Pertemuan #10Secure HTTP (HTTPS)
Kuliah Pengaman Jaringan
The Plain Text HTTP
Consider the following HTTP request passed in clear text:
POST /search HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;)
Gecko/20020606Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 71
credit_card_num=1234567890123456&exp_date=2006-05&name=Chris%20Shiflett
Security For HTTP
We need a technology for HTTP that provides: Server authentication
Clients know they’re talking to the real server Client authentication
Servers know they’re talking to the real client Integrity
Servers & clients are safe from their data being altered Encryption
Clients & servers talk privately without fear of eavesdropping Efficiency
An algorithm fast enough for inexpensive clients and servers to use
Security For HTTP
Ubiquity Protocols are supported by virtually all clients and servers
Administrative scalability Instant secure communication for anyone, anywhere
Adaptibility Supports the best known security methods of the day
HTTPS Overview
Stands for HTTP Secure HTTP sent over secure transport layer (Secure Socket Layer) The most popular secure form of HTTP Pioneered by Netscape Corp. In 1994, Netscape released the spec of Secure Socket Layer By 1995, version 3.0 of SSL was released Supported by all major browsers & servers Dramatically changed the way people used the web The URL will start with https:// instead of http:// Some browser also display iconic security cues
HTTPS Overview
HTTPS Overview
Secure Socket Layer (SSL) provides: Data Integrity
Can help ensure that HTTP data can’t be changed while in transit
Data Confidentiality Provides strong cryptographic techniques used to encrypt HTTP
messages Identification
Can offer reasonable assurance as to the identity of a Web Server
Can also be used to validate the identity of a client, but this is less common
HTTPS Overview
Compared with HTTP in TCP/IP Protocol Stack
Server Port: 80 Server Port: 443
HTTP & HTTPS Transactions
Initiate connection
HTTP & HTTPS Transactions
Exchange data
HTTP & HTTPS Transactions
Terminate connection
SSL Security Parameters Handshake
HTTPS Server Certificate
Site Certificate Validation
SSL doesn’t require you to examine the web server But modern browser do some simple sanity checks on
certificates, the steps are: Date check
Check start/end date, ensure cert is still valid Signer trust check
Cert is signed by well-known trusted Cerfiticate Authority Signature check
Check cert integrity by applying the signing CA’s public key to the signature and comparing it to the checksum
Site identity check Domain name in cert matches with the server they’re talking to
Certificate Authorities CA is used to assure that a particular public key belongs to a particular
person (or domain name, for example: its-sby.edu) CA is a trusted 3rd party that assures
the identity of a public key’s ownerwith a digital certificate
Digital cert is a document declaringa particular pub-key is owned bya particular web site
CA’s role is very similar to a notarywhose responsibility is to ensurethe correct identity ofpeople signing a legal document
Tunnelling Secure Traffic Through Proxies
Corporate firewall proxy
Tunnelling Secure Traffic Through Proxies
Proxy can’t read the encrypted HTTP header, so it won’t know where to forward the request
A few modifications are needed to tell the proxy where to connect
One popular technique is the HTTPS SSL tunnelling protocol
SSL Tunnelling
To allow SSL traffic to flow through proxy firewalls, a tunnelling feature was added to HTTP
Encrypted data is placed inside HTTP messages and sent through normal HTTP channels
SSL TunnellingTunnels let non-HTTP traffic flow through HTTP connections
SSL TunnellingDirect SSL connection vs. tunnelled SSL connection