A brief introduction to HTTPS

A brief introduction to HTTPS Thierry Sans

Today, we are going to

Today, we are going to 1. understand HTTP

Today, we are going to 1. understand HTTP 2. break
HTTP

HTTP 3. secure HTTP with HTTPS

HTTP 3. secure HTTP with HTTPS 4. go beyond HTTPS

1. Understanding HTTP

HTTP - Hypertext Transfer Protocol Web Server Web Browser

HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP
request

HTTP - Hypertext Transfer Protocol Web Server Web Browser HTTP
request HTTP response

HTTP Authentication

HTTP Authentication login: [email protected]  password: pass4example

HTTP Authentication login: [email protected]  password: pass4example SID:scACRSm…

HTTP Authentication session login: [email protected]  password: pass4example SID:scACRSm…

The concept of session The session id (a.k.a authentication token)
is • unique and unforgeable (usually a long random string) • sent back and forth between the web browser and the web server in the cookie • bound to user’s data on the server

2. Breaking HTTP

How to steal user’s credentials ➡ Brute force the user’s
password or session ID

How to steal user’s credentials ➡ Brute force the user’s
password or session ID ➡ Steal the user’s password or session ID

Do you trust the network?

Do you trust the network? interesting!

Do you trust the network? ๏ Threat 1 : an
attacker can eavesdrop messages sent back and forth interesting!

Do you really trust the network? example.com

Do you really trust the network? I am example.com! example.com

Do you really trust the network? ๏ Threat 2 :
an attacker can tamper with messages sent back and forth I am example.com! example.com

Conﬁdentiality and Integrity

Conﬁdentiality and Integrity ๏ Threat 1 : an attacker can
eavesdrop messages sent back and forth

eavesdrop messages sent back and forth Conﬁdentiality: how do exchange information secretly?

eavesdrop messages sent back and forth Conﬁdentiality: how do exchange information secretly? ๏ Threat 2 : an attacker can tamper messages sent back and forth

eavesdrop messages sent back and forth Conﬁdentiality: how do exchange information secretly? ๏ Threat 2 : an attacker can tamper messages sent back and forth Integrity: How do we exchange information reliably?

3. Securing HTTP with HTTPS

Generic solution - HTTPS ✓ HTTPS = HTTP + TLS
➡ Transport Layer Security (TLS previously known as SSL) provides • conﬁdentiality: end-to-end secure channel • integrity: authentication handshake 

Generating and using (self-signed) certiﬁcates

Generating and using (self-signed) certiﬁcates who are you?

Generating and using (self-signed) certiﬁcates who are you? I am
example.com

Self-signed certiﬁcates  are not trusted by  your browser

Signed Certiﬁcate Certiﬁcate Authority (CA)

Signed Certiﬁcate who are you? Certiﬁcate Authority (CA)

Signed Certiﬁcate who are you? Certiﬁcate Authority (CA) I am
example.com

Your browser trusts many CAs by default

Real attacks

4. Beyond HTTPS

Why and when using HTTPS? HTTPS = HTTP + TLS
➡ TLS provides • conﬁdentiality: end-to-end secure channel • integrity: authentication handshake  ➡ HTTPS protects any data send back and forth including: • login and password • session ID ✓ HTTPS everywhere   HTTPS must be used during the entire session

Limitation of HTTPS

Beyond this lecture 15-349 Introduction to Computer and Network Security
• symmetric and asymmetric crypto-systems • the TLS protocol • network and host-based threat, vulnerabilities, attacks   and counter-measures 15-437 Web Application Development • the HTTP protocol • how to deploy your web application over HTTPS • web-based threats, vulnerabilities, attacks and counter-measures

A brief introduction to HTTPS

A brief introduction to HTTPS

More Decks by ThierrySans

Featured

Transcript