Secure Socket Layer (SSL) : Divey Gupta Sunny Gajjar B.Tech-IV Computer Engg. NIT-Surat


SECURE SOCKET LAYER (SSL) & HTTPS

Divey Gupta
Sunny Gajjar
B.Tech-IV
Computer Engg.
NIT-Surat
SSL???
 TLS & SSL are cryptographic protocols for providing secure communication.

 They work at the Application Layer of the OSI model.

 SSL encrypts the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer.
HISTORY
 Originally developed by Netscape

 SSL versions are 1, 2 & 3

 TLS 1.0 and TLS 1.1

 Latest standard used: TLS 1.2

NEED OF SSL??
 you have an online store or accept online
orders and credit cards
 you offer a login or sign in on your site
 you process sensitive data such as address,
birth date, license, or ID numbers
 you need to comply with privacy and security
requirements
 you value privacy and expect others to trust
you
How does it work??
• What Happens When a Web Browser Connects to a Secure Web Site
A browser attempts to connect to a Web site secured with SSL.
HOW DOES SSL ENCRYPTION WORK?
 Web servers and Web browsers rely on the Secure Sockets
Layer (SSL) protocol to create a uniquely encrypted channel
for private communications over the public Internet.

 Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it.

 When a Web browser points to a secured domain, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server’s capabilities. That is why SSL Certificates feature a range of encryption levels such as "up to 256-bit".
Security Issues
 Privacy: Messages encrypted using conventional cryptography with a shared key
eg: 3DES, RC2 etc.

 Key Exchange: Public key encryption
eg: RSA or Diffie-Hellman

 Integrity: Message Authentication Code (MAC)
eg: MD5, SHA1

 Authentication
HOW DO I KNOW THAT A SITE HAS A
VALID SSL CERTIFICATE?
Certificate Authority (CA)
 A CA issues digital certificates that contain a public key and the identity of the owner.

 In essence, the CA is responsible for saying "yes, this person is who they say they are, and we, the CA, verify that".

 Providers: VeriSign and its acquisitions (which include Thawte and Geotrust) have a 47.5% share of the certificate authority market, followed by GoDaddy (23.4%), and Comodo (15.44%).
Latest Developments
 Extended Validation (EV) SSL: EV SSL requires a rigorous process of Web site authentication and is considered the “gold standard” in the e-commerce industry for authenticating the legitimate identity of a Web site.
 Introduced to combat increased phishing attacks
LIMITATIONS
 SSL is designed to provide point-to-point security. If multiple intermediary nodes exist between the two endpoints, point-to-point security fails and end-to-end security is required.
– Web Service Scenario: SOAP messages route through multiple intermediary nodes, and those intermediary nodes will not be able to participate in operations.

 SSL encryption is at the transport level rather than at the application level.
– Messages are encrypted only during transmission over the network.
– Other security mechanisms are required to handle security of the messages in an application or on disk.
HTTPS??
 HTTPS (HTTP over SSL or HTTP Secure) is the use of SSL or TLS as a sublayer under regular HTTP application layering.

 HTTPS connections are often used for payment transactions.
DIFF BETWEEN HTTP & HTTPS
 HTTP is a protocol for information to be passed back and forth between web servers and clients. It uses port 80.

 HTTPS: It's all about keeping you secure. It uses port 443.
HOW DOES SHTTP DIFFER FROM HTTPS?
 SHTTP is an alternative to the HTTPS URI scheme for encrypting web communications carried over HTTP. SHTTP authenticates a user.

 SHTTP & HTTPS were both defined in the 1990’s, but NETSCAPE and MICROSOFT supported HTTPS. HTTPS authenticates a server.
Problems with HTTPS and the Lock
Icon
1. Upgrade from HTTP to HTTPS

2. Semantic attacks on certificates

3. Invalid certificates

4. Mixed content
-HTTP and HTTPS on the same page
HTTP → HTTPS upgrade
Man in the middle attack using
invalid certificates
HOW TO TRUST AN HTTPS CONN.
 If the user trusts that its browser software correctly
implements HTTPS with correctly pre-installed certificate
authorities.
 If the user trusts the certificate authority to vouch only for
legitimate websites without misleading names.
 If the website provides a valid certificate (an invalid
certificate shows a warning in most browsers), which means
it was signed by a trusted authority.
 If the certificate correctly identifies the website (e.g. visiting
https://example and receiving a certificate for "Example
Inc." and not anything else)
 If either the intervening hops on the Internet are
trustworthy, or the user trusts the protocol's encryption
layer (TLS or SSL) is unbreakable by an eavesdropper.
Why is HTTPS not used for all web
traffic?
 Slows down web servers

 Breaks Internet caching
- ISPs cannot cache HTTPS traffic
- Results in increased traffic at the web site

 Incompatible with virtual hosting (older browsers)
HOW TO CREATE HTTPS WITH
OpenSSL
1. Generate an RSA private key
openssl genrsa -des3 -out server.key 1024

2. Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr

3. Generate a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

4. Install the Private Key and Certificate
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
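The three OpenSSL steps above, run end to end as an added example (not part of the slides), followed by the check a browser performs from the "How to trust an HTTPS connection" slide: does a trusted authority vouch for this certificate? It assumes `openssl` is installed; the hostname example.test, the scratch directory and the 2048-bit unencrypted key (instead of the slide's 1024-bit -des3 key, so nothing prompts for a passphrase) are choices made here.

```shell
#!/bin/sh
# Added example: generate the key, CSR and self-signed cert from the slides,
# then show why a self-signed cert triggers a browser warning.
set -eu

WORK="$(mktemp -d)"      # constructed scratch directory
CN="example.test"        # hypothetical hostname, not a real site

make_self_signed() {
    # Step 1: RSA private key (2048-bit, no passphrase, so it runs unattended).
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    # Step 2: CSR; -subj replaces the interactive questionnaire.
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$CN" 2>/dev/null
    # Step 3: certificate signed with the same key, valid 365 days.
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Subject CN inside the certificate: what the browser compares with the URL host.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/server.crt" \
        | sed 's/.*CN=//'
}

# Exit 0 only if a CA in the system trust store signed the cert.
# A self-signed cert FAILS here: nobody the client already trusts vouches for it,
# which is exactly the "invalid certificate" warning on the slides.
verify_with_system_cas() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when the cert is checked against a CA file that explicitly lists it.
# This is what a user does when they add an exception for a self-signed site.
verify_with_trusted_file() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

make_self_signed
echo "certificate issued for CN=$(cert_cn)"
if verify_with_system_cas; then
    echo "trusted by the system CA store"
else
    echo "NOT trusted by the system CA store (self-signed, browser would warn)"
fi
```

Only step 4 (copying the files into the Apache configuration directory) is left out, since that path depends on the server installation.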
Questions?
