Meeting #10 Secure HTTP (HTTPS), Network Security Lecture

Upload: eric-willis

Posted on 18-Jan-2016


Page 1: Meeting #10 Secure HTTP (HTTPS), Network Security Lecture

Meeting #10 Secure HTTP (HTTPS)

Network Security Lecture

Page 2

The Plain Text HTTP

Consider the following HTTP request passed in clear text:

POST /search HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020606
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

credit_card_num=1234567890123456&exp_date=2006-05&name=Chris%20Shiflett

Page 3

Security For HTTP

We need a technology for HTTP that provides:

Server authentication: clients know they're talking to the real server

Client authentication: servers know they're talking to the real client

Integrity: servers and clients are safe from their data being altered

Encryption: clients and servers talk privately without fear of eavesdropping

Efficiency: an algorithm fast enough for inexpensive clients and servers to use

Page 4

Security For HTTP

Ubiquity: protocols are supported by virtually all clients and servers

Administrative scalability: instant secure communication for anyone, anywhere

Adaptability: supports the best known security methods of the day

Page 5

HTTPS Overview

Stands for HTTP Secure: HTTP sent over a secure transport layer (Secure Socket Layer)

The most popular secure form of HTTP

Pioneered by Netscape Corp.: in 1994, Netscape released the specification of Secure Socket Layer; by 1995, version 3.0 of SSL was released

Supported by all major browsers and servers

Dramatically changed the way people used the web

The URL will start with https:// instead of http://

Some browsers also display iconic security cues

Page 6

HTTPS Overview

Page 7

HTTPS Overview

Secure Socket Layer (SSL) provides:

Data integrity: can help ensure that HTTP data can't be changed while in transit

Data confidentiality: provides strong cryptographic techniques used to encrypt HTTP messages

Identification: can offer reasonable assurance as to the identity of a web server; can also be used to validate the identity of a client, but this is less common

Page 8

HTTPS Overview

Compared with HTTP in the TCP/IP protocol stack: HTTP uses server port 80, HTTPS uses server port 443

Page 9

HTTP & HTTPS Transactions

Initiate connection

Page 10

HTTP & HTTPS Transactions

Exchange data

Page 11

HTTP & HTTPS Transactions

Terminate connection

Page 12

SSL Security Parameters Handshake

Page 13

HTTPS Server Certificate

Page 14

Site Certificate Validation

SSL itself doesn't require you to examine the web server's certificate, but modern browsers do some simple sanity checks on certificates. The steps are:

Date check: check the start/end dates and ensure the certificate is still valid

Signer trust check: the certificate is signed by a well-known, trusted Certificate Authority

Signature check: check the certificate's integrity by applying the signing CA's public key to the signature and comparing the result to the checksum

Site identity check: the domain name in the certificate matches the server they're talking to
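The four checks above in working code, as an added example that is not from the lecture slides: Go's standard library runs all of them in one x509.Certificate.Verify call, and the block builds its own throwaway root CA (the CA name and key are constructed for the demo) so it runs offline; its-sby.edu is the domain the slides use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh P-256 key for tmpl and has parent sign it with signerKey (nil: self-signed).
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signerKey == nil { // the root CA signs its own certificate with the key just generated
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// MakeChain plays the CA: a constructed root CA (made-up name) signs a certificate binding site
// to a new public key, both valid from notBefore to notAfter.
func MakeChain(site string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lecture Demo Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := issue(leafTmpl, ca, caKey)
	return ca, leaf
}

// ValidateSite runs the four checks: date (CurrentTime), signer trust (Roots), signature (chain) and site identity (DNSName).
func ValidateSite(leaf *x509.Certificate, trustedRoots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trustedRoots, CurrentTime: now})
	return err
}
```

Verify returns a typed error (CertificateInvalidError, UnknownAuthorityError or HostnameError) naming which of the four checks failed.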

Page 15

Certificate Authorities

A CA is used to assure that a particular public key belongs to a particular person (or domain name, for example: its-sby.edu)

A CA is a trusted 3rd party that assures the identity of a public key's owner with a digital certificate

A digital certificate is a document declaring that a particular public key is owned by a particular web site

A CA's role is very similar to a notary, whose responsibility is to ensure the correct identity of the people signing a legal document

Page 16

Tunnelling Secure Traffic Through Proxies

Corporate firewall proxy

Page 17

Tunnelling Secure Traffic Through Proxies

Proxy can’t read the encrypted HTTP header, so it won’t know where to forward the request

A few modifications are needed to tell the proxy where to connect

One popular technique is the HTTPS SSL tunnelling protocol

Page 18

SSL Tunnelling

To allow SSL traffic to flow through proxy firewalls, a tunnelling feature was added to HTTP

Encrypted data is placed inside HTTP messages and sent through normal HTTP channels

Page 19

SSL Tunnelling

Tunnels let non-HTTP traffic flow through HTTP connections

Page 20

SSL Tunnelling

Direct SSL connection vs. tunnelled SSL connection
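The tunnelling exchange the slides describe (pages 17 to 20), as an added example that is not from the lecture: the feature added to HTTP is the CONNECT method, whose request line is the only thing the proxy sees in the clear. Host names and ports are assumed for the demo, and in-memory pipes stand in for real sockets.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

// ServeConnect is the proxy side: it parses one CONNECT request, dials the requested host:port,
// answers 200 and then relays bytes both ways without inspecting them (they are SSL records).
func ServeConnect(client net.Conn, dial func(hostport string) (net.Conn, error)) error {
	defer client.Close()
	br := bufio.NewReader(client)
	req, err := http.ReadRequest(br)
	if err != nil {
		return err
	}
	if req.Method != http.MethodConnect { // plain HTTP is proxied normally, never tunnelled
		fmt.Fprint(client, "HTTP/1.1 405 Method Not Allowed\r\n\r\n")
		return fmt.Errorf("expected CONNECT, got %s", req.Method)
	}
	upstream, err := dial(req.Host) // authority form from the request line, e.g. "its-sby.edu:443"
	if err != nil {
		fmt.Fprint(client, "HTTP/1.1 502 Bad Gateway\r\n\r\n")
		return err
	}
	defer upstream.Close()
	fmt.Fprint(client, "HTTP/1.1 200 Connection established\r\n\r\n")
	go func() { io.Copy(upstream, br); upstream.Close() }() // client -> origin, br keeps any early bytes
	io.Copy(client, upstream)                                // origin -> client, until the origin closes
	return nil
}

// OpenTunnel is the client side: it asks the proxy for a tunnel to target (host:port) and, on a
// 200 reply, returns the reader for the tunnel; the SSL handshake would start next over it.
func OpenTunnel(proxy net.Conn, target string) (*bufio.Reader, error) {
	fmt.Fprintf(proxy, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	rd := bufio.NewReader(proxy)
	resp, err := http.ReadResponse(rd, nil)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("proxy refused tunnel: %s", resp.Status)
	}
	return rd, nil
}
```

After the 200 reply the proxy knows only the destination host:port and byte counts; everything the client and origin exchange through the tunnel is opaque to it.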