As the Internet becomes more and more prevalent, many activities that we used to do in person, like shopping, have moved online. According to a Nielsen survey, in 2012, 59 percent of the respondents stated that they now perform most of their shopping online. Whenever I need to get some parts for my computer, books to read, or some games to play, I always choose the Internet over brick-and-mortar stores. Since so many people make their purchases online, there needs to be some way to safely send credit card information to the seller; otherwise some mischievous hacker might grab the information while it is in transit. To prevent this, a variant of HTTP called HTTPS (not very creative, were they?) was introduced. It uses SSL, and later TLS, to encrypt any sensitive information before it leaves the browser.
There are a number of steps that happen when a browser wishes to connect to a TLS/SSL-secured server. The first step in the handshake is for the client and the server to exchange some session-specific data: which version of TLS/SSL they will use, the security settings (cipher choices) they support, and the server's digital certificate. With that information in hand, the browser attempts to authenticate the server by checking the certificate. If the certificate comes back clean, the transaction proceeds; if the browser is not able to authenticate the server, the user is notified and asked whether they wish to continue. I really would not recommend continuing, for the Internet is dark and full of terrors. Once the server has been verified, the client creates a key, encrypts it with the server's public key (taken from the certificate), and sends it to the server. Once the server has decrypted that key, the client notifies the server that all future communications will be encrypted with it, and the session can begin. That is a basic look at how your credit card information is safely sent across the series of tubes that we call the Internet. If I missed anything glaring in my explanation, please let me know; network and computer security is not my specialty.
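To make the handshake above concrete, here is an added toy simulation (not code from the original post) of the RSA key-transport handshake it describes, as used in TLS 1.2 and earlier. It uses textbook RSA on hardcoded Mersenne primes and a truncated hash purely for illustration; the CA, server and "rogue" CA keys, the certificate format and the session-key derivation are all constructed for this example, and the client fails closed on an untrusted certificate instead of asking the user.

```python
import hashlib, hmac, secrets

E = 65537  # RSA public exponent

def rsa_keypair(p, q):
    """Textbook RSA (no padding) on known primes: illustration only, never for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public key, private key)

def rsa_apply(key, m):
    """m^exp mod n: encrypt/verify with a public key, decrypt/sign with a private one."""
    n, exp = key
    return pow(m, exp, n)

def digest(data):
    """128-bit truncation of SHA-256 so the value is below every modulus used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def issue_cert(subject, subject_pub, ca_priv):
    """The CA signs (subject, public key); this happens long before any handshake."""
    body = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"body": body, "sig": rsa_apply(ca_priv, digest(body))}

def cert_is_trusted(cert, trusted_cas):
    """Step 2: the certificate's signature must verify under a CA the client trusts."""
    return any(rsa_apply(ca, cert["sig"]) == digest(cert["body"]) for ca in trusted_cas)

def session_key(pre_master):
    """Step 4: both sides derive the same key; after ChangeCipherSpec all traffic uses it."""
    return hmac.new(pre_master, b"session key", "sha256").digest()

def client_handshake(server_cert, trusted_cas):
    """Client side. Returns (ClientKeyExchange message, client's session key)."""
    # Steps 1-2: hello messages exchanged, certificate received. Fail closed if untrusted.
    if not cert_is_trusted(server_cert, trusted_cas):
        raise ConnectionError("server certificate is not signed by a trusted CA")
    _, n, e = server_cert["body"].decode().split("|")
    # Step 3: fresh pre-master secret, encrypted to the server's public key from the cert.
    pre_master = secrets.token_bytes(16)
    encrypted = rsa_apply((int(n), int(e)), int.from_bytes(pre_master, "big"))
    return encrypted, session_key(pre_master)

def server_handshake(client_key_exchange, server_priv):
    """Server side: only the private key holder can recover the pre-master secret."""
    pre_master = rsa_apply(server_priv, client_key_exchange).to_bytes(16, "big")
    return session_key(pre_master)

# Constructed keys (Mersenne primes): a trusted CA, a rogue CA and the shop's server.
CA_PUB, CA_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = rsa_keypair(2**31 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
```

A certificate issued by the rogue CA for the same server name is rejected by a client that trusts only `CA_PUB`, which is exactly the case where a real browser would show the warning discussed above.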
A couple of sites that provide information about TLS and server certificates:
Hey Matthew,
Interesting post about HTTPS and how it helps keep us secure. I just want to point out one error in your writing where you break a new paragraph in your first and second paragraphs. You probably hit enter by mistake or something. Other than that, this was very informative. I had a general understanding about HTTPS but this cleared some of my questions right up. A very technical but conversational post! It would have been nice if you included what each acronym stood for, but that's just a minor gripe. Keep up the good work!
Hi Matthew,
It is a good post as an introduction to HTTPS. I like reading your blog for that. From the start, you cited a survey to clarify how dispensable the Internet is and thus how important network security is. I think a survey is the most persuasive way of telling people the truth, and that's why I love surveys!
You also gave me a very detailed introduction to HTTPS and how it works. It was very clearly thought out, and I am sure you must be very familiar with it. But I was kind of confused by it, and I think it would be better if you had more concrete instances. Anyway, it is a good blog. Good job!
Hi Matthew,
Interesting post on HTTPS and TLS/SSL and how it works, especially the failure part. If the certificate of a server cannot be verified/authenticated, the protocol dictates that the user should be notified and that he should be making an informed decision whether to continue or not. However, I feel this is a potential point of failure, since a large number of people have no idea how the protocol works and what is actually meant by "authentication failure". Hence these people choose to continue with the connection. Instead, the protocol should have just stopped the user from continuing. It would be a little inconvenient in case of genuine hits, but in any case it is better to err on the side of caution than to get one's fingers burnt.