How I learned to understand HTTPS

HTTPS explained the easy way, suitable for a non-technical audience.

Giuseppe Mazzapica

September 27, 2018

Transcript

  1. WP Meetup Catania 27 Settembre 2018
    How I learned to understand HTTPS

  2. Giuseppe Mazzapica
    WordPress Engineer at Inpsyde
    Open Source Lover & Maintainer
    WordPress Stack Exchange Moderator
    WordCamp Speaker
    @gmazzap gmazzap.me

  3. Servers are computers.
    The Internet is not made of clouds;
    it is made of servers.
    Computers «talk» to each other
    in many different ways.

  4. The various «languages» used by computers are called «protocols».
    Computers use different protocols for different purposes.
    The protocol used to «exchange» web page data is
    HTTP: HyperText Transfer Protocol.

    GET /awesome-cat.png
    Host: emergencykittens.tumblr.com

    200 OK
    Content-Length: 120321
    Content-Type: image/png
    [binary PNG image bytes follow]

  5. Communications among computers are not that different from
    phone communications among humans: there is always the
    chance that someone (more or less ill-intentioned) is listening...

  6. The oldest way to defend ourselves from anyone «eavesdropping»
    is to «speak in code».
    Modern cryptography used by computers
    is asymmetric: the encryption key and
    the decryption key are two different keys.

  7. Asymmetric Cryptography (diagram)
    The key «couple» (private key, public key)
    is generated by the recipient.
    The sender knows only the public key
    and uses it for the encryption.
    Original Data -> Encrypted Data -> Decrypted Data
    (same as original)

  8. For asymmetric cryptography, whoever sends the message has
    to know the public key of the recipient.
    When computers communicate via HTTP, the public key of
    the server is made known through a certificate.
    The cryptographic protocol used to encrypt HTTP communication
    is TLS, the successor of SSL, and the certificates connecting
    a domain with a public key, enabling the encrypted
    communication, are often called «SSL certificates».
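To make the flow described on slides 7 and 8 concrete, here is a toy RSA round trip in Python (an added example, not code from the deck): the recipient builds the key couple from two secret primes, the sender encrypts knowing nothing but the public half, and only the private half turns the data back into the original. The primes, the sample message and the function names are constructed for illustration; the numbers are tiny so every step is visible, nothing like the key sizes real TLS uses.

```python
# Toy textbook RSA illustrating the asymmetric-key flow of slides 7 and 8.
# Added example, not from the original deck. Primes are hand-picked and tiny
# (assumption: illustration only); real TLS keys are thousands of bits long.
from math import gcd


def generate_keypair(p: int, q: int, e: int = 65537):
    """The *recipient* builds the key couple from two secret primes p and q.

    Returns (public_key, private_key) as ((e, n), (d, n)).
    Only (e, n) is ever published; d stays with the recipient.
    """
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)                  # modular inverse: d * e == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, data: bytes) -> list:
    """The *sender* holds only the public key (e, n), one number per byte."""
    e, n = public_key
    if n <= 255:
        raise ValueError("modulus too small to encode a full byte")
    return [pow(b, e, n) for b in data]


def decrypt(private_key, blocks: list) -> bytes:
    """Only the holder of the private key (d, n) can reverse the encryption."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def demo():
    """Run the whole exchange: recipient generates, sender encrypts, recipient decrypts."""
    # Recipient (the server) generates the couple and publishes only the public half.
    public_key, private_key = generate_keypair(p=61, q=53, e=17)
    original = b"GET /awesome-cat.png"          # constructed sample message
    encrypted = encrypt(public_key, original)   # sender's side: public key only
    decrypted = decrypt(private_key, encrypted) # recipient's side: private key
    return original, encrypted, decrypted


if __name__ == "__main__":
    orig, enc, dec = demo()
    print("encrypted blocks:", enc)
    print("decrypted equals original:", dec == orig)
```

The encrypted blocks are what an eavesdropper on the wire would see; without d they carry no readable trace of the request.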

  9. How I learned to understand...
    When HTTP communications are encrypted thanks to an
    SSL certificate, we talk about HTTPS: basically a more
    «secure» variant of HTTP thanks to TLS encryption.

  10. When we connect to a server which has an SSL certificate (even
    the most «basic» one), communication changes from HTTP to HTTPS.
    The browser shows a «padlock» next to the address.
    With HTTPS we are always sure that:
    - the website we are seeing is really the one that the URL in
      the address bar is showing;
    - all sent and received data is encrypted, so it can't be
      eavesdropped nor compromised.

  11. Until a few years ago SSL certificates were for sale, so only those who
    handled sensitive data (passwords, credit cards...) were bound
    to have them.
    In 2018, for the first time, the number of websites using HTTPS
    exceeded the number of websites using just HTTP.
    Today a «basic» SSL certificate (DV) can be obtained for free
    thanks to the not-for-profit authority Let's Encrypt.

  12. Considering that an SSL certificate is today completely free and
    easy to obtain, every website should have one.
    Google Chrome, the most popular browser in the world, has since 2017
    shown a «Not secure» warning for websites not using HTTPS.

  13. A «basic» certificate (DV), besides allowing encrypted data
    exchange, guarantees the authenticity of the domain; in fact
    «DV» stands for «Domain Validation».
    It is true that a missing certificate means missing security, but
    the presence of a DV certificate does not mean «full» security.
    Basically, a DV SSL certificate guarantees the security of the connection,
    but does not guarantee anything about the certificate holder.

  14. There are «advanced» SSL certificates that not only guarantee
    the connection security (no more than a DV certificate does), but also
    vouch for the owner of the certificate.
    These are the OV (Organization Validation) and EV (Extended
    Validation) certificates. They are not free (quite expensive,
    actually), and the procedure for getting them takes time.
    The browser tells us when a site has an EV certificate.

  15. Thanks for listening,
    questions?