HTTP Secure
Introduction
“Hypertext Transfer Protocol Secure (HTTPS)
is a widely used communications
protocol for secure communication over a computer network, with especially wide deployment on the Internet.”[1]
HTTPS is an extension of the existing HTTP protocol combined with SSL/TLS protocols for adding security to Web communications. It was created by Netscape Communications for its Netscape Navigator web browser. The RFC document states the origin of the currently used protocol from back to 2000.[2] HTTP alone was and is too insecure and is vulnerable to man-in-the-middle and eavesdropping attacks, therefore access to website accounts and sensitive information can take place. HTTPS was designed to provide security against such attacks. It brought a lot of new enhancements of security in comparison to HTTP. It can give extra independent security measures, authentication, confidentiality and integrity in web transactions. This new protocol is flexible in using cryptography, key management and security policies. It is very common today and widely used.
The Record Protocol works at a lower level in the transport layer. It can be layered amongst a
TLS also aims to achieve interoperability, extensibility and efficiency.
Interoperability for enabling programmers to develop applications without knowing one another’s code. Extensibility to avoid the need of creating a new security library when developing a new protocol. Finally TLS tries to improve efficiency and speed. All this cryptographic and key exchanging mechanisms make use of a lot of resources and CPU power. By using a caching memory, it tries to remember some connections so that it could avoid re-establishing those all over from the start.[4]
The Record Protocol works at a lower level in the transport layer. It can be layered amongst a
TLS also aims to achieve interoperability, extensibility and efficiency.
Interoperability for enabling programmers to develop applications without knowing one another’s code. Extensibility to avoid the need of creating a new security library when developing a new protocol. Finally TLS tries to improve efficiency and speed. All this cryptographic and key exchanging mechanisms make use of a lot of resources and CPU power. By using a caching memory, it tries to remember some connections so that it could avoid re-establishing those all over from the start.[4]
Differences between HTTP and HTTPS
The most obvious and well known difference amongst all users
is that HTTP transactions begin with a “http://”
URL and HTTPS with a “https://” one. HTTP uses port 80 and HTTPS port 443. HTTPS works by transmitting
normal HTTP packets through an encrypted system, so that the information cannot
be intercepted by a third party other than the client and server.
In
case you are accessing sensitive sites like your banking account or email, many
websites offer an HTTPS connection to make sure no one can directly eavesdrop
on your data. The HTTPS security protocol
operates at a lower layer, the one of data transmission, rather than HTTP which
operates in the highest one, the Application layer. The new protocol achieves
higher security by using techniques such as Signature/Certificate validation, key
exchanging, encryption and Message integrity.
SSL/TLS protocols
“Several
versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP
(VoIP).”[3]
SSL
stands for Secure Sockets Layer.
SSL
is an Internet security protocol mainly used by
web applications such as Internet browsers and Web servers to transmit sensitive information via
public-key encryption. Originally HTTPS was used over SSL protocol, but later SSL
was merged with TLS to form a new standard, and nowadays the protocol uses also
TLS’s security.
SSL comes in two options, simple and
mutual.
The mutual version is more secure, but
requires users to install a personal certification scheme in their browser in
order to authenticate themselves. Whatever option is used, the level of
protection is mostly up to the application used, the web browser’s and server
software. Both of them should support cryptographic algorithms in order to totally exploit SSL’s
capabilities.
In mutual authentication, the
session is managed by the first server that establishes the connection. With
mutual SSL or TLS, security reaches its maximum capabilities, but on the
client-side, there is no way to properly terminate the SSL connection except by
closing all related client applications or waiting for the SSL server session
to expire.
SSL allows websites to be indexed
using a software called web crawler, that searches the World Wide Web. In some
cases the URI (Uniform Resource
Identification)of
the encrypted resource can be reffered to by only knowing the intercepted request packet size. This
allows an attacker to have access to both the plaintext and the cyphertext permitting him to carry a cryptographic
attack. Cyphertext is
the encrypted version of the plaintext transmitted.
Because SSL operates in a lower layer than HTTP,
and is unaware of higher-level protocols, SSL servers can only strictly present
one certificate for a particular IP-port address combination. This means that,
in most cases, it is not manageable to send the name of the virtual host via
HTTPS. This problem was later overcomed as new web browsers support now an
extension called Server
Name Indication (SNI) which sends the hostname to the
server before encrypting the connection.SNI allows the server software to choose earlier for the
correct virtual domain and present the web browser with the right certificate.
TLS stands for
Transport Layer Security.
