Tuesday, March 22, 2011


What is HTTPS? Why isn't it used for all connections?

A few days ago I mentioned HTTPS in passing in the post on the Risks of Cloud Computing. It is a system that, most of the time, works invisibly for the user. But let's start at the beginning.

What is HTTP?

This abbreviation stands for HyperText Transfer Protocol, and it is one of the pillars on which today's web (the World Wide Web) rests.

Put plainly and simply, HTTP is a language of questions and answers that carries the information on the web. So when I want to visit a website, my computer looks up the server's address in the DNS and sends it a request, and the server responds by sending back the requested information, if it has it. That simple, and that vital.

HTTP is a stateless protocol, that is, it keeps no information about the user making the request. And these days many web applications need to recognize our state (who we are, what we have done on the site, etc.). To fix this there are cookies (a concept I owe you an upcoming post on, regarding the new EU regulation on privacy): small pieces of data that the web server stores on the client computer and that the client sends back with every later request. To give you an idea, when you open your email from your computer it may recognize you as a user (and ask only for your password) or let you straight in. That is thanks to a cookie sent along with the request, carrying that data.

How safe is HTTP?

Well, mainly, someone may be listening to that request (to which we have attached a cookie with our information), either passively (eavesdropping) or actively (a man-in-the-middle attack), because our message passes through many points on its way. Even if the information is encrypted, an intermediary who manages to replace the public key used by the server with his own can read and modify the messages and become the real recipient of the private information.

For example, imagine online banking with no protection (relax, this no longer exists):
  1. Juan wants to talk to his Bank to obtain information, and a Thief is sitting on the path between them.
  2. To start the conversation, Juan asks the Bank for the public key it uses.
  3. The Thief intercepts the Bank's response.
  4. The Thief rewrites the message, substituting a different public key (his own), and sends it to Juan while posing as the Bank.
  5. Juan believes the response came from the Bank and replies by sending his private credentials (the password) encrypted to the Thief's key.
  6. The Thief recovers Juan's password and can now start the real process with the Bank himself.
Beware of Firesheep and public networks

I never tire of saying it: using a sniffer was already not very complicated a few years ago (I tried it myself, capturing my own Messenger conversations with Wireshark and a plugin), and now it is downright simple with applications such as Firesheep, a Firefox extension with which we can capture the session cookies, and with them the logged-in sessions, of anyone using our network or a public network.
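The following is an added example, not code from the original post. It shows what the cookie described in the HTTP section looks like to a sniffer such as Firesheep on a shared network: a cleartext HTTP request exposes the session cookie, while the same request inside a TLS record exposes nothing. The two captured payloads, the host name and the list of session cookie names are all constructed for this example.

```python
"""Added example (not from the original post): what a sniffer like Firesheep
sees on a shared network.  The "capture" below is constructed by hand: two
TCP payloads, one plain HTTP request carrying a session cookie and one TLS
record, which is what the same request looks like over HTTPS."""
import re

# Constructed sample payloads, as a sniffer would reassemble them from the wire.
CAPTURED_PAYLOADS = [
    # Plain HTTP: headers are readable, the cookie rides along in the clear.
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: session_id=4f9a2c7e1b; lang=es\r\n"
    b"User-Agent: Firefox/3.6\r\n\r\n",
    # Same kind of request over HTTPS: a TLS record (type 0x17 = application
    # data, version 0x0301); everything after the 5-byte header is ciphertext.
    b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xa0)),
]

# Hypothetical list of cookie names this sniffer treats as session tokens.
SESSION_COOKIE_NAMES = {"session_id", "PHPSESSID", "JSESSIONID", "sid"}

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def parse_http_headers(payload: bytes):
    """Return the header dict of a cleartext HTTP request, or None if the
    payload is not one (e.g. a TLS record, which starts with a content-type byte)."""
    if not REQUEST_LINE.match(payload):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace")
    return headers


def hijackable_sessions(payloads):
    """Return (host, cookie_name, cookie_value) for every session cookie sent in the clear."""
    found = []
    for payload in payloads:
        headers = parse_http_headers(payload)
        if headers is None or "cookie" not in headers:
            continue
        host = headers.get("host", "?")
        for pair in headers["cookie"].split(";"):
            name, _, value = pair.strip().partition("=")
            if name in SESSION_COOKIE_NAMES:
                found.append((host, name, value))
    return found


if __name__ == "__main__":
    for host, name, value in hijackable_sessions(CAPTURED_PAYLOADS):
        print(f"{host}: {name}={value}  (replaying this cookie logs in as the victim)")
```

Replaying the captured `session_id` value in a new request is all Firesheep needs to do to "become" the victim; the TLS payload yields nothing because the headers, cookie included, are inside the encrypted part of the record.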
What is HTTPS?

It is a way to create a secure communication channel over an insecure network. To do so, the communication relies on a Certificate Authority that we trust.

What are the security improvements of HTTPS?

Well mainly:

1. We have a browser that recognizes the certificate authority.

VeriSign or Microsoft, to give a couple of examples, are certificate authorities for HTTPS connections. Your browser relies on them to verify that the site we are sending the request to really is who it claims to be (for example, that the Bank is the Bank and not the Thief).

The browser address bar usually shows a different icon when we are on an HTTPS connection. Clicking on it gives us additional information about the certificate and the authority that issued it.

2. The site we access obtains a public key certificate.

Thus, if the public key presented is not certified by an authority the browser trusts (or the certificate is issued for a different name, or has expired), the browser displays a warning.
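The following is an added example, not code from the original post. It plays out the bank scenario from the "How safe is HTTP?" section (the Thief swapping in his own public key) with a toy textbook RSA, and then repeats it with the Bank's key wrapped in a certificate signed by a CA the browser trusts, which is the check described in points 1 and 2 above. The primes, the name `bank.example` and the password are assumptions of the example; the RSA is unpadded and far too small for real use.

```python
"""Added example (not from the original post): the key-substitution attack of
the bank scenario, and how a certificate signed by a trusted Certificate
Authority lets the browser detect it.  Toy textbook RSA with small fixed
primes and no padding, for illustration only: never use it for real traffic."""
import hashlib

E = 65537


def make_key(p, q):
    """Toy RSA key pair from two fixed primes (real keys use ~1024-bit random primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def encrypt(pub, data: bytes) -> int:
    m = int.from_bytes(data, "big")
    assert m < pub["n"], "toy RSA: message must be shorter than the modulus"
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c: int) -> bytes:
    m = pow(c, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def cert_digest(subject: str, pub) -> bytes:
    # Hash of (subject, public key); truncated to 7 bytes so it fits the toy modulus.
    return hashlib.sha256(f"{subject}|{pub['n']}|{pub['e']}".encode()).digest()[:7]


def ca_sign(ca_priv, subject, pub):
    """The CA issues a 'certificate': subject, public key and a signature over both."""
    sig = pow(int.from_bytes(cert_digest(subject, pub), "big"), ca_priv["d"], ca_priv["n"])
    return {"subject": subject, "pub": pub, "sig": sig}


def browser_verifies(ca_pub, cert, expected_subject) -> bool:
    """What the browser does with a CA it already trusts: check subject and signature."""
    if cert["subject"] != expected_subject:
        return False
    recovered = pow(cert["sig"], ca_pub["e"], ca_pub["n"])
    return recovered == int.from_bytes(cert_digest(cert["subject"], cert["pub"]), "big")


# Fixed toy primes (an assumption of this example); each party gets its own pair.
BANK_PUB, BANK_PRIV = make_key(1000000007, 1000000009)
THIEF_PUB, THIEF_PRIV = make_key(998244353, 2147483647)
CA_PUB, CA_PRIV = make_key(2305843009213693951, 2147483647)
PASSWORD = b"hunter2"   # Juan's constructed password


def scenario_without_ca():
    """Steps 2 to 6 of the post: Juan trusts whatever public key arrives."""
    bank_answer = BANK_PUB                          # steps 2-3: the Bank sends its key...
    juan_receives = THIEF_PUB                       # step 4: ...but the Thief delivers his own
    assert juan_receives != bank_answer
    ciphertext = encrypt(juan_receives, PASSWORD)   # step 5: Juan encrypts for "the Bank"
    return decrypt(THIEF_PRIV, ciphertext)          # step 6: the Thief reads the password


def scenario_with_ca():
    """Same attack, but the Bank's key arrives inside a certificate signed by a CA
    the browser trusts.  Returns (genuine_accepted, forged_accepted)."""
    genuine = ca_sign(CA_PRIV, "bank.example", BANK_PUB)
    forged = dict(genuine, pub=THIEF_PUB)   # the Thief swaps the key but cannot re-sign it
    return (browser_verifies(CA_PUB, genuine, "bank.example"),
            browser_verifies(CA_PUB, forged, "bank.example"))


if __name__ == "__main__":
    print("Without a CA the Thief reads:", scenario_without_ca())
    print("With a CA (genuine accepted, forged accepted):", scenario_with_ca())
```

The point of the second scenario is that the Thief can still replace the key on the wire, but he cannot produce the CA's signature over his own key, so the browser's check fails and the warning from point 2 appears instead of the password leaving the machine.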

3. SSL and TLS: the language of questions and answers is encrypted.

Communication begins with a negotiation between browser and server to establish how the questions and answers will be encrypted (both ends must agree on the method and the keys).

For this, the browser sends a first message (ClientHello) listing the types of encryption it supports, and the server answers (ServerHello) with the one it has chosen. The server then presents its certificate, signed by the Certificate Authority, so the browser can check who it is talking to. Finally the two ends agree on a shared symmetric key: either the browser encrypts a secret with the server's public key that only the server's private key can recover, or both sides derive the key with a Diffie-Hellman exchange. The Certificate Authority itself is not contacted during this step; what is checked is its signature on the certificate.

And underneath these encryption techniques travels the HTTP, that is, the question and the response.
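An added example, not from the original post, that runs the negotiation just described as a small simulation: a ClientHello with the client's cipher suites, a ServerHello with the server's choice (or a handshake failure when there is no overlap), a Diffie-Hellman key agreement bound to the handshake transcript, and the HTTP request sent through the resulting encrypted and authenticated channel. The suite names, the group and the toy stream cipher are assumptions of this example and not what real TLS uses; certificate verification is omitted here.

```python
"""Added example (not from the original post): a miniature TLS-style handshake.
The client offers cipher suites in a ClientHello, the server picks one (or
refuses), both sides agree a key with Diffie-Hellman, and only then does the
HTTP request travel, encrypted and authenticated.  The group, the suite
names and the stream cipher are toys chosen for this example; real TLS uses
standardised groups and AES/ChaCha20."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the prime 2**255 - 19 with generator 2 (an assumption
# of this example, not a TLS group).  It yields a shared secret that a passive
# sniffer, who sees both public values, cannot compute.
P = 2**255 - 19
G = 2

SERVER_PREFERENCE = ["DHE-SHA256-TOYSTREAM", "DHE-SHA256-LEGACY"]   # hypothetical suite names


class TLSAlert(Exception):
    pass


def client_hello(supported):
    return {"type": "ClientHello", "cipher_suites": list(supported)}


def server_hello(hello):
    """Server picks the first suite on its own preference list that the client offered."""
    for suite in SERVER_PREFERENCE:
        if suite in hello["cipher_suites"]:
            return {"type": "ServerHello", "cipher_suite": suite}
    raise TLSAlert("handshake_failure: no common cipher suite")


def negotiated_suite(client_suites):
    """Suite the server would pick for these offers, or None if the handshake fails."""
    try:
        return server_hello(client_hello(client_suites))["cipher_suite"]
    except TLSAlert:
        return None


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(shared: int, transcript: bytes) -> bytes:
    # Key derivation bound to the handshake transcript: a tampered Hello changes the key.
    return hmac.new(transcript, shared.to_bytes(32, "big"), hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode.  Illustrative only.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()   # encrypt-then-MAC


def open_(key: bytes, record: bytes) -> bytes:
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise TLSAlert("bad_record_mac: record tampered with")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def run_connection(client_suites, http_request: bytes):
    """Full exchange; returns (chosen suite, what the server decrypts, what a sniffer sees)."""
    hello = client_hello(client_suites)
    reply = server_hello(hello)
    transcript = repr((hello, reply)).encode()
    c_priv, c_pub = dh_keypair()          # client's key share (sent in the clear)
    s_priv, s_pub = dh_keypair()          # server's key share (sent in the clear)
    client_key = derive_key(pow(s_pub, c_priv, P), transcript)
    server_key = derive_key(pow(c_pub, s_priv, P), transcript)
    record = seal(client_key, http_request)       # the HTTP request rides inside
    return reply["cipher_suite"], open_(server_key, record), record[:len(http_request)]


if __name__ == "__main__":
    request = b"GET /inbox HTTP/1.1\r\nCookie: session_id=4f9a2c7e1b\r\n\r\n"
    suite, received, on_wire = run_connection(["DHE-SHA256-TOYSTREAM"], request)
    print(suite, received, on_wire)
```

Both ends compute the same key from each other's public value, so the server recovers the request while the bytes on the wire are unreadable; a client offering only suites the server rejects gets the failure alert before any HTTP is sent.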

4. Integrity: any node the data passes through can neither read it nor alter it without the change being detected.

Why doesn't the whole internet work over HTTPS?

It is clear that a secure communication is better than an insecure one, and although the number of connections that use HTTPS is growing, the vast majority still happen without it. The reasons are several:

1. High cost of security certificates.

Certificate Authorities are not free, so it is normal for online shops, banks and large corporations to use them, but not for small and medium-sized websites.

(Edit: in the comments a reader tells us that there is a certificate authority with a free plan. Thanks for the info.)

2. HTTPS content is cached less.

Encrypted content cannot be stored by the shared caches (proxies) along the path, and browsers have traditionally been more conservative about keeping HTTPS responses on disk. This matters especially when accessing websites hosted on remote servers (think of data having to travel half the world): content that a normal site would serve from a cache, giving an apparent speed boost to your browser, may have to be sent again in full.

3. The initial SSL/TLS negotiation adds delay.

The handshake costs extra round trips between browser and server before the first byte of content arrives. If security is not essential, we usually prefer speed.

4. It is hard to use on shared (virtual) servers.

This is somewhat technical, but imagine that I rent space on a large company's server and manage my own site software on it, sharing the machine and its IP address with many other sites. This is a common practice. Plain HTTPS does not solve this well: the server has to send its certificate before it knows which site the browser wants, so one IP address could only serve one certificate. A TLS extension (Server Name Indication, SNI) lets the browser say which host name it wants before the certificate is chosen, but not every client supports it yet, so it is only a partial solution.
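An added example, not from the original post, of the problem and the extension mentioned above: it constructs two ClientHello messages, one carrying a Server Name Indication and one without, and parses them the way a shared server must before it can choose which certificate to present. The host names and certificate file names are assumptions of the example.

```python
"""Added example (not from the original post): why a server hosting several
HTTPS sites on one IP address needs the TLS Server Name Indication (SNI)
extension.  It builds two constructed ClientHello records, one with SNI and
one without, and parses them as a server must before picking a certificate."""
import struct

SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(server_name=None, random_bytes=bytes(32)):
    """Construct a TLS 1.2 ClientHello record; random_bytes is fixed so the output is deterministic."""
    body = b"\x03\x03" + random_bytes                          # client_version, random
    body += b"\x00"                                             # empty session_id
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"          # two cipher suites (4 bytes)
    body += b"\x01\x00"                                         # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record layer


def server_name_from_client_hello(record: bytes):
    """Return the SNI host name, or None when the client did not send the extension."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                  # record header, handshake header, version, random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = record[pos]
    pos += 1 + cm_len
    if pos >= len(record):
        return None                       # no extensions block at all (older clients)
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + length]
        pos += length
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:            # host_name
                return data[p:p + name_len].decode("idna")
            p += name_len
    return None


# Hypothetical virtual hosts sharing one IP address, each with its own certificate file.
VHOST_CERTS = {"shop.example": "shop.pem", "blog.example": "blog.pem"}


def pick_certificate(record: bytes, default="shop.pem"):
    """Choose the certificate to present; without SNI only the default is possible."""
    name = server_name_from_client_hello(record)
    return VHOST_CERTS.get(name, default)


if __name__ == "__main__":
    print(pick_certificate(build_client_hello("blog.example")))   # blog.pem
    print(pick_certificate(build_client_hello()))                 # shop.pem: no SNI, the server had to guess
```

Without the extension the server has nothing to go on and falls back to a default certificate, which is exactly what produces the name-mismatch warning for every other site on that IP address; with it, the name arrives in the clear in the very first message and the right certificate can be chosen.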

What to do to avoid Firesheep and other sniffers?

There are several extensions that force the use of HTTPS on servers that support it. Many websites offer it but do not use it by default, to maximize speed.

HTTPS everywhere and Noscript on Firefox


Chrome

Safer than these is to use a VPN (Virtual Private Network), which I talked about recently (link here).