HTTP Vs HTTPS, All About SSL handshake
Upcoming SlideShare
Loading in...5
×
 

HTTP Vs HTTPS, All About SSL handshake

on

  • 1,466 views

 

Statistics

Views

Total Views
1,466
Views on SlideShare
1,432
Embed Views
34

Actions

Likes
3
Downloads
81
Comments
0

1 Embed 34

http://ssl-layer.blogspot.com 34

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

HTTP Vs HTTPS, All About SSL handshake HTTP Vs HTTPS, All About SSL handshake Presentation Transcript

  • By:
  • FLOW :What is Internet.OSI Model & TCP/IP Model.HTTP Protocol.HTTPS Protocol.Conclusion.
  • INTERNET Want to meet new people, do exciting things,shop at convenience, explore new world? Wantto stay at home too? You can do simultaneously ,when you go online. The Internet is a global system of interconnectedcomputer networks WWW, email, social networking, file transfer,online chat, commerce, teleconferencing, VoIP,video on demand etc. Internet is tangible network of computerssharing/exchanging information with the help ofPROTOCOLS.
  • Internet ProtocolsProtocol is a form of etiquette. Prescribed guide for conduct or actionComputers have to know in advance exactly how information is to beexchanged and precisely what the format will beInternet Protocols are the standards ,designed to specify howcomputers interact and exchange messages over internet.Protocols usually specifies:− The format of the messages.− How to handle errors.
  • OSI MODEL
  • TCP/IP ModelThis model is a condensed versionof the OSI model and only hasfour layers.TCP/IP Protocols are consideredto be standards around which theinternet has been developed. TheOSI model however is a "generic,protocol- independent standard.”
  • HTTPHTTP stands for HypertextTransfer Protocol.HTTP provides a set of rules andstandards that govern howinformation is transmitted onthe World Wide Web.Computers on the World WideWeb use the HyperText TransferProtocol to talk with each otherhttp://www.google.co.inThe first part of an address(URL) of a site on the Internet,signifying a document written inHypertext Markup Language(HTML).
  • HTTP is a client-server protocol by which two machinescommunicate using a reliable, connection-orientedtransport service such as the TCP.A browser is an HTTP client because it sends requests to anHTTP server (Web server), which then sends responses back tothe clientAn HTTP server is a program that sits listening on a machinesport for HTTP requests.The standard (and default) port for HTTP servers to listen on is80, though they can use any port.
  • HTTP is stateless. The lifetime of a connection corresponds to a singlerequest-response sequenceAn HTTP client opens a tcp/ip connection to the server via a socket,transmits a request for a document, then waits for a reply from the server.Once the request-response sequence is completed, the socket is closed.There is no "memory" between client connections.The pure HTTP server implementation treats every request as if it wasbrand-new.
  • How HTTP WorksHTTP Server is implemented by Apache HTTP Server · Microsoft IIS ·Jigsaw · Zope etc.Each client-server transaction, whether a request or a response,consists of three main partsA response or request lineHeader informationThe body
  • Advantages of HTTPPlatform independent- Allows Straight cross platform porting.No Runtime support required to run properly.Usable over Firewalls! Global applications possible.Not Connection Oriented- No network overhead to create andmaintain session state and information.
  • HTTP LimitationsSecurity ConcernsPrivacy -Anyone can see contentIntegrity -Someone might alter content. HTTP is insecure since no encryptionmethods are used. Hence is subject to man in the middle and eavesdroppingof sensitive information.Authentication -Not clear who you are talking with. Anyone who intercepts therequest can determine the username and password being used.Stateless - Need State management techniques to maintain the informationacross multiple request-response cycles.
  • HTTPSHTTPS stands for HypertextTransfer Protocol over SecureSocket Layer, or HTTP over SSL.SSL acts like a sub layer underregular HTTP applicationlayering.HTTPS encrypts an HTTPmessage prior to transmissionand decrypts a message uponarrival.
  • HTTPSHTTPS by default uses port 443 as opposed to the standard HTTP portof 80.URLs beginning with HTTPS indicate that the connection betweenclient and browser is encrypted using SSLe.g.: https://login.yahoo.com/config/login_verify2?&.src=ymSSL transactions are negotiated by means of a key based encryptionalgorithm between the client and the server, this key is usually either40 or 128 bits in strength (the higher the number of bits the moresecure the transaction).
  • Need SSL if… you have an online store or accept online orders and credit cards you offer a login or sign in on your site you process sensitive data such as address, birth date, license, or ID numbers you need to comply with privacy and security requirementsCertification Authority (CA) is an entity that issues digital certificates for useby other parties. It is an example of a trusted third party.e.g. VeriSign, Thwate, Geotrust etcAbility to connect to server via HTTP secure consists of: Generating key Generating certificate signing request Generating self signed certificate Certificate Authority signed certificate Configuring web server.
  • SSL Diagram When any modern browser is installed, it is sentwith several CA issuer certificates. These issuercertificates contain a public key for the issuer,among other information. When a web designer decides to use SSL heneeds to purchase a certificate that is signedusing the CAs private key. The web browser starts a connection to anHTTPS site. Along with this request the clientsends all supported encryption schemes. As a response to the browsers connectionrequest, the Server sends a copy of the certificatefrom step 2. Along with this transmission is theservers answer to the encryption negotiation. Once a certificate is downloaded, the signatureof the certificate (that was signed using the CAsprivate key) is checked using the CAs public key(installed in the browser in step 1. The connection succeeds, the client can nowdownload and upload to the web site with thesecurity of encryption.
  • Part One: SSL Handshake
  • Part Two: Transfer of Confidential Information
  • Part Three: Secure Session Closure
  • How SSL Overcomes HTTP Security ConcernsSecure Sockets Layer technology protects your Web site and makes iteasy for your Web site visitors to trust you in three essential ways:Privacy An SSL Certificate enables encryption of sensitive information during onlinetransactions.Integrity. A Certificate Authority verifies the identity of the certificate owner when it is issued.Authentication. Each SSL Certificate contains unique, authenticated information about thecertificate owner.
  • Limitations of HTTPS HTTPS cannot prevent stealing confidential information from the pagescached on the browser. Since in SSL data is encrypted only during transmission on the network, it is inclear text in the browser memory HTTPS is slightly slower than HTTP. HTTPS adds computational overhead as well as network overhead.
  • ConclusionThe HTTP network protocol is fundamental to the way the WorldWide Web works, and the encryption involved in HTTPS adds anessential layer if confidential information or sensitive data are to beexchanged over the public internet.Hence, If a website ever asks you to enter your credit cardinformation, you should automatically look to see if the web addressbegins with https://. If it doesnt, theres no way youre going to entersensitive information like a credit card number!
  • Online Bibliographywww.wikipedia.comCGI White Paper : Public Key Encryption and Digital Signatureswww.kannel.orgWorld Wide Web Consortium (W3C)www.di-mgt.com: RSA Algorithm