ch14: Secure HTTP

1. Making HTTP Safe

We need a technology for HTTP security that provides:

  • Server authentication (clients know they're talking to the real server, not a phony)

  • Client authentication (servers know they're talking to the real user, not a phony)

  • Integrity (clients and servers are safe from their data being changed)

  • Encryption (clients and servers talk privately without fear of eavesdropping)

  • Efficiency (an algorithm fast enough for inexpensive clients and servers to use)

  • Ubiquity (protocols are supported by virtually all clients and servers)

  • Administrative scalability (instant secure communication for anyone, anywhere)

  • Adaptability (supports the best known security methods of the day)

  • Social viability (meets the cultural and political needs of the society)

1.1 HTTPS

2. HTTPS: The Details

2.1 HTTPS Schemes

2.2 Secure Transport Setup

2.3 SSL Handshake

2.4 Server Certificates

The server certificate is an X.509 v3derived certificate.

2.5 Site Certificate Validation

The steps are:

2.5.1 Date check

The browser checks the certificate's start and end dates to ensure the certificate is still valid.

2.5.2 Signer trust check

Every certificate is signed by some certificate authority (CA).

Browsers ship with a list of signing authorities that are trusted.

If a browser receives a certificate signed by some unknown authority, the browser usually displays a warning.

2.5.3 Signature check

The browser check the certificate's integrity by applying the signing authority's public key to the signature and comparing it to the checksum.

2.5.4 Site identity check

To prevent a server from copying someone else's certificate or intercepting their traffic, most browsers try to verify that the domain name in the certificate matches the domain name of the server they takled to.

3. Tunneling Secure Traffic Through Proxies

Once the client starts encrypting the data to the server, using the server's public key, the proxy no longer has the ability to read the HTTP header. And it won't know where to forward the request.

Use HTTPS tunneling protocol.

The client first tells the proxy the secure host and port to which it wants to connect.

And the client can transfer SSL data.

Previousch13: Digest AuthenticationNextch15: Entities and Encodings

Last updated