HTTP is the protocol of the web, and in this session we will look at HTTP from a web developer's perspective. We will cover resources, messages, cookies, and authentication protocols and we will see how the web scales to meet demand using cache headers. Armed with the fundamentals about HTTP, you will have the knowledge not only to build better Web/Mobile applications but also for consuming Web API.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Learn about the basics of Postman and APIs. If you're brand new to Postman, or new to APIs, this workshop is the first step towards becoming a proficient API user.
Android is a Linux-based operating system used for smartphone devices. Since 2008, Android devices have gained huge market share due to their open architecture and popularity. The increased popularity of Android devices and their associated primary benefits attracted malware developers. The rate of Android malware applications increased between 2008 and 2016. In this paper, we proposed a dynamic malware detection approach for Android applications. In dynamic analysis, system calls are recorded to calculate the density of the system calls. For density calculation, we used two different lengths of system calls, 3-gram and 5-gram. Furthermore, the Naive Bayes algorithm is applied to classify applications as benign or malicious. The proposed algorithm detects malware using 100 real-world samples of benign and malware applications. We observe that the proposed method gives effective and accurate results. The 3-gram Naive Bayes algorithm detects 84 malware applications correctly and 14 benign applications incorrectly. The 5-gram Naive Bayes algorithm detects 88 malware applications correctly and 10 benign applications incorrectly. Mr. Tushar Patil | Prof. Bharti Dhote "Malware Detection in Android Applications" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5, August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd26449.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/26449/malware-detection-in-android-applications/mr-tushar-patil
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience. From FIDO Alliance Seminar in Tokyo, Japan, November 2015.
The Internet was not designed to support the fast delivery of website applications. And caching does not adequately address the performance requirements of dynamic, web-based applications. In this presentation, we will go over the differences, challenges and methodology for accelerating dynamic and static/cached content with a content delivery network (CDN).
These slides were presented at the 2014 Velocity conference at the Santa Clara Convention Center in Santa Clara, CA United States
For more information please visit cdnetworks.com.
Sure, you would love to have an identity management solution for provisioning, but those frameworks are just too expensive and difficult to implement. If you’ve ever had this conversation at your organization, then this is for you.
Learn about Dell One Identity as a Service and how this newly available solution can give your organization the advantages of the big guys at a fraction of the cost and ramp up time.
Addressing nonfunctional requirements with agile practices (Mario Cardinal)
A recurring challenge with agile practices is how to address non-functional requirements. A non-functional requirement specifies "how well" the "what" must behave. They focus on characteristics such as security, maintainability, availability and performance that typically cut across functional requirements. Improperly dealing with nonfunctional requirements leads to the source code difficult to evolve or software with an unpleasant execution quality. During this session, you will learn how to specify these recurring concerns using self-contained constraints that can be satisfied iteration after iteration, in a finite period of time. Overall, you will acquire a different perspective on how to connect requirements and architecture using agile practices.
The Keys To A Successful Identity And Access Management Program: How Does You... (Dell World)
The way you implement Identity and Access Management (IAM) can make or break your security and compliance strategies. Based on Dell’s experience helping customers deploy IAM properly, we have identified common themes that run through these successful projects. In this session, one of Dell’s IAM experts will present a maturity model that will help you gauge the correct place to start your deployment, highlight the course corrections that may be necessary, and help you determine the path to IAM that’s right for you.
Today enterprise solutions adopt products and services from multiple cloud providers in order to accomplish various business requirements. This means that it is no longer sufficient to maintain user identities only in corporate LDAP. In most cases, SaaS providers also need dedicated user accounts created for the cloud service users, which raises the need of identity provisioning mechanisms to be in place.
Best Practices for Architecting a Pragmatic Web API (Mario Cardinal)
This presentation teaches how to design a real-world and pragmatic web API. It draws from the experience Mario Cardinal has gained over the years architecting many Web APIs. The presentation begins by differentiating between a Web and a REST API, and then continues with the design process. We conclude with the core learnings of the session, which is a review of the best practices when designing a web API. Armed with the skills acquired, you can expect to see significant improvements in your ability to design a pragmatic web API.
Non functional requirements. Do we really care…? (OSSCube)
Non Functional requirements are an essential part of a project's success, but sometimes they become a less focused area as everyone tries to make the project successful in terms of functionality. This recorded webinar uncovers what can happen if Non Functional requirements are not addressed properly. What are the after impacts? You also learn the importance of Non Functional requirements, their identification, implementation and verification.
Non-Functional Requirements are as important as Functional Requirements. A requirement that cannot be measured is not a requirement. NFRs are critical for successful software architecture development.
Walks through the basics of the HTTP protocol, URLs, cookies and caching, with tricks and tips that can be used by web developers. From a Geek.class I did on Oct 6, 2011 for Meet the Geeks.
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
This presentation will discuss how the Representational State Transfer (REST) architectural style can be applied to the design of your web services.
You will learn how to use HTTP methods and status codes properly and we will discuss how to use Hypermedia As The Engine Of Application State (HATEOAS). The principles of REST and HATEOAS will be demonstrated through the Atom Publishing Protocol (AtomPub) using the Google Data APIs and other AtomPub implementations as examples.
This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Abstract:
This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET, POST by crafting them manually and using a command line tool like CURL. You will also see how session management using cookies happens using the same tools.
To practice along please install curl (http://curl.haxx.se/download.html).
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori (Peter Spielvogel)
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Smart TV Buyer Insights Survey 2024 by 91mobiles (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
9. HTTP Request and response
A client sends an HTTP request to a server using a message that the server will understand.
A server responds by sending an HTTP response that the client will understand.
The request and the response are two different message types.
[Diagram: the browser client sends a Request Message to the HTTP server, which returns a Response Message]
10. Request
An HTTP request message is a simple, plain text message.
[Diagram: the browser client sends a Request Message to the HTTP server]
11. HTTP Request Message
A full HTTP request message consists of the following parts:
[method] [URL] [version]
[headers]
[body]
12. HTTP Request Method
Method    Description
GET       Retrieve a resource
PUT       Store a resource
DELETE    Remove a resource
POST      Update a resource
HEAD      Retrieve the headers for a resource
14. HTTP Request Header
Header             Description
Referer            When the user clicks on a link, the client can send the URL of the referring page in this header.
User-Agent         Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out what browser is making the request (Internet Explorer 9 versus Chrome, etc.).
Accept             Describes the media types the user agent is willing to accept. This header is used for content negotiation.
Accept-Language    Describes the languages the user agent prefers.
Cookie             Cookie information generally helps a server track or identify a user.
If-Modified-Since  Contains the date when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it has been modified since that time.
17. Response
An HTTP response message is a simple, plain text message.
[Diagram: the HTTP server returns a Response Message to the browser client]
18. HTTP Response Message
A full HTTP response message consists of the following parts:
[version] [status] [reason]
[headers]
[body]
19. HTTP Response Status Code
Range Category
100–199 Informational
100 Continue
200–299 Successful
200 OK
201 Created
204 No Content
300–399 Redirection
301 Moved Permanently
304 Not Modified
400–499 Client Error
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
500–599 Server Error
500 Internal Server Error
503 Service Unavailable
21. HTTP Response Header
Header            Description
Connection        Options that are desired for the connection.
Content-Encoding  The type of encoding used on the data.
Content-Length    The length of the response body in octets (8-bit bytes).
Content-Type      Describes the media type of this content.
Date              The date and time that the message was sent.
Expires           Gives the date/time after which the response is considered stale.
Location          Used in redirection, or when a new resource has been created.
Server            A name for the server.
22. HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 Jan 2012 04:00:08 GMT
Connection: close
Content-Length: 17151
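The two message shapes on slides 11, 18 and 22 are simple enough to parse by hand, which is the best way to see what a client or server actually has to check before trusting a message. The following is an added example, not code from the slides; the sample request and response are constructed, and the `parse_message` and `build_request` names are the example's own. The parser lower-cases header names (they are case-insensitive), refuses a message whose declared Content-Length disagrees with the body, and refuses a second Content-Length rather than picking one of them.

```python
"""Parse and build the plain-text HTTP/1.1 message shapes shown on the slides."""

# Constructed sample messages (not from the slides) in the two shapes:
# request  = [method] [URL] [version] + headers + body
# response = [version] [status] [reason] + headers + body
SAMPLE_REQUEST = (
    "GET /demo/ HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 18\r\n"
    "\r\n"
    "<html>hello</html>"
)


def parse_message(raw: str) -> dict:
    """Split a request or response into start line, headers and body.

    Header names are case-insensitive, so they are lower-cased. A declared
    Content-Length must match the body, and it may appear only once; anything
    else is rejected rather than guessed at.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("headers are not terminated by an empty line")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError("start line must have three parts: %r" % lines[0])

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        if name == "content-length" and name in headers:
            raise ValueError("duplicate Content-Length header")
        headers[name] = value.strip()

    if "content-length" in headers:
        declared = int(headers["content-length"])
        actual = len(body.encode("utf-8"))
        if declared != actual:
            raise ValueError(f"Content-Length {declared} but body has {actual} bytes")

    if start[0].startswith("HTTP/"):
        # [version] [status] [reason]  -> a response
        return {"kind": "response", "version": start[0], "status": int(start[1]),
                "reason": start[2], "headers": headers, "body": body}
    # [method] [URL] [version]  -> a request
    return {"kind": "request", "method": start[0].upper(), "url": start[1],
            "version": start[2], "headers": headers, "body": body}


def build_request(method: str, url: str, headers: dict, body: str = "") -> str:
    """Serialize a request the way a client (or curl) puts it on the wire."""
    out = [f"{method.upper()} {url} HTTP/1.1"]
    out += [f"{k}: {v}" for k, v in headers.items()]
    if body:
        out.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join(out) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(parse_message(SAMPLE_REQUEST))
    print(parse_message(SAMPLE_RESPONSE)["status"])
```

The start line is split on at most two spaces so that a reason phrase with spaces ("Not Found") survives; a server that instead tolerated a mismatched or duplicated Content-Length would be letting the client decide where one message ends and the next begins.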
23. Resources and media types
When a host responds to an HTTP request, it returns a resource (content).
The host also specifies the content type (also known as the media type) of the resource.
Media types are defined using Multipurpose Internet Mail Extensions (MIME):
"text/html"
"image/jpeg"
"text/xml"
"application/json"
24. Content negotiation
Content negotiation is part of what makes HTTP great.
Request message
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
Response message
Content-Type: text/html; charset=utf-8
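The Accept header above carries quality weights (q values) and wildcards, and the server has to combine them with the representations it actually has. The following is an added example of that server-side choice, not code from the slides; the function names are the example's own, and the only input taken from the slide is its Accept header. It goes beyond the slide's single case by handling `type/*` and `*/*` ranges, specificity (an exact type beats a wildcard), and `q=0`, which means "never send this".

```python
from typing import List, Optional, Tuple

# The Accept header from the slide's request message.
SLIDE_ACCEPT = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"


def parse_accept(value: str) -> List[Tuple[str, float]]:
    """Turn an Accept header into (media-range, q) pairs; q defaults to 1 and is clamped to 0..1."""
    prefs = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        media, *params = (p.strip() for p in part.split(";"))
        q = 1.0
        for param in params:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(max(float(val.strip()), 0.0), 1.0)
                except ValueError:
                    q = 0.0  # unparseable weight: treat the range as not acceptable
        prefs.append((media.lower(), q))
    return prefs


def _matches(pattern: str, media: str) -> bool:
    ptype, _, psub = pattern.partition("/")
    mtype, _, msub = media.partition("/")
    return (ptype == "*" or ptype == mtype) and (psub == "*" or psub == msub)


def _specificity(pattern: str) -> int:
    """type/subtype (2) beats type/* (1) beats */* (0) when several ranges match."""
    if not pattern.endswith("/*"):
        return 2
    return 0 if pattern.startswith("*/") else 1


def choose_representation(accept: Optional[str], available: List[str]) -> Optional[str]:
    """Server side of content negotiation: pick the available media type the client
    weights highest. Ties go to the server's own order. None means nothing the
    server has is acceptable, which is what 406 Not Acceptable is for."""
    prefs = parse_accept(accept) if accept else [("*/*", 1.0)]
    best, best_q = None, 0.0
    for media in available:
        q, best_spec = 0.0, -1
        for pattern, pq in prefs:
            spec = _specificity(pattern)
            if spec > best_spec and _matches(pattern, media.lower()):
                q, best_spec = pq, spec
        if q > best_q:
            best, best_q = media, q
    return best


if __name__ == "__main__":
    print(choose_representation(SLIDE_ACCEPT, ["application/json", "text/html"]))
```

With the slide's header and a server that can produce JSON or HTML, HTML wins (q=1 against the `*/*;q=0.8` that JSON falls under); offer only JSON and PNG and the server still answers, because `*/*` makes both acceptable at 0.8.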
28. HTTP Request and Caching
Request
GET … HTTP/1.1
If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT
Response
HTTP/1.1 304 Not Modified
Expires: Sat, 22 Jan 2022 17:16:19 GMT
Cache-Control: max-age=315360000,public
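The exchange on this slide has two halves: the server deciding between 304 and 200 from If-Modified-Since, and a client or cache deciding from max-age and Expires whether it may skip the request altogether. The following is an added example covering both, not code from the slides; the resource, its body and the dates are constructed (its Last-Modified is set to the date in the slide's If-Modified-Since header so that the 304 path is exercised), and the `handle_get` and `is_fresh` names are the example's own.

```python
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed resource (not the slides'): its Last-Modified is the date the slide's
# If-Modified-Since header carries, so a client holding that copy gets a 304.
RESOURCE = {
    "body": b"<html>demo</html>",
    "last_modified": datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc),
}
TEN_YEARS = 315360000  # the max-age value on the slide, in seconds


def http_date(dt: datetime) -> str:
    """IMF-fixdate as used by Date, Expires and Last-Modified, e.g. 'Wed, 25 Jan 2012 17:55:15 GMT'."""
    return formatdate(dt.timestamp(), usegmt=True)


def _parse_date(value: str) -> Optional[datetime]:
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # malformed date: ignore the validator rather than guess
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def handle_get(request_headers: Dict[str, str], resource: dict, now: datetime,
               max_age: int = TEN_YEARS) -> Tuple[int, Dict[str, str], bytes]:
    """Server side of the slide: 304 Not Modified when the client's copy is still
    current, otherwise 200 with the body. Both answers carry the freshness headers."""
    headers = {
        "Last-Modified": http_date(resource["last_modified"]),
        "Cache-Control": f"max-age={max_age},public",
        "Expires": http_date(now + timedelta(seconds=max_age)),
    }
    lowered = {k.lower(): v for k, v in request_headers.items()}
    since = _parse_date(lowered["if-modified-since"]) if "if-modified-since" in lowered else None
    if since is not None and resource["last_modified"] <= since:
        return 304, headers, b""
    return 200, headers, resource["body"]


def is_fresh(response_headers: Dict[str, str], stored_at: datetime, now: datetime) -> bool:
    """Client/cache side: may the stored copy be reused without asking the server?
    Cache-Control max-age takes precedence over Expires; no-store and no-cache never allow reuse."""
    directives = {}
    for item in response_headers.get("Cache-Control", "").split(","):
        name, _, val = item.strip().partition("=")
        directives[name.lower()] = val.strip()
    if "no-store" in directives or "no-cache" in directives:
        return False
    if directives.get("max-age", "").isdigit():
        return now - stored_at < timedelta(seconds=int(directives["max-age"]))
    expires = _parse_date(response_headers.get("Expires", ""))
    return expires is not None and now < expires


if __name__ == "__main__":
    now = datetime(2012, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
    status, hdrs, body = handle_get(
        {"If-Modified-Since": "Wed, 25 Jan 2012 17:55:15 GMT"}, RESOURCE, now)
    print(status, hdrs["Cache-Control"], len(body))
```

Note the asymmetry: the server's 304 decision is a comparison of two timestamps with one-second resolution, so the client must send back exactly the Last-Modified value it was given, while a cache's freshness decision never contacts the server at all, which is why a ten-year max-age on a response that later turns out to be wrong is so hard to undo.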
29. Cookies
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; domain=.mywebsite.com; path=/; HttpOnly
30. Identification and Cookies
There is a size limitation of 4 KB.
Many websites only put in a unique identifier for a user:
HTTP/1.1 200 OK
Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly
31. Identification and Cookies
Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request.
GET / HTTP/1.1
Host: msn.com
Cookie: GUID=00a48b7f6a4946a8adf593373e53347c
32. Downsides to cookies
They interfere with caching: any response with a Set-Cookie header should not be cached, at least not the headers, since this can interfere with user identification and create security problems.
They transmit data with every request: large cookies raise demand for network bandwidth.
A cookie should never store sensitive information.
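The three downsides on slides 30 to 32 (the 4 KB limit, Set-Cookie on a cacheable response, sensitive data in a cookie) are all visible in the response headers, so they can be checked mechanically. The following is an added example of such a check, not code from the slides; the sample responses are constructed apart from the GUID cookie taken from slide 30, the watch-list of sensitive-looking names is hypothetical, and the function names are the example's own. It also reports a missing HttpOnly flag, which every cookie on the slides sets, and a missing Secure flag, which keeps the cookie off plain HTTP connections.

```python
from typing import Dict, List, Tuple

COOKIE_SIZE_LIMIT = 4096  # the 4 KB limit the slide mentions
# Hypothetical watch-list of cookie names that suggest sensitive data is stored client-side.
SENSITIVE_NAME_HINTS = ("password", "passwd", "secret", "ssn", "card")

# Constructed response headers (not from the slides), apart from the GUID cookie on slide 30.
SAMPLE_HEADERS_BAD = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "password=hunter2; path=/"),
    ("Set-Cookie", "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly"),
    ("Cache-Control", "public, max-age=3600"),
]
SAMPLE_HEADERS_GOOD = [
    ("Set-Cookie", "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; HttpOnly; Secure"),
    ("Cache-Control", "private, no-store"),
]


def parse_set_cookie(value: str) -> dict:
    """Split 'name=value; attr=val; Flag' into the pair and a lower-cased attribute map."""
    first, *rest = (p.strip() for p in value.split(";"))
    name, _, val = first.partition("=")
    attrs: Dict[str, str] = {}
    for item in rest:
        if item:
            k, _, v = item.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": val.strip(), "attributes": attrs}


def audit_response(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return findings as (code, cookie name) pairs; '*' names the whole response."""
    findings = []
    raw_cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    cache_control = ",".join(v for k, v in headers if k.lower() == "cache-control").lower()
    directives = {d.strip().partition("=")[0] for d in cache_control.split(",")}
    # Slide 32: a response that sets a cookie must not land in a shared cache.
    if raw_cookies and not ({"private", "no-store"} & directives):
        findings.append(("cacheable-set-cookie", "*"))
    for raw in raw_cookies:
        cookie = parse_set_cookie(raw)
        name = cookie["name"]
        if len(raw.encode("utf-8")) > COOKIE_SIZE_LIMIT:          # slide 30: 4 KB limit
            findings.append(("oversized", name))
        if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):  # slide 32
            findings.append(("sensitive-name", name))
        if "httponly" not in cookie["attributes"]:               # flag used on every slide
            findings.append(("missing-httponly", name))
        if "secure" not in cookie["attributes"]:                 # extra check, not on the slides
            findings.append(("missing-secure", name))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS_BAD):
        print(*finding)
    print("good response:", audit_response(SAMPLE_HEADERS_GOOD))
```

The name-based check is only a hint (a cookie called `GUID` can carry anything); the size and cache checks are exact, and the cache one is the cheapest to get wrong, since a CDN in front of the server will happily store a `public` response together with its Set-Cookie header.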
33. Connection
[Diagram: the browser client and the HTTP server exchange HTTP messages over TCP (Transport), IP (Network) and Ethernet (Data Link) across the shared media]
34. Network Debugging
Observe the TCP handshake and IP headers: http://www.wireshark.org/
Observe and manipulate HTTP requests and responses: http://www.telerik.com/fiddler
35. Security
Authentication: the process by which a client proves its identity to the server.
Basic
Digest
Windows
Form-based
36. Basic Authentication
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="localhost"
The WWW-Authenticate header tells the client to collect the user credentials and try again.
The realm attribute gives the user agent a string it can use as a description for the protected area.
What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
37. Basic Authentication
Request
GET http://localhost/Demo/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
The value of the Authorization header is the client's username and password in base 64 encoding.
Basic authentication is insecure by default.
38. Digest Authentication
Digest authentication is an improvement over basic authentication because it does not transmit user passwords using base 64 encoding. The client must send a digest of the password.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="localhost", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
Still vulnerable to man-in-the-middle attacks in which someone is sniffing network traffic.
39. Windows Authentication
Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Windows Authentication has the advantage of being secure even without using secure HTTP.
It requires Microsoft products and servers (Active Directory).
40. Form-based Authentication
Forms authentication is the most popular approach to user authentication over the Internet.
It is not a standard authentication protocol and doesn't use the WWW-Authenticate or Authorization headers.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Location: /Login.aspx?ReturnUrl=/demo/
Response
HTTP/1.1 302 Found
Location: /demo/
Set-Cookie: .ASPXAUTH=9694BAB... path=/demo/; HttpOnly
Still vulnerable to session hijacking in which someone is sniffing network traffic.
41. Security
Authorization: the process by which a server determines if the client has permission to use a resource.
42. 403 Forbidden HTTP status
A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource.
It indicates that the server can be reached and understood the request, but refuses to take any further action.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Sat, 14 Jan 2012 04:00:08 GMT
Content-Length: 251
{
"code": 123,
"description": "You are not allowed to read this resource"
}
43. 401 Unauthorized HTTP status
401 Unauthorized is the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
I would expect 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with authentication, has the accompanying text "Unauthorized".
Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again."
To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
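The distinction on slides 42 and 43 is easy to state and easy to get wrong in code, because both answers come from the same place: after the server has tried to identify the caller. The following is an added example of a handler that makes the decision in the right order, not code from the slides; the session store and access list are constructed, the session id stands in for the `.ASPXAUTH` value a form-based login (slide 40) would issue, and the function names are the example's own. A request with no session or a session the server does not recognise gets 401 with a WWW-Authenticate header; a recognised user who is not permitted gets 403 and no challenge, since re-authenticating would not help.

```python
from typing import Dict, Optional, Tuple

# Constructed session store and permissions (not from the slides). The session id is
# made up; it stands in for the .ASPXAUTH cookie value a form-based login would set.
SESSIONS = {"9694BAB0-constructed-session": "alice"}
ACL = {"/demo/": {"alice"}, "/reports/": {"bob"}}
JSON = "application/json; charset=utf-8"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; a Cookie header carries only pairs, no attributes."""
    jar = {}
    for pair in value.split(";"):
        name, eq, val = pair.strip().partition("=")
        if eq and name:
            jar[name.strip()] = val.strip()
    return jar


def current_user(headers: Dict[str, str]) -> Optional[str]:
    """Map the session cookie to a user; a missing or unknown id means 'not authenticated'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    session_id = parse_cookie_header(lowered.get("cookie", "")).get(".ASPXAUTH")
    return SESSIONS.get(session_id) if session_id else None


def respond(headers: Dict[str, str], path: str) -> Tuple[int, Dict[str, str], dict]:
    """401 when the server does not know who is asking (and it says how to authenticate);
    403 when it does know and still refuses, so no challenge header is sent."""
    user = current_user(headers)
    if user is None:
        return (401,
                {"WWW-Authenticate": 'Basic realm="localhost"', "Content-Type": JSON},
                {"code": 401, "description": "Authentication required"})
    if user not in ACL.get(path, set()):
        return (403,
                {"Content-Type": JSON},
                {"code": 123, "description": "You are not allowed to read this resource"})
    return 200, {"Content-Type": JSON}, {"code": 0, "description": "OK"}


if __name__ == "__main__":
    print(respond({}, "/demo/")[0])
    print(respond({"Cookie": ".ASPXAUTH=9694BAB0-constructed-session"}, "/reports/")[0])
```

The one case worth a second look is the forged or expired session id: it must fall into the 401 branch, not the 403 one. Answering 403 there would tell the caller that the id was understood as belonging to someone, which it was not.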
44. Security
Encryption: the process of transforming data so that it is unreadable by anyone who does not have a decryption key.
Secure HTTP (TLS)
45. Secure HTTP (TLS)
Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly, over the Internet.
You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.
TLS is the successor to the Secure Sockets Layer (SSL).
46. Secure HTTP (TLS)
[Diagram: as on slide 33, but with a TLS (SSL) encryption layer between HTTP and TCP on both the browser client and the HTTP server]
47. Secure HTTP (SSL)
All traffic over HTTPS is encrypted, in the request and in the response.
HTTPS requires a server to have a cryptographic certificate. Administrators have to purchase and install certificates from certificate authorities like Verisign.
The server is authenticated to the client thanks to the server certificate. The certificate is sent to the client during setup of the HTTPS communication. The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to.
The validation is all made possible using public key cryptography and the existence of certificate authorities that will sign and vouch for the integrity of a certificate.
HTTPS does not authenticate the client. Applications still need to implement forms or Basic authentication.
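The server authentication this slide describes only happens if the client actually validates the certificate and checks that it names the host. The following is an added example of the weak client setting beside the corrected one, using Python's standard `ssl` module; it is not code from the slides, and the function names are the example's own. `context_problems` is the check a reviewer would run over any HTTPS client configuration.

```python
import http.client
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak setting: the client accepts any certificate for any host name,
    so an impostor with any certificate at all gets the same encrypted session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: require a certificate chaining to a trusted CA (the system
    bundle, or the file given in cafile) and check that it names the host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_problems(ctx: ssl.SSLContext) -> List[str]:
    """List what in a client context would let an impostor through; empty means none found."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if not ctx.check_hostname:
        problems.append("host name not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 allowed")
    return problems


def fetch(host: str, path: str, ctx: ssl.SSLContext) -> int:
    """Issue a GET over HTTPS and return the status code. With a verifying context the
    handshake raises ssl.SSLError when the certificate does not check out."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("insecure:", context_problems(insecure_context()))
    print("verified:", context_problems(verified_context()))
```

Note what the weak context still provides: the traffic is encrypted, the lock icon would appear, and nothing in the application layer can tell the difference. Only the verification step ties the session to the server the URI names, which is the property the slide is describing.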
48. Do not hesitate to contact me
mcardinal@mariocardinal.com
@mario_cardinal
Q & A