
How I learned to understand HTTPS


HTTPS explained the easy way, suitable for a non-technical audience.

Giuseppe Mazzapica

September 27, 2018

Transcript

  1. WP Meetup Catania, 27 September 2018
    How I learned to understand HTTPS

  2.
    Giuseppe Mazzapica
    WordPress Engineer at Inpsyde
    Open Source Lover & Maintainer
    WordPress Stack Exchange Moderator
    WordCamp Speaker
    @gmazzap gmazzap.me

  3.
    Servers are computers.
    The Internet is not made of clouds, but it is made of servers.
    Computers «talk» to each other, in many different ways.

  4.
    The various «languages» used by computers are called «protocols».
    Computers use different protocols for different purposes.
    The protocol used to «exchange» web page data is
    HTTP: HyperText Transfer Protocol
    GET /awesome-cat.png
    Host: emergencykittens.tumblr.com
    200 OK
    Content-Length: 120321
    Content-Type: image/png
    [binary PNG image data]

  5.
    Communications among computers are not that different from
    phone communications among humans: there is always the
    chance that someone (more or less ill-intentioned) is listening...

  6.
    The oldest way to defend ourselves from anyone «eavesdropping»
    is to «speak in code».
    Modern cryptography used by computers
    is asymmetric: the encryption key and
    the decryption key are two different keys.

  7.
    Asymmetric Cryptography
    The key «couple» (private key + public key) is generated by the recipient.
    The sender knows only the public key and uses it for the encryption.
    Original Data -> Encrypted Data -> Decrypted Data (same as original)

  8.
    For asymmetric cryptography, whoever sends the message has
    to know the public key of the recipient.
    When computers communicate via HTTP, the public key of
    the server is made known through a certificate.
    The cryptographic protocol used to encrypt HTTP communication
    is TLS, the successor of SSL, and the certificates connecting
    a domain with a public key, enabling the encrypted
    communication, are often called «SSL certificates».

  9.
    How I learned to understand...
    When HTTP communications are encrypted, thanks to an
    SSL certificate, we talk about HTTPS: that basically is a more
    «secure» variant of HTTP thanks to TLS encryption.

  10.
    When we connect to a server which has an SSL certificate (even
    the most «basic» one) communication changes from HTTP to HTTPS.
    The browser shows a «padlock» next to the address.
    With HTTPS we are always sure that:
    The website we are seeing is really the one that the URL in
    the address bar is showing
    All sent and received data is encrypted, so it can't be
    eavesdropped nor compromised.

  11.
    Up until a few years ago SSL certificates were for sale, so only those
    who handled sensitive data (passwords, credit cards...) were bound
    to have them.
    In 2018, for the first time, the number of websites using HTTPS
    exceeded the number of websites using just HTTP.
    Today a «basic» SSL certificate (DV) can be obtained for free
    thanks to the not-for-profit authority Let's Encrypt.

  12.
    Considering an SSL certificate is today completely free and
    easy to obtain, every website should have one.
    Google Chrome, the most popular browser in the world, since 2017
    shows a «Not secure» warning for websites not using HTTPS.

  13.
    A «basic» certificate (DV), besides allowing encrypted data
    exchange, guarantees the authenticity of the domain; in fact
    «DV» stands for «Domain Validation».
    It is true that a missing certificate means missing security, but
    the presence of a DV certificate does not mean «full» security.
    Basically, a DV SSL certificate guarantees the connection security,
    but does not guarantee anything about the certificate holder.

  14.
    There are «advanced» SSL certificates that not only guarantee
    the connection security (no more than a DV certificate does), but also
    vouch for the owner of the certificate.
    These are the OV (Organization Validation) and EV (Extended
    Validation) certificates. They are not free (quite expensive,
    actually), and the procedure for getting them takes time.
    The browser tells us when a site has an EV certificate.
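What slides 13 and 14 describe, shown on certificates rather than told, as an added Go example that is not from the deck: two constructed self-signed certificates, one DV-style that names only the domain and one OV/EV-style that also names the holder's organization, read the way a browser reads them (the DNS names say which domain the key is bound to, the subject's Organization says who holds it). The helper names and the sample domain and organization are constructed for this example; real OV/EV certificates are issued by a CA and additionally carry policy identifiers, which this check does not look at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate (constructed for this example)
// that binds a domain to a fresh public key and optionally names an organization.
func makeCert(domain string, org []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain, Organization: org},
		DNSNames:     []string{domain},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// whatItGuarantees reads the certificate the way a browser does: the DNS names
// say which domain the key is bound to; the subject's Organization, filled in
// only for OV/EV certificates, says who holds it. A DV certificate leaves it empty.
func whatItGuarantees(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return "domain mismatch: " + err.Error()
	}
	if len(cert.Subject.Organization) == 0 {
		return "domain " + host + " only (DV): holder unknown"
	}
	return fmt.Sprintf("domain %s, held by %q (OV/EV)", host, cert.Subject.Organization[0])
}
```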

  15.
    Thanks for listening,
    questions?
