Saturday, 11 March 2017

Is HTTPS Really Secure? (Part 1)

HTTPS, also known as Secure HTTP, HTTP over SSL or HTTP over TLS, is a protocol that is considered more secure than plain HTTP. It has "secure" in its name, but is it really as secure as we think? In this article, we will learn more about HTTPS and how its security works.


Why do we need HTTPS?

Currently, Google takes HTTPS into account when evaluating Web pages. However, we don't always need HTTPS; we need it only when the information being sent must be kept secure.

Why do we secure information?

During a war, much military and intelligence information is meant only for certain people; others, and especially the enemy, must not learn it. However, for various reasons, information is not delivered directly from the sender to the recipient but passes through a number of intermediaries, so it is easily leaked. For example, messages sent by telegraph are easily intercepted and eavesdropped on.

So people use many different methods to encode the information they send, to ensure that nobody except the intended recipient understands it, even if others hear it. If you have ever seen the movie Windtalkers, you will understand the importance of encryption in war.

Similarly, on the Internet today there are many attacks of this kind. One common form is eavesdropping; a more powerful one is known as Man in the Middle (MITM). However, this article will not go into the details of those attacks; maybe I'll come back to them in a later article. What I want to say here is that what we do on the Internet is never literally private at all.

Big Brother is watching you

The Internet is a huge web of connected computers; a packet passes through many different intermediate machines before it reaches the recipient. Nothing stops someone who wants to tamper with our packet along the way. In fact, the way the Internet works makes eavesdropping very easy. If you don't believe it, install Wireshark and see how busy the network you are using really is.

Much of what we do on the Internet doesn't matter if other people know about it. But there are many things we don't want anyone to know, and hiding the things we call "secrets" from the prying eyes of those around us is a very legitimate human need. Because snooping on packets is so commonplace, we need encryption methods to ensure that only we and the recipient understand the packets we send. Whoever snoops on them along the way may read them but will understand nothing.

That's why we need HTTPS: HTTPS encryption protects the transactions between the Web server and the browser. Additionally, HTTPS has other benefits, such as authenticating the server (which helps against phishing), etc.

How does HTTPS secure transaction?

When the browser accesses a Web page over HTTPS, the browser and the server establish an SSL connection using the SSL Handshake Protocol. Establishing the connection is completely transparent to users; ordinary users don't need to care about it.

To establish an SSL connection, three keys are used: the public key, the private key and the session key. The public and private keys form a pair: whatever is encrypted with the public key can only be decrypted with the private key. The session key is the key used in symmetric encryption; it is used for both encryption and decryption.

If you don't fully understand public key encryption and symmetric encryption, you may want to read about them before we continue.

Public key encryption is costly, so it is used only while establishing the connection; once the connection is established, symmetric encryption (with the session key) is used. The entire process takes place as follows:

  • The browser connects to the server using HTTPS.
  • The server returns its SSL certificate, which contains the public key used for encryption.
  • The browser checks the certificate (we will learn about this process in the next section). If everything is OK, it randomly generates a session key and sends it to the server, encrypted with the public key.
  • The server decrypts the packet with its private key to obtain the session key, and sends the browser a response confirming that it received the key.
  • From here on, the packets the server and the browser send and receive are encrypted with the session key.
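The five steps above, written out as an added Go example (the post itself has no code; this is not the author's). It follows the post's description literally: the server's RSA key pair stands in for the certificate, the browser wraps a random session key with the public key, and AES-GCM plays the role of the symmetric cipher for step 5. The function names, the 2048-bit key size and the request text are my own choices. One caveat a practitioner should know: this is the RSA key-transport flow the post describes; current TLS (1.3) instead derives the session key from an ephemeral Diffie-Hellman exchange, so that a later leak of the server's private key does not expose recorded past sessions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// BrowserWrapSessionKey is step 3: a random 256-bit session key, encrypted with the server's public key (RSA-OAEP).
func BrowserWrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerUnwrapSessionKey is step 4: only the private key can recover the session key.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 5: data under the symmetric session key (AES-256-GCM); the random nonce is prepended.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open reverses Seal; GCM's authentication tag makes it reject a packet that was altered in transit.
func Open(sessionKey, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// RunHandshake plays both sides through steps 2 to 5. It returns the request as
// the server decrypted it and the wrapped key as it travelled over the wire.
func RunHandshake(request string) (serverSaw string, wrapped []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // private half never leaves the server
	if err != nil {
		return "", nil, err
	}
	browserKey, wrapped, err := BrowserWrapSessionKey(&priv.PublicKey) // steps 2-3
	if err != nil {
		return "", nil, err
	}
	serverKey, err := ServerUnwrapSessionKey(priv, wrapped) // step 4
	if err != nil {
		return "", nil, err
	}
	ct, err := Seal(browserKey, []byte(request)) // step 5, browser -> server
	if err != nil {
		return "", nil, err
	}
	req, err := Open(serverKey, ct)
	return string(req), wrapped, err
}

// EavesdropperFails shows why the private key must stay private: a party that
// captured the wrapped session key but holds a different key pair cannot unwrap it.
func EavesdropperFails(wrapped []byte) bool {
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // demo only: key generation failure is not the case under study
	}
	_, err = ServerUnwrapSessionKey(other, wrapped)
	return err != nil
}

func main() {
	req, wrapped, err := RunHandshake("GET / HTTP/1.1")
	fmt.Println(req, err, EavesdropperFails(wrapped))
}
```

Running it prints the request exactly as the server recovered it, `<nil>` for the error, and `true` for the eavesdropper check: the wrapped key is visible on the wire, but without the matching private key it cannot be opened, and because GCM authenticates every packet, a packet modified in transit is rejected instead of being decrypted into garbage.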

SSL certificate

An SSL certificate is used to establish a connection between the browser and the server. Technically, SSL certificate files are relatively small; they contain the public key along with other information about the organization that owns the Web site.

Some information is stored in the SSL certificate:

  • Domain name, server hostname
  • Company name, organization, contact
  • Expiry date
  • Public key

However, such a certificate could be completely counterfeited. It's like writing a resumé: how does anyone know that what we wrote is true? We need it to be certified by a local authority. SSL works the same way: to ensure a certificate is not fake, we need a Certificate Authority.

A Certificate Authority (CA) can confirm that a certificate is genuine by signing it electronically with its own private key. The CA acts like a licensed notary: its signature is trusted, and a certificate it has signed can be considered valid.

Often, CAs sell certificates and confirm the paperwork they have issued, so we often have to buy SSL certificates at a very high price. In fact, the value of an SSL certificate lies not only in the certificate itself; a part of the price is the seller's brand.

Actually, the CA's signature also needs to be authenticated, just as we check the signature of a notary. The CA's certificate is certified by a higher-level CA, and the process is recursive, as follows:


Each certificate is certified by the certificate one level above it, and the highest level is called the Root CA certificate. A Root CA certificate is itself an SSL certificate, but it is used for authentication, and its electronic signature is attached to the certificates sold to commercial users. Root certificates are usually pre-installed in the browser; when the browser receives a certificate from a website, it uses the root certificates to check whether the received certificate is valid.
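The chain just described, and the check the browser performs on it, as an added Go example (not from the original post, which has no code). It issues a root CA, an intermediate CA signed by the root, and a server certificate signed by the intermediate, then verifies the server certificate the way a browser would: trusting only the pre-installed root, taking the intermediate from the server, and checking the hostname. The CA names, the host name shop.example and the organisation name are constructed for the example; the certificate fields filled in are the ones the list above names (hostname, organisation, expiry date, public key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with the private key that belongs to it.
type Issued struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// template fills the fields the article lists (name or hostname, organisation,
// expiry date); newCert adds the key pair. CA certificates may sign others.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.Subject.Organization = []string{"Example Shop Ltd"} // constructed owner name
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a key pair and a certificate for tmpl. With parent == nil the
// certificate signs itself (a root CA); otherwise the parent's private key signs it.
func newCert(tmpl *x509.Certificate, parent *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// Chain is root -> intermediate -> leaf, the recursive picture from the article.
type Chain struct{ Root, Intermediate, Leaf *Issued }

// BuildChain issues a complete chain for host with freshly generated keys.
func BuildChain(host string) (*Chain, error) {
	root, err := newCert(template(1, "Example Root CA", true), nil)
	if err != nil {
		return nil, err
	}
	inter, err := newCert(template(2, "Example Intermediate CA", true), root)
	if err != nil {
		return nil, err
	}
	leaf, err := newCert(template(3, host, false), inter)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify plays the browser: the only trust anchor is the pre-installed root, the
// intermediate arrives from the server, and the typed hostname must match the certificate.
func Verify(leaf, intermediate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	c, err := BuildChain("shop.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", Verify(c.Leaf.Cert, c.Intermediate.Cert, c.Root.Cert, "shop.example"))
}
```

Running it prints `<nil>` for the genuine chain. The counterfeit case from the resumé comparison is easy to reproduce: a second `BuildChain("shop.example")` produces certificates with exactly the same names, but they are signed by a root the browser never installed, so `Verify` against the first root fails with an unknown-authority error; a genuine certificate presented for a different hostname fails the same way with a hostname error.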

Through this authentication process, when using HTTPS we are not simply encrypting the information; we also get authentication, and know that we are working with the party we intended to.

Because the authentication, encryption and decryption processes described above are complex, HTTPS takes more time to process than HTTP. In many cases HTTPS isn't necessary: many large news sites such as CNN and the BBC don't use HTTPS for their web sites, simply because they are news pages with no sensitive information, so a quick response is more important.

This is quite a long article, so I will split it into two parts. In the next article, we will figure out whether HTTPS is secure or not!
