secure socket ssl

Upload: sunny-kishorbhai-gajjar

Post on 10-Apr-2018

TRANSCRIPT

  • 8/8/2019 Secure Socket Ssl

    1/22

    SECURE SOCKET LAYER (SSL) & HTTPS

    Divey Gupta, Sunny Gajjar

    B.Tech-IV

    Computer Engg.

    NIT-Surat

    SSL???

    TLS and SSL are cryptographic protocols for providing secure communication.

    Work on the Application Layer of the OSI model

    SSL encrypts the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer

    HISTORY

    Originally developed by Netscape

    SSL versions are 1, 2 and 3

    TLS 1.0 and TLS 1.1

    Latest standard used: TLS 1.2

    NEED OF SSL??

    you have an online store or accept online orders and credit cards

    you offer a login or sign in on your site

    you process sensitive data such as address, birth date, license, or ID numbers

    you need to comply with privacy and security requirements

    you value privacy and expect others to trust you

    How does it work??

    What Happens When a Web Browser Connects to a Secure Web Site

    A browser attempts to connect to a Web site secured with SSL.

    HOW DOES SSL ENCRYPTION WORK?

    Web servers and Web browsers rely on the Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communications over the public Internet.

    Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it.

    When a Web browser points to a secured domain, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server's capabilities. That is why SSL Certificates feature a range of encryption levels such as "up to 256-bit".

    Security Issues

    Privacy: Messages encrypted using conventional cryptography with a shared key

    e.g. 3DES, RC2, etc.

    Key Exchange: Public key encryption

    e.g. RSA or Diffie-Hellman

    Integrity: Message Authentication Code (MAC)

    e.g. MD5, SHA1

    Authentication

    HOW DO I KNOW THAT A SITE HAS A VALID SSL CERTIFICATE?

    Certificate Authority (CA)

    A CA issues digital certificates that contain a public key and the identity of the owner.

    In essence, the CA is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that".

    Providers: VeriSign and its acquisitions (which include Thawte and Geotrust) have a 47.5% share of the certificate authority market, followed by GoDaddy (23.4%), and Comodo (15.44%).

    Latest Developments

    Extended Validation (EV) SSL: EV SSL requires a rigorous process of Web site authentication and is considered the gold standard in the e-commerce industry for authenticating the legitimate identity of a Web site.

    For combating increased phishing attacks

    LIMITATIONS

    SSL is designed to provide point-to-point security. When multiple intermediary nodes exist between the two endpoints, point-to-point security fails and end-to-end security is required

    Web Service Scenario: SOAP messages route through multiple intermediary nodes; those intermediary nodes will not be able to participate in operations

    SSL encryption is at the transport level rather than at the application level.

    Messages are encrypted only during transmission over the network

    Other security mechanisms are required to handle security of the messages in an application or on disk

    HTTPS??

    HTTPS (HTTP over SSL or HTTP Secure) is the use of SSL or TLS as a sublayer under regular HTTP application layering.

    HTTPS connections are often used for payment transactions.

    DIFFERENCE BETWEEN HTTP & HTTPS

    HTTP is a protocol for information to be passed back and forth between web servers and clients. It uses port 80.

    HTTPS: It's all about keeping you secure. It uses port 443.

    HOW DOES SHTTP DIFFER FROM HTTPS

    SHTTP is an alternative to the HTTPS URI scheme for encrypting web communications carried over HTTP. SHTTP authenticates a user.

    SHTTP and HTTPS were both defined in the 1990s, but Netscape and Microsoft supported HTTPS. HTTPS authenticates a server.

    Problems with HTTPS and the Lock Icon

    1. Upgrade from HTTP to HTTPS

    2. Semantic attacks on certificates

    3. Invalid certificates

    4. Mixed content

    - HTTP and HTTPS on the same page

    HTTP to HTTPS upgrade

    HOW TO TRUST AN HTTPS CONNECTION

    If the user trusts that their browser software correctly implements HTTPS with correctly pre-installed certificate authorities.

    If the user trusts the certificate authority to vouch only for legitimate websites without misleading names.

    If the website provides a valid certificate (an invalid certificate shows a warning in most browsers), which means it was signed by a trusted authority.

    If the certificate correctly identifies the website (e.g. visiting https://example and receiving a certificate for "Example Inc." and not anything else)

    If either the intervening hops on the Internet are trustworthy, or the user trusts that the protocol's encryption layer (TLS or SSL) is unbreakable by an eavesdropper.

    Why is HTTPS not used for all web traffic?

    Slows down web servers

    Breaks Internet caching

    - ISPs cannot cache HTTPS traffic

    - Results in increased traffic at web site

    Incompatible with virtual hosting (older browsers)

    HOW TO CREATE HTTPS WITH OpenSSL

    1. Generate an RSA private key

    openssl genrsa -des3 -out server.key 1024

    2. Generate a CSR (Certificate Signing Request)

    openssl req -new -key server.key -out server.csr

    3. Generate a self-signed certificate

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    4. Install the private key and certificate

    cp server.crt /usr/local/apache/conf/ssl.crt

    cp server.key /usr/local/apache/conf/ssl.key
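
    A check that can be run between steps 3 and 4, as an added example that is not part of the original slides: it confirms that server.crt carries the public half of server.key, that the key meets a minimum size, and that the certificate has not expired. The function names, the 2048-bit floor and the example.test sample certificate are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the key and certificate from steps 1-3.
# Function names are hypothetical; min_bits=2048 is an assumed policy floor.

# Print the size in bits of the public key embedded in a certificate.
cert_key_bits() {  # usage: cert_key_bits server.crt
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate carries the public half of the private key.
# A passphrase-protected key (genrsa -des3) makes openssl prompt here.
pair_matches() {  # usage: pair_matches server.key server.crt
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Run every check; print one line per failure, return non-zero if any fail.
check_pair() {  # usage: check_pair server.key server.crt [min_bits]
    key=$1 crt=$2 min_bits=${3:-2048} rc=0
    pair_matches "$key" "$crt" ||
        { echo "FAIL: certificate does not match private key"; rc=1; }
    bits=$(cert_key_bits "$crt")
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL: ${bits:-unknown}-bit key is below $min_bits bits"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    return $rc
}

# Constructed sample input: throwaway unencrypted key and self-signed
# certificate for the made-up name example.test, written into directory $1.
make_sample() {  # usage: make_sample dir bits
    openssl genrsa -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.test" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# When called with arguments, check the files named on the command line.
if [ $# -ge 2 ]; then check_pair "$@"; fi
```

    Saved as a script and called with server.key and server.crt as arguments, it exits non-zero and names each failed check; the 1024-bit key from step 1 fails the default size check.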

    Questions?