HTTP Secure) is a protocol for secure communica?on over a computer network which is widely used on the Internet. HTTPS consists of communica?on over Hypertext Transfer Protocol (HTTP) within a connec?on encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. hTps:/ /en.wikipedia.org/wiki/HTTPS IV III II I
in such a way that only authorized par?es can read it. Authen>ca>on The process of determining whether someone or something is, in fact, who or what it is declared to be. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone , - DISCLAIMER: This schema is simplified on purpose. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ClientKeyExchange , - DISCLAIMER: This schema is simplified on purpose. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ClientKeyExchange SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished ! Server switches to encryp?on ! MAC of handshake ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED , - DISCLAIMER: This schema is simplified on purpose. IV III II I
/ Server Random ( Cipher suite " Cer?ficates 0 Session ID 1 Server key exchange data ClientHello ServerHello, Cer?ficate, ServerKeyExchange, ServerHelloDone 1 Client key exchange data ! Client switches to encryp?on ! MAC of handshake ClientKeyExchange ChangeCipherSpec, Finished ! Server switches to encryp?on ! MAC of handshake ChangeCipherSpec, Finished SYMMETRIC KEY IS GENERATED 2 Applica?on data 2 Applica?on data , - DISCLAIMER: This schema is simplified on purpose. IV III II I
cryptographic primi0ves. Each primi?ve is designed with a par?cular useful func?onality in mind. The primi?ves alone are not very useful, but we can combine them into schemes and protocols to provide robust security. For example, we might use one primi?ve for hashing, one for encryp>on and another for integrity checking. IV III II I
• Issued and signed by a publicly trusted Cer?fica?on Authority • Suitable for produc?on environments as well for tes?ng • Generally not free • Provides encryp?on • Doesn't provide authen?ca?on • self-signed • Generally used for tes?ng • Free
list of trusted cer?ficates • These cer?ficates are called root cer'ficates, and they generally belong to trusted par?es, such as cer?ficate authori?es IV III II I
cer?ficate that was used to sign the current cer?ficate • The cer?ficate matches a root cer?ficate • The original cer>ficate is trusted :) • The en?re cer>ficate chain is trusted 3 IV III II I
cer?ficate that was used to sign the current cer?ficate • The cer?ficate doesn't match a root cer?ficate, and there are no more cer?ficates • The original cer>ficate is untrusted :( • The en?re cer>ficate chain is untrusted 4 IV III II I
Cer?ficate Signing Request (CSR) $ openssl req -nodes -new -key private.key -out server.csr ... Country Name (2 letter code) [AU]:US Common Name (eg, YOUR name) []:www.example.com ... IV III II I
Cer?ficate Signing Request (CSR) for a self-signed cer?ficate Sign the cer?ficate $ openssl x509 -req -days 365 -in server.csr -signkey private.key -out certificate.pem hTps:/ /devcenter.heroku.com/ar?cles/ssl-cer?ficate-self IV III II I
a Cer?ficate Signing Request (CSR) for a trusted cer?ficate Request the Cer?ficate (*) Request generally means purchase. You can purchase an SSL cer?ficate either from a CA, or a reseller. Some providers offer visual tools that help you with the request process (e.g. by genera?ng the CSR) (*) IV III II I
a Cer?ficate Signing Request (CSR) for a trusted cer?ficate Request the Cer?ficate (*) • Select the cer?ficate type • Submit the CSR • Validate the request • Obtain the cer?ficate (*) IV III II I
(OV) Organiza?on Validated asserts control of a domain as well basic organiza?onal vepng ! (EV) Extended Valida?on asserts control of a domain as well extended organiza?onal vepng Cer>ficate Types IV III II I
key, and intermediate cer?ficate chain. Configure HTTPS configure protocol version, cypher suite and cypher sepngs. To deploy HTTPS you need to: IV III II I
v1 ($20/mo) $ heroku certs:add server.crt server.key Adding SSL Endpoint to example... done example now served by example-2121.herokussl.com. Certificate details: Expires At: 2012-10-31 21:53:18 GMT Issuer: C=US; ST=CA; L=SF; O=Heroku; CN=www.example.com Starts At: 2011-11-01 21:53:18 GMT hTps:/ /devcenter.heroku.com/ar?cles/ssl-endpoint hTps:/ /devcenter.heroku.com/ar?cles/ssl-cer?ficate-dnsimple IV III II I
HTTPS and it returns the Strict-Transport- Security header, the browser records this informa?on, so that future aTempts to load the site using HTTP will automa?cally use HTTPS instead. When the expira?on ?me specified by the Strict-Transport-Security header elapses, the next aTempt to load the site via HTTP will proceed as normal instead of automa?cally using HTTPS. Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains; preload IV III II I
HTTPS and it returns the Strict-Transport- Security header, the browser records this informa?on, so that future aTempts to load the site using HTTP will automa?cally use HTTPS instead. When the expira?on ?me specified by the Strict-Transport-Security header elapses, the next aTempt to load the site via HTTP will proceed as normal instead of automa?cally using HTTPS. Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains; preload IV III II I
report-uri="reportURI"] Public-Key-Pins: max-age=5184000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=" IV III II I