Friday, 8 February 2013

HTTPS


HTTP Secure
Introduction
“Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.”[1]
HTTPS is an extension of the existing HTTP protocol combined with SSL/TLS protocols for adding security to Web communications. It was created by Netscape Communications  for its Netscape Navigator web browser. The RFC document states the origin of the currently used protocol from back to 2000.[2] HTTP alone was and is too insecure and is vulnerable to man-in-the-middle and eavesdropping attacks, therefore access to website accounts and sensitive information can take place. HTTPS was designed to provide security against such attacks. It brought a lot of new enhancements of security in comparison to HTTP. It can give extra independent security measures, authentication, confidentiality and integrity in web transactions. This new protocol is flexible in using cryptography, key management and security policies. It is very common today and widely used.

The Record Protocol works at a lower level in the transport layer. It can be layered amongst a
TLS also aims to achieve interoperability, extensibility and efficiency.
Interoperability for enabling programmers to develop applications without knowing one another’s code. Extensibility to avoid the need of creating a new security library when developing a new protocol. Finally TLS tries to improve efficiency and speed. All this cryptographic and key exchanging mechanisms make use of a lot of resources and CPU power. By using a caching memory, it tries to remember some connections so that it could avoid re-establishing those all over from the start.[4]

 
Differences between HTTP and HTTPS
The most obvious and well known difference amongst all users is that HTTP transactions begin with a http://” URL and HTTPS with a “https://” one. HTTP uses port 80 and HTTPS port 443. HTTPS works by transmitting normal HTTP packets through an encrypted system, so that the information cannot be intercepted by a third party other than the client and server.
In case you are accessing sensitive sites like your banking account or email, many websites offer an HTTPS connection to make sure no one can directly eavesdrop on your data. The HTTPS security protocol operates at a lower layer, the one of data transmission, rather than HTTP which operates in the highest one, the Application layer. The new protocol achieves higher security by using techniques such as Signature/Certificate validation, key exchanging, encryption and Message integrity.

SSL/TLS protocols
“Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).”[3]
SSL stands for Secure Sockets Layer.
SSL is an Internet security protocol mainly used by web applications such as Internet browsers and Web servers to transmit sensitive information via public-key encryption. Originally HTTPS was used over SSL protocol, but later SSL was merged with TLS to form a new standard, and nowadays the protocol uses also TLS’s security.
SSL comes in two options, simple and mutual.
The mutual version is more secure, but requires users to install a personal certification scheme in their browser in order to authenticate themselves. Whatever option is used, the level of protection is mostly up to the application used, the web browser’s and server software. Both of them should support cryptographic algorithms in order to totally exploit SSL’s capabilities.
In mutual authentication, the session is managed by the first server that establishes the connection. With mutual SSL or TLS, security reaches its maximum capabilities, but on the client-side, there is no way to properly terminate the SSL connection except by closing all related client applications or waiting for the SSL server session to expire.
SSL allows websites to be indexed using a software called web crawler, that searches the World Wide Web. In some cases the URI (Uniform Resource Identification)of the encrypted resource can be reffered to by only knowing  the intercepted request packet size. This allows an attacker to have access to both the plaintext and the cyphertext permitting him to carry a cryptographic attack. Cyphertext is the encrypted version of the plaintext transmitted.
Because SSL operates in a lower layer than HTTP, and is unaware of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP-port address combination. This means that, in most cases, it is not manageable to send the name of the virtual host via HTTPS. This problem was later overcomed as new web browsers support now an extension called Server Name Indication (SNI) which sends the hostname to the server before encrypting the connection.SNI allows  the server software to choose earlier for the correct virtual domain and present the web browser with the right certificate.
TLS stands for Transport Layer Security.
TLS protocol is composed of two layers, the TLS Record Protocol and the TLS Handshake Protocol. 

TCP/IP protocol to make it more reliable. This protocol uses symmetric cryptography for data encryption(DES,RC4).The Handshake Protocol secretly generates unique keys used for Record Protocol’s cryptography. The Record Protocol can also be used without encryption because it provides reliable connections using message integrity check, MAC along with secure hash functions(SHA,MD5).
HTTPS Security techniques

Signature-Certificates
A web server using TLS is authenticated by a web browser, so that the user can feel secure that his/her interaction within a specific domain will not be intercepted by eavesdroppers and that the web site represents what it claims and shows to be. In practice, a web site operator obtains a signed certificate by applying to a certificate provider known as commercial retailer of certificates. Such certificate requests are electronic documents that contain information such as  web site’s name, company and contact detail’s, registered location and more. Such providers inspect the information provided and sign the request if everything is valid, and produce a public certificate. When a user browses the web, this public certification scheme validates and identifies wherever a web site accessed by any web browser is safe and a certificate has been issued for it.

Key exchange and encryption
SSL allows a proxy server to act as a link between the client and the server. SSL runs higher than TLS, at the application layer and provides secure exchange of data such as bank account details, between a client and a server. SSL uses certificates, private and public key exchange mechanisms and key agreements to provide privacy. Authentication and integrity are achieved by using Message Authentication Code (MAC).This is basically an algorithm used for ensuring data integrity and authenticity. The information handled by this code is known as a Cypher Suite and exists within a Public Key Infrastructure (PKI).
PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet.[6]

Message Integrity
In order to ensure that a message has not been interfered with between the sender and recipient, an encoded data (or hash code),is applied to the message and attached to it. This code stream is of fixed length value and therefore it cannot be easily reversed. The hash code is encrypted to form the MAC algorithm, using the sender’s private key, and then it is decrypted at the other side by using the sender's public key. The new encrypted message can either be created using Message MD5 or SHA algorithms.

The public/private keys used to form the MAC algorithm could be from another algorithm which is also used for key generation, encryptiona and decryption, called RSA. Apart from RSA there is also a new signature standard called DSA(Digital Signature Algorithm).DSA is standardised in the DSS (Digital Signature Standard). DSS uses Diffie-Hellman type algorithms and uses SHA-1 for producing the hash code.
“Diffie – Hellman algorithm is an algorithm that allows two parties to get the shared secret key using the communication channel, which is not protected from the interception but is protected from modification.[7]”

Conclusion
To summarize we saw that HTTPS is a very good protocol in terms of security. Web sites that use HTTPS are a lot more secure than the ones which use single HTTP. Every site which carries personal and sensible information like professional, banking or educational accounts, or shares such infromation among the internet should be protected with HTTPS. With the massive explosion of Internet trends and fraud,people are struggling to submit  their private information on the web. HTTPS can strengthen the sense of protection both in theory and practise.
HTTPS has been around for a lot of years now, and is the primary protocol used by sites that provide authorization, registration and information storage. Some of them are Amazon, E-bay, Facebook, banks, universities and many more. Today the web is moving towards making every connection totally under HTTPS’s security. A bad thing of totally adapting HTTPS to the web today with today’s technology, is that SSL’s and TLS key exchange processes, will add time to the latency of the transactions, which means that the hole web would become slower. For most people security is more important than speed, bearing in mind that nowadays in most countries the connection times are really fast.
Of course internet’s security is not even close to perfection and is still possible for some attackers to break into HTTPS. Except of some well known cryptographic protocol vulnerabilities we studied earlier, there are other structural ways to hack its authentication mechanism and validation for any domain. There are still many ways to break HTTPS’s TLS and SSL security today. Those Web's security protocols may be good enough to protect against attackers with limited time, effort and motivation.

Nikolas Georgiou