
HTTPS (work in progress)

metamong 2023. 4. 12.

1. What are HTTPS / SSL / TLS / CA?

★ HTTPS

: a secured version of HTTP. When the exchange of data is encrypted with SSL/TLS, we call it HTTPS (the 'S' stands for secure)

Privacy: no one can eavesdrop on messages

Integrity: the message is not manipulated on the way to its destination

Identification: you can check that the message really comes from the computer it claims to come from (via a digital signature)

 

→ HTTPS, via SSL certificates, ensures you are connected exactly with the receiver you would expect

the SSL certificate is valid and has been issued by a legitimate Certificate Authority (CA)

 

→ HTTPS needs a way to provide privacy, integrity, and identification on the web → 'encryption'

 

★ SSL(Secure Sockets Layer) / TLS

: stands for Secure Sockets Layer (a protocol created by Netscape). SSL was later renamed TLS (Transport Layer Security). So SSL is the original, now deprecated protocol created at Netscape in the mid-90s → TLS is the newer protocol for encrypted communication on the web, maintained by the IETF

 

SSL is a family of encryption technologies that allows web users to protect the privacy of information they transmit over the internet. When you visit a secure website such as Gmail.com, you'll see a lock next to the URL, indicating that your communications with the site are encrypted; Google's Chrome browser, for example, shows the lock in the address bar.

That lock is supposed to signal that third parties won't be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher. If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information. SSL was introduced by Netscape in 1994. In its early years, it was only used on a few types of websites, such as online banking sites. By the early 2010s, Google, Yahoo, and Facebook all used SSL encryption for their websites and online services. More recently, there has been a movement toward making the use of SSL universal. In 2015, Mozilla announced that future versions of the Firefox browser would treat the lack of SSL encryption as a security flaw, as a way to encourage all websites to upgrade. Google is considering taking the same step with Chrome.

 

Using HTTP for secure transmissions

The largest change to HTTP was made at the end of 1994. Instead of sending HTTP over a basic TCP/IP stack, the computer-services company Netscape Communications created an additional encrypted transmission layer on top of it: SSL. SSL 1.0 was never released to the public, but SSL 2.0 and its successor SSL 3.0 allowed for the creation of e-commerce websites. To do this, they encrypted and guaranteed the authenticity of the messages exchanged between the server and client. SSL was eventually standardized and became TLS. During the same time period, it became clear that an encrypted transport layer was needed. The web was no longer a mostly academic network, and instead became a jungle where advertisers, random individuals, and criminals competed for as much private data as possible. As the applications built over HTTP became more powerful and required access to private information like address books, email, and user location, TLS became necessary outside the e-commerce use case.

 

★ CA (Certificate Authority)

: a third-party organization with 3 main objectives

 

Issuing Certificates

Confirming the identity of the certificate owner

Providing proof that the certificate is valid

 

→ becoming a CA is an intensive process of meeting security requirements and passing audits (a CA needs to be trusted in order to be accepted into a root store, i.e. the database of trusted CAs)

→ 3 types of certificates

domain validated: the certificate just verifies the domain name, and nothing else

organization validated: the certificate requires the validation and manual verification of the organization behind the certificate

extended validation: the certificate requires an exhaustive verification of the business

 

→ all valid certificates result in the browser displaying a secure badge in the browser bar

(EV certificates generally display the company name as well)

 

SSL/TLS certificates are used to establish trust between the client and server. They contain information about the identity of the server and are signed by a trusted third party (a Certificate Authority) to verify their authenticity.

 

★ Chain of Trust 

① when a CA issues a certificate, it signs the certificate with its root certificate (pre-installed in the root store)

② most of the time, however, the site certificate is signed by an intermediate certificate, which is in turn signed with a root certificate

③ the browser continues to look up the certificate that signed the intermediate certificate (the root certificate)

④ the entire certificate chain is trusted, and thus the site certificate is trusted as well

(if the last certificate found is not a root certificate and there are no more certificates to download, the chain is untrusted)

⑤ a self-signed certificate provides the same level of encryption, but you should avoid using one on a public site (it can be forged)

→ almost every browser checks that the certificate is issued by a trusted authority
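As an added example (not part of the original post or its sources; Go standard library only), this is the chain walk above carried out by code: a constructed root CA signs an intermediate, the intermediate signs the site certificate, and the browser-side check succeeds only because the root sits in the root store, while a self-signed certificate for the same site is rejected. The names 'Example Root CA', 'Example Intermediate CA' and 'www.example.test' are made up for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for subj's public key with signer's key. With parent == nil the
// certificate is self-signed, which is how both a root CA and a home-made site certificate are made.
func issue(cn string, isCA bool, subj *ecdsa.PrivateKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent = tpl }
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &subj.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyChain is the browser's walk: start at the site certificate, follow each issuer through the
// intermediates until a certificate pre-installed in the root store is reached. nil means trusted.
func VerifyChain(site *x509.Certificate, inters []*x509.Certificate, rootStore *x509.CertPool, host string) error {
	pool := x509.NewCertPool()
	for _, c := range inters { pool.AddCert(c) }
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: rootStore, Intermediates: pool})
	return err
}

// Demo builds root -> intermediate -> site and checks that chain, plus a self-signed certificate for
// the same site, against a root store that holds only the root. Returns (chainOK, selfSignedOK).
func Demo() (bool, bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := issue("Example Root CA", true, rootKey, nil, rootKey)
	inter := issue("Example Intermediate CA", true, interKey, root, rootKey)
	site := issue("www.example.test", false, siteKey, inter, interKey)
	store := x509.NewCertPool() // the root store: only the root CA is trusted up front
	store.AddCert(root)
	chainOK := VerifyChain(site, []*x509.Certificate{inter}, store, "www.example.test") == nil
	selfSigned := issue("www.example.test", false, siteKey, nil, siteKey) // same crypto, nobody vouches for it
	selfOK := VerifyChain(selfSigned, nil, store, "www.example.test") == nil
	return chainOK, selfOK
}
```

Swapping the root store for an empty pool makes even the CA-issued chain fail with an unknown-authority error, which is exactly the "no more certificates to download" case in the notes.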

2. encryption algorithms

Symmetric key algorithm

→ only one key is used to both encrypt and decrypt a message → only a person holding a copy of the key can open the box and read the message → this guarantees that no one can open it until it reaches the person with the right key

→ the message is transformed and spread out multiple times (each round obfuscating it further) → to decrypt it, the same steps are applied in reverse order

→ the encryption key is mixed into the message → both the encryption algorithm and the key are needed

One main issue with symmetric keys is that they are hard to share securely

 

Asymmetric key algorithm

→ 2 keys → public & private (paired and work together)

: (1) the public key can be shared with anyone, in plain text

: (2) the browser puts the message in a box and locks it with the public key → only the matching private key can unlock it and read the message

3. the Handshake

"the negotiation between a browser and a server"

: During the SSL/TLS handshake process, the client and server exchange information to negotiate the encryption algorithm and other parameters for the secure connection.

→ if an agreement is reached, the browser is happy to display a green padlock in the address bar

 

Client Hello: the browser sends the list of SSL/TLS versions and encryption algorithms (cipher suites) it supports → then waits for an answer from the server

 

Server Hello: the server chooses the best SSL/TLS version and encryption algorithm → replies with its certificate (including its public key)

 

Client Key Exchange: the browser checks the server's certificate to make sure it is legit → the browser generates a 'pre-master key' (to be used later when generating a unique session key) → encrypts that pre-master key with the server's public key and sends it to the server

 

Change Cipher Spec: the server uses its private key to decrypt the pre-master key → server & client both used asymmetric keys (public & private) to protect the pre-master key so nobody could spy on it → both now generate the same 'shared secret', which will be used as a symmetric key

 

browser encrypts with the server's public key ← pre-master key → server uses its private key to decrypt it

 

Everything is now secured: all data going back and forth between server & client is now protected with the shared symmetric key
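An added example (not from the original post or its sources) that plays out sections 2 and 3 in Go: the asymmetric step protects the pre-master key, both sides derive the same symmetric session key, and application data then travels under AES-GCM, while a passive eavesdropper holding only the public key and the ciphertext gets nothing. The deriveKey function is a simplified stand-in for the TLS PRF (an assumption of this example), and the whole flow is the RSA key exchange the notes describe, which TLS 1.3 has since replaced with ephemeral Diffie-Hellman.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// deriveKey stands in for the TLS PRF (simplified, an assumption of this example): both ends
// mix the pre-master secret with the two hello randoms, so the session key is unique per connection.
func deriveKey(preMaster, clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write(preMaster); h.Write(clientRandom); h.Write(serverRandom)
	return h.Sum(nil) // 32 bytes: an AES-256 key
}
// seal and open are the symmetric half: one shared key protects traffic in both directions.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prefixed to the ciphertext
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// Handshake plays browser, server and a passive eavesdropper for the RSA key-exchange flow above. It
// returns what the server recovered and whether the eavesdropper could decrypt the pre-master secret.
func Handshake(msg []byte) (recovered []byte, eavesdropperWon bool) {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the private key never leaves the server
	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32) // sent in the two Hellos
	rand.Read(clientRandom); rand.Read(serverRandom)
	// Client Key Exchange: the browser makes the pre-master secret and locks it with the public key.
	preMaster := make([]byte, 48); rand.Read(preMaster)
	encPreMaster, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, preMaster, nil)
	// Change Cipher Spec: only the private key opens the box; both sides derive the same shared secret.
	serverPreMaster, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, encPreMaster, nil)
	if err != nil { return nil, false }
	clientSession := deriveKey(preMaster, clientRandom, serverRandom)
	serverSession := deriveKey(serverPreMaster, clientRandom, serverRandom)
	// Everything is now secured: application data travels under the symmetric session key.
	recovered, _ = open(serverSession, seal(clientSession, msg))
	spyKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the eavesdropper's own key cannot open the box
	_, spyErr := rsa.DecryptOAEP(sha256.New(), rand.Reader, spyKey, encPreMaster, nil)
	return recovered, spyErr == nil
}
```

Flipping one bit of a sealed record before calling open makes AES-GCM reject it, which is the integrity property from section 1 in action.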


* source 1 (in a comic..!): https://howhttps.works/why-do-we-need-https/

* source 2 (cs.fyi guide, 'how does the internet work'!): https://cs.fyi/guide/how-does-internet-work#securing-internet-communication-with-ssltls

