About Me: I am currently a Computer Science major at San Jose State University.

Monday, December 2, 2013

Communications and Security: HTTPS and you



As the Internet becomes more and more prevalent, many activities that we used to do in person, like shopping, have moved online. According to a Nielsen survey, in 2012, 59 percent of the respondents stated that they now perform most of their shopping online. Whenever I need to get some parts for my computer, books to read, or some games to play, I always choose the internet over brick and mortar stores. Since so many people make their purchases online, there needs to be some sort of way to safely send credit card information to the seller; otherwise some mischievous hacker might grab the information during the transfer. In order to prevent this, a different type of HTTP called HTTPS (not very creative were they?) was implemented; it runs ordinary HTTP over SSL, and later TLS, which encrypts any sensitive information while it is in transit.

There are a number of steps that happen when a browser wishes to connect to a TLS/SSL secured server. The first step in the handshake is for the user and the server to exchange some session-specific data: which version of TLS/SSL they are using, some security settings, and the server's digital certificate. With that information in hand, the user's browser attempts to authenticate the server by checking that certificate. If the certificate comes back clean, the transaction proceeds; if the browser was not able to authenticate the server, the user is notified and asked whether they wish to continue. I really would not recommend continuing, for the internet is dark and full of terrors. Once the server has been verified, the user's browser creates a key, encrypts it with the server's public key (the one carried in the certificate, so only the server can read it), and sends it to the server. Once the server acquires that key, the client notifies the server that all future communications will be encrypted with it, and the session can begin. That is a basic look at how your credit card information is safely sent across the series of tubes that we call the Internet. If I missed anything glaring in my explanation, please let me know; network and computer security is not my specialty.
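Here is the handshake above run end to end, as an added example I wrote for this page (it is not code from the original post): Go's standard library plays both the browser and the shop over a loopback TCP connection. The certificate is self-signed and stands in for the CA-issued one a real site would present; the name shop.example, the order payload and the one-entry trust store are all made up for the demo. The same function is then called with an empty trust store and with the wrong host name, which are the two ways the "browser could not authenticate the server" branch shows up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// NewServerIdentity makes a self-signed certificate for name. A real shop's
// certificate is issued by a CA the browser trusts; this one stands in for that.
func NewServerIdentity(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der) // Leaf is what the client adds to its trust store
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Exchange plays one HTTPS-style session over loopback TCP: the server presents
// serverCert, the client trusts only roots and expects serverName. It returns the
// reply and negotiated state, or the client's verification error (no data was sent).
func Exchange(serverCert tls.Certificate, roots *x509.CertPool, serverName string, payload []byte) ([]byte, tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: accept, handshake, read the order, answer, hang up
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		defer raw.Close()
		conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		if err := conn.Handshake(); err != nil { // the client rejected our certificate
			return
		}
		buf := make([]byte, 4096)
		if n, err := conn.Read(buf); err == nil {
			fmt.Fprintf(conn, "order accepted (%d bytes)", n)
		}
		conn.Close() // sends close_notify, so the client sees a clean EOF
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 2*time.Second)
	if err != nil {
		return nil, tls.ConnectionState{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Client(raw, &tls.Config{ServerName: serverName, RootCAs: roots})
	// Write first runs the handshake (hello, certificate check, key exchange); only
	// if the server authenticated does the payload go out as an encrypted record.
	if _, err := conn.Write(payload); err != nil {
		return nil, tls.ConnectionState{}, err
	}
	reply, err := io.ReadAll(conn)
	return reply, conn.ConnectionState(), err
}

func main() {
	cert, err := NewServerIdentity("shop.example") // constructed name
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // the browser's trust store, holding only our shop
	trusted.AddCert(cert.Leaf)
	payload := []byte("order=book-42&card=<redacted>") // constructed sample
	reply, state, err := Exchange(cert, trusted, "shop.example", payload)
	fmt.Printf("trusted: %q over TLS 0x%04x, err=%v\n", reply, state.Version, err)
	_, _, err = Exchange(cert, x509.NewCertPool(), "shop.example", payload)
	var unknown x509.UnknownAuthorityError
	fmt.Printf("untrusted issuer: %v (refused: %t)\n", err, errors.As(err, &unknown))
	_, _, err = Exchange(cert, trusted, "other.example", payload)
	var badName x509.HostnameError
	fmt.Printf("wrong name: %v (refused: %t)\n", err, errors.As(err, &badName))
}
```

Run it with `go run`. In the trusted case the reply comes back and the connection state reports the negotiated version and cipher; in the other two cases Go's client does what the post suggests a browser should do rather than ask: it refuses the handshake, returns the verification error, and the card data never leaves the client.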

A couple of sites that both provide information about TLS and certificates for servers:

3 comments:

  1. Hey Matthew,
    Interesting post about HTTPS and how it helps keep us secure. I just want to point out one error in your writing where you break a new paragraph in your first and second paragraphs. You probably hit enter by mistake or something. Other than that, this was very informative. I had a general understanding about HTTPS but this cleared some of my questions right up. A very technical but conversational post! It would have been nice if you included what each acronym stood for but that's just a minor gripe. Keep up the good work!

  2. Hi Matthew,
    It is a good post for the introduction of HTTPS. I like reading your blog for that. From the start, you cited a survey to clarify how dispensable the Internet is and thus how important network security is. I think a survey is the most persuasive way of telling people the truth, and that's why I love surveys!

    You also gave me a very detailed introduction to HTTPS and how it works. It was very clearly thought out, and I am sure you must be very familiar with it. But I was kind of confused by it, and I think it would be better if you had more concrete instances. Anyway, it is a good blog. Good job!

  3. Hi Matthew,
    Interesting post on HTTPS and TLS / SSL and how it works. Especially the failure part. If the certificate of a server cannot be verified / authenticated, the protocol dictates that the user should be notified and that he should be making an informed decision whether to continue or not. However, I feel this is a potential point of failure, since a large number of people have no idea how the protocol works and what is actually meant by "authentication failure". Hence, these people choose to continue with the connection. Instead, the protocol should have just stopped the user from continuing. It would be a little inconvenient in case of genuine hits, but in any case it is better to err on the side of caution than getting one's fingers burnt.