TLS protocol is composed of two layers, the TLS Record Protocol and the TLS Handshake Protocol.
TCP/IP protocol to make it more reliable. This protocol uses symmetric cryptography for data encryption(DES,RC4).The Handshake Protocol secretly generates unique keys used for Record Protocol’s cryptography. The Record Protocol can also be used without encryption because it provides reliable connections using message integrity check, MAC along with secure hash functions(SHA,MD5).
TLS protocol is composed of two layers, the TLS Record Protocol and the TLS Handshake Protocol.
TCP/IP protocol to make it more reliable. This protocol uses symmetric cryptography for data encryption(DES,RC4).The Handshake Protocol secretly generates unique keys used for Record Protocol’s cryptography. The Record Protocol can also be used without encryption because it provides reliable connections using message integrity check, MAC along with secure hash functions(SHA,MD5).
HTTPS Security
techniques
Signature-Certificates
A web server using TLS is
authenticated by a web browser, so that the user can feel secure that his/her
interaction within a specific domain will
not be intercepted by eavesdroppers and that the web site represents what it
claims and shows to be. In practice, a web site operator obtains a signed
certificate by applying to a certificate provider known as commercial retailer
of certificates. Such certificate requests are electronic documents that
contain information such as web site’s
name, company and contact detail’s, registered location and more. Such
providers inspect the information provided and sign the request if everything
is valid, and produce a public certificate. When a user browses the web, this
public certification scheme validates and identifies wherever a web site
accessed by any web browser is safe and a certificate has been issued for it.
Key exchange and
encryption
SSL allows a proxy server to act as a link between the client
and the server. SSL runs higher than TLS, at the application layer and provides
secure exchange of data such as bank account details, between a client and a server.
SSL uses certificates, private and public key exchange mechanisms and key
agreements to provide privacy. Authentication and integrity are achieved by
using Message Authentication Code (MAC).This is basically an algorithm
used for ensuring data integrity and authenticity. The information handled by
this code is known as a Cypher Suite and exists within a Public Key Infrastructure (PKI).
“PKI is a security
architecture that has been introduced to provide an increased level of
confidence for exchanging information over an increasingly insecure Internet.[6]
“
Message Integrity
In order to ensure that a message has not been interfered
with between the sender and recipient, an encoded data (or hash code),is
applied to the message and attached to it. This code stream is of fixed length
value and therefore it cannot be easily reversed. The hash code is encrypted to
form the MAC algorithm, using
the sender’s private key, and then it is decrypted at the other side by using
the sender's public key. The new encrypted message can either be created
using Message MD5 or SHA
algorithms.
The public/private keys used to form the MAC algorithm could
be from another algorithm which is also used for key generation, encryptiona
and decryption, called RSA. Apart from RSA there is also a new signature standard
called DSA(Digital Signature Algorithm).DSA
is standardised in the DSS
(Digital Signature Standard). DSS uses Diffie-Hellman type algorithms
and uses SHA-1 for producing the hash code.
“Diffie – Hellman algorithm is an algorithm that allows two parties to get the
shared secret key using the communication channel, which is not protected from
the interception but is protected from modification.[7]”
Conclusion
To
summarize we saw that HTTPS is a very good protocol in terms of security. Web sites that use HTTPS are a lot more secure than
the ones which use single HTTP. Every site which carries personal and sensible
information like professional, banking or educational accounts, or shares such
infromation among the internet should be protected with HTTPS. With
the massive explosion of Internet trends and fraud,people are struggling to
submit their private information on the
web. HTTPS can strengthen the sense of protection both in theory and practise.
HTTPS has been around for a lot of years now, and is the
primary protocol used by sites that provide authorization, registration and
information storage. Some of them are Amazon, E-bay, Facebook, banks, universities
and many more. Today the web is moving towards making every connection totally
under HTTPS’s security. A bad thing of totally adapting HTTPS to the web today
with today’s technology, is that SSL’s and TLS key exchange processes, will add
time to the latency of the transactions, which means that the hole web would
become slower. For most people security is more important than speed, bearing
in mind that nowadays in most countries the connection times are really fast.
Of course internet’s security is not even close to perfection
and is still possible for some attackers to break into HTTPS. Except of some
well known cryptographic protocol vulnerabilities we studied earlier, there are
other structural ways to hack its authentication mechanism and validation for
any domain. There are still many ways to break HTTPS’s TLS and SSL security
today. Those Web's security protocols may be good enough to protect against
attackers with limited time, effort and motivation.
Nikolas Georgiou
