Security+ All-In-One Edition
Chapter 15 – Web Components
Brian E. Brzezicki

Web Components (443)
Believe it or not the web did not exist till about 1993. A few years later (about 1995) the commercialization of the Internet began. Web browsers allow us to access information in a quick, easy and universal way. The protocol of the web is called “HTTP” (Hypertext Transfer Protocol), which transfers HTML documents as well as other file formats.

HTTP
HTTP (TCP port 80) is the protocol for web communications. Unfortunately there are 2 problems with HTTP.
- No Encryption
- No Authentication of remote server
There are many useful web applications, for example online banking. Can anyone see why the top 2 issues are VERY problematic?

Enter SSL/TLS (445)
SSL and TLS are a way of securing network communications. They provide 2 important concepts.
- Server Authentication
- Encryption
SSL/TLS protected traffic is called HTTPS and runs at TCP port 443.

How does SSL work (447)
1. Client sends SSL version and cipher settings
2. Server responds, including its digital certificate
3. Client verifies the server is who it says it is (NOTE DISCUSS HOW)
4. Client encrypts a seed value with the server's public key
5. Server decrypts seed value and uses it to generate a master key
6. Client and server use seed value to generate a master key, which will be used to encrypt the session's traffic

SSL
Once this handshake is completed we have verified that the server is who he says he is AND we have exchanged keys for symmetric encryption.
This “handshake” is the CPU-intensive part of SSL communications, NOT the actual encryption.

Digital Certificates
Let’s take a quick look around an HTTPS connection.
- Go to using Firefox
- Click on the yellow lock, view certificate
- What are some of the fields you see here?
- Click on “Details” and look at the Certificate Hierarchy. What is this all about?

Digital Certificates
Go to a site with a bad digital certificate. What happens?
Have you ever seen errors like
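The "client verifies the server is who it says it is" step of the handshake only protects you if the client is configured to enforce it. The following is an added example, not part of the original slides: it uses Python's standard ssl module to contrast a deliberately weak client configuration with a hardened one and to audit either. The function names are chosen here for illustration.

```python
import ssl

def weak_client_context():
    """Deliberately weak: encrypts, but skips the 'client verifies the server' step."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, from anyone, is accepted
    return ctx

def hardened_client_context():
    """Chain verification against the system trust store plus hostname matching."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx

def audit_client_context(ctx):
    """Return a list of findings; an empty list means server authentication is enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not matched to the site name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocol versions older than TLS 1.2")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "no findings")
```

With the weak context the traffic is still encrypted, but nothing ties the key exchange to the real server, which is the "No Authentication of remote server" problem listed for plain HTTP.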