
Differences

The following are the differences between the two versions of the page.

racfor_wiki:mrezna_forenzika:sigurnost_https_protokola [2020/01/05 13:29]
dsaric [Security of HTTPS protocol]
racfor_wiki:mrezna_forenzika:sigurnost_https_protokola [2024/12/05 12:24] (current)
Redak 1: Redak 1:
 ====== HTTPS protocol security ====== ====== HTTPS protocol security ======
- 
  
 ===== Abstract ===== ===== Abstract =====
Redak 66: Redak 65:
  
 <font 10pt/Arial,sans-serif;;inherit;;inherit>Definition of HTTP presumes an underlying and reliable transport layer protocol, because of that TCP (Transport Control Protocol) is often used. On the other hand, HTTP can be adapted to work on unreliable protocols such as UDP (User Datagram Protocol). For the network layer HTTP usually uses the Internet Protocol. Most used HTTP version is 1.1, but now HTTP/2.0 is also developed which is more efficient, more secure and faster.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>Definition of HTTP presumes an underlying and reliable transport layer protocol, because of that TCP (Transport Control Protocol) is often used. On the other hand, HTTP can be adapted to work on unreliable protocols such as UDP (User Datagram Protocol). For the network layer HTTP usually uses the Internet Protocol. Most used HTTP version is 1.1, but now HTTP/2.0 is also developed which is more efficient, more secure and faster.</font>
- 
  
 ===== Overview of HTTPS protocol ===== ===== Overview of HTTPS protocol =====
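Review bot: the unchanged paragraph in this hunk expands TCP as "Transport Control Protocol"; the name is Transmission Control Protocol, so the expansion should be corrected while this area is being edited. The blank-line removal itself is fine.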
Redak 74: Redak 72:
 <font 10pt/Arial,sans-serif;;inherit;;inherit>TLS and its depreciated predecessor SSL are cryptographic protocols designed to provide security over a computer network. They are widespread for use in web browsing, email and others. SSL/TLS works by binding the identities of websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>TLS and its depreciated predecessor SSL are cryptographic protocols designed to provide security over a computer network. They are widespread for use in web browsing, email and others. SSL/TLS works by binding the identities of websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate.</font>
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>Relationship between public and private key is based on symmetric cryptography and it allows that encrypted data with a public key are easily decrypted with private key. That way only systems who know the private key can understand the sent data.</font>+<font 10pt/Arial,sans-serif;;inherit;;inherit>Relationship between public and private key is based on symmetric and asymmetric cryptography and it allows that encrypted data with a public key are easily decrypted with private key. That way only systems who know the private key can understand the sent data.</font>
  
 <font 10pt/Arial,sans-serif;;inherit;;inherit>It should be noted that HTTPS URLs begin with https:// and use port 433 by default, HTTP URLs begin with http:// and the default port is 80.</font> <font 10pt/Arial,sans-serif;;inherit;;inherit>It should be noted that HTTPS URLs begin with https:// and use port 433 by default, HTTP URLs begin with http:// and the default port is 80.</font>
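Review bot: the revised sentence ("based on symmetric and asymmetric cryptography") still misstates the key relationship; a public/private key pair is asymmetric (public-key) cryptography, and the rest of the sentence only describes that asymmetric property (data encrypted with the public key is decrypted with the private key). Suggest "Relationship between public and private key is based on asymmetric cryptography ...", leaving symmetric encryption to the later description of the session keys negotiated in the handshake. In the unchanged line below it, "port 433" should read "port 443", the default HTTPS port.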
Redak 84: Redak 82:
 <font 10.0pt/inherit;;inherit;;inherit>Figure</font><font 10.0pt/inherit;;inherit;;inherit>1</font><font 10.0pt/inherit;;inherit;;inherit>Example of a valid certificate taken from Google Chrome</font> <font 10.0pt/inherit;;inherit;;inherit>Figure</font><font 10.0pt/inherit;;inherit;;inherit>1</font><font 10.0pt/inherit;;inherit;;inherit>Example of a valid certificate taken from Google Chrome</font>
  
-<font 10.0pt/inherit;;inherit;;inherit>**Establishing HTTPS connection** is different than with HTTP as there is a handshake with the SSL/TSL layer that HTTP doesn’t have, figure below showcases the handshake the best. The HTTP protocol doesn’t have TLS handshake.</font>+<font 10.0pt/inherit;;inherit;;inherit>**Establishing HTTPS connection** is different than with HTTP as there is a handshake with the SSL/TSL layer that HTTP doesn’t have, figure below showcases the handshake the best.</font>
  
 {{:racfor_wiki:mrezna_forenzika:slika2_tls_handshake.png?direct&600}} {{:racfor_wiki:mrezna_forenzika:slika2_tls_handshake.png?direct&600}}
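Review bot: dropping the redundant second sentence is right, but "SSL/TSL layer" in the retained text is a typo for "SSL/TLS" and should be fixed in the same edit. Suggest: "... there is a handshake with the SSL/TLS layer that HTTP doesn't have; the figure below shows the handshake."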
Redak 136: Redak 134:
 This results in a breach in the integrity and confidentiality of personal information such as login credentials, bank accounts, sensitive business data, etc. Users can combat this attack by using Strict Transport Security (HSTS) and by always checking that they are using HTTPS in their browsers. This results in a breach in the integrity and confidentiality of personal information such as login credentials, bank accounts, sensitive business data, etc. Users can combat this attack by using Strict Transport Security (HSTS) and by always checking that they are using HTTPS in their browsers.
  
-Cryptographic **attack ****FREAK**  (Factoring RSA Export Keys), discovered in 2014, is a type of downgrade attack which relied on using weak RSA encryption keys shorter than 512 bits. These weak RSA encryption keys are a product of espionage from U.S. government. During the 1990s, U.S. government set up rules for the export of encryption systems. These rules limited the strength of the RSA encryption keys to a maximum of 512 bits in any Secure Socket Layer (SSL) implementations targeted for export. The key length of maximum 512 bits made the protocol easily hackable by NSA (National Security Agency), but not by the agencies with lesser computing power. In 2014, when FREAK was discovered, affected 37 % of HTTPS websites [19]. Shortly after discovery shortcoming were patched in most browsers.+Cryptographic **attack ****FREAK**  (Factoring RSA Export Keys), discovered in 2014, is a type of downgrade attack which relied on using weak RSA encryption keys shorter than 512 bits. These weak RSA encryption keys are a product of espionage from U.S. government. During the 1990s, U.S. government set up rules for the export of encryption systems. These rules limited the strength of the RSA encryption keys to a maximum of 512 bits in all Secure Socket Layer (SSL) implementations targeted for export. The key length of maximum 512 bits made the protocol easily hackable by NSA (National Security Agency), but not by the agencies with lesser computing power. In 2014, when FREAK was discovered, affected 37 % of HTTPS websites [19]. Shortly after discovery shortcoming were patched in most browsers.
  
 Another type of attack is a **BEAST ****attack**. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of a HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. This type of attack was remedied in TLSv1.1. Another type of attack is a **BEAST ****attack**. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of a HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. This type of attack was remedied in TLSv1.1.
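Review bot: the "any" to "all" change is fine, but the changed paragraph still contradicts itself on key length: it says FREAK relied on RSA keys "shorter than 512 bits" and two sentences later that the export rules limited keys "to a maximum of 512 bits". Export-grade RSA keys were 512 bits, so the first phrase should read "of at most 512 bits" (or "512-bit export keys"). The sentence "In 2014, when FREAK was discovered, affected 37 % of HTTPS websites [19]" is also missing its subject; suggest "it affected 37 % of HTTPS websites [19]".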
Redak 162: Redak 160:
 ===== Conclusion ===== ===== Conclusion =====
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTP is one of the most used protocol in the world and is a backbone of the web. HTTPS uses TLS or SSL to encrypt transferred data over computer network. Using encryption over communication channel ensures a private connection. Meaning that no one else with access to this communication channel can't understand data transferred between server and client. A lot of flaws of HTTP are not fixed with HTTPS and they cannot be fixed with improving the protocol further. Rather the protection from exploits is a responsibility the host (web server) in the correct implementation of the protocol. For the implementation of a web server security it is important to know the flaws of HTTPS protocol and keep them in mind while developing.</font>+HyperText Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTP is one of the most used protocol in the world and is a backbone of the web. HTTPS uses TLS or SSL to encrypt transferred data over computer network. Using encryption over communication channel ensures a private connection. Meaning that no one else with access to this communication channel can't understand data transferred between server and client. A lot of flaws of HTTP are not fixed with HTTPS and they cannot be fixed with improving the protocol further. Rather the protection from exploits is a responsibility the host (web server) in the correct implementation of the protocol. For the implementation of a web server security it is important to know the flaws of HTTPS protocol and keep them in mind while developing. 
 + 
 +HTTPS protocol and its underlying security protocol TLS are continually being improved as more and more attacks are being discovered. A lot of mentioned flaws of HTTPS are patched in newer versions, but they must be considered as the older systems still run on flawed protocols. Furthermore, even newer systems under an uneducated user can be exploited with the right tools.
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>HTTPS protocol and its underlying security protocol TLS is continually being improved as more and more attacks are being discovered. A lot of mentioned flaws of HTTPS are patched in newer versions, but they must be considered as the older systems still run on flawed protocols. Furthermore, even newer systems under an uneducated user can be exploited with the right tools.</font>+HTTPS protocol is a perfect example that software developers can never say they developed a bug free code, rather a code without any bugs discovered. They should always strive to write a manageable code rather than a bug free one.
  
-<font 10pt/Arial,sans-serif;;inherit;;inherit>HTTPS protocol is a perfect example that software developers can never say they developed a bug free code, rather a code without any bugs discovered. They should always strive to write a manageable code rather than a bug free one.</font> 
  
 ===== Sources ===== ===== Sources =====
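Review bot: removing the <font> wrappers and changing "is continually" to "are continually" are good, but the added lines carry over grammar errors from the old text that should be fixed in the same edit: "one of the most used protocol" (protocols); "no one else with access to this communication channel can't understand" is a double negative (can understand); "the protection from exploits is a responsibility the host (web server)" is missing "of" (a responsibility of the host). The first added line also ends with a trailing space after "while developing."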
racfor_wiki/mrezna_forenzika/sigurnost_https_protokola.1578230959.txt.gz · Last modified: 2024/12/05 12:23 (external edit)
CC Attribution-Share Alike 4.0 International