Sunday, December 30, 2018

Bit on certificates

Continuing from my previous blog post, here I'm writing a bit more on SSL. As we learnt, one of the key components of the SSL protocol is certificates. A certificate is nothing but a file which contains information like:
  • Owner of the certificate
  • Issuer of the certificate
  • Validity of the certificate, etc. 
Below is a sample certificate:

[image: sample certificate]

Before moving ahead, let’s have a look at the primary elements of certificates: 

  • Public Key: This file, with extension .crt, is installed on the server and is distributed freely to any client.
  • Private Key: This file, with extension .key, is installed on the server and is kept secret and secure. It contains the information used for encrypting data; it does not expire and holds no details about the organization or domain name.
  • Signing Request: This file, with extension .csr, is sent to the certificate authority by an applicant when applying for a certificate and is used to generate the public key. The file contains all of the same information as the public key file except for the information about who has signed it.
A high-level picture - how does communication happen?

[image: high-level picture of the communication between browser and server]

Once the handshake is done, the browser generates a random session key, which is used for the connection from here on. This session key is sent to the server in encrypted form, using the public key contained in the certificate.

The best part is that only the server has the private key to decrypt this random key. So, from that point on, all communication between the browser and the server is secure.

How to verify that a certificate is issued by a valid authority?
Operating systems typically have a list of trusted certificate authorities. So, the certificate sent by the server is verified against this list.

What is a CRL and what does it hold?
CRL stands for Certificate Revocation List. Every certificate issuer maintains a CRL which holds all the revoked certificates. Revoked certificates are those which have been stolen and are blacklisted at the certificate requester's request.
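The following script is an added example and is not code from the original post. It ties together the three points above: it produces the .key, .csr and .crt files listed under the primary elements of a certificate with a throwaway CA, shows that all three carry the same public key, verifies the issued certificate against a trust anchor the way a client checks its OS trust list, and finally revokes the certificate and re-checks it against the CA's CRL. It assumes only that the openssl command-line tool is installed; every name, path and subject below (rootca, otherca, www.example.test, the temporary working directory) is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is
# installed; every name, path and subject below is made up for the example.

WORK="$(mktemp -d)"

# A throwaway CA whose self-signed certificate plays the "trusted authority".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=Example $1" 2>/dev/null
}

# Server side: the private key (.key) stays on the server, the CSR (.csr) is
# sent to the CA, and the CA returns the signed certificate (.crt).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of the public key held in a .key, .csr or .crt file.
pubkey_fp() {
    { case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
      esac; } | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeeds when key, CSR and certificate all carry the same public key.
pubkeys_match() {
    k="$(pubkey_fp "$WORK/$1.key")"
    c="$(pubkey_fp "$WORK/$1.csr")"
    x="$(pubkey_fp "$WORK/$1.crt")"
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# Succeeds when certificate $1 chains to trust anchor $2 and, if a CRL file
# is given as $3, is not listed on that CRL.
verify_against() {
    if [ -n "$3" ]; then
        openssl verify -crl_check -CAfile "$WORK/$2.crt" -CRLfile "$3" "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

# Revoke certificate $1 with CA $2 and publish the CA's CRL; prints the CRL path.
# `openssl ca` needs a small config with an index database to record revocations.
revoke_and_gencrl() {
    cat > "$WORK/$2.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $WORK/$2.index
default_md = sha256
default_crl_days = 7
EOF
    : > "$WORK/$2.index"
    openssl ca -config "$WORK/$2.cnf" -keyfile "$WORK/$2.key" -cert "$WORK/$2.crt" \
        -revoke "$WORK/$1.crt" >/dev/null 2>&1
    openssl ca -config "$WORK/$2.cnf" -keyfile "$WORK/$2.key" -cert "$WORK/$2.crt" \
        -gencrl -crldays 7 -md sha256 -out "$WORK/$2.crl" >/dev/null 2>&1
    echo "$WORK/$2.crl"
}

make_ca rootca
make_ca otherca
make_server_cert www.example.test rootca

pubkeys_match www.example.test && echo "key, CSR and certificate share one public key"
verify_against www.example.test rootca && echo "issued by rootca: OK"
verify_against www.example.test otherca || echo "checked against otherca: rejected"

CRL="$(revoke_and_gencrl www.example.test rootca)"
verify_against www.example.test rootca "$CRL" || echo "after revocation: rejected via CRL"
```

Two things are worth noticing when running it. First, the public-key fingerprint is identical across the .key, .csr and .crt files, which is exactly why the CSR can be described as carrying the same information as the certificate minus the signature. Second, a plain `openssl verify` still accepts the revoked certificate; only the run with `-crl_check` and the CA's CRL rejects it, which is why a client that trusts the CA list but never consults revocation data can still be fooled by a stolen certificate.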

Should we go with a paid certificate issuing authority?
Precisely yes, as it is all about security, and all the verification must go through a stringent process. A company that signs your certificate must first verify your right to the certificate in question. Then they add information to the certificate that allows others to see that they have indeed verified your ownership of it. This means:

  • Issuing authorities check that the domain name in the certificate is actually owned by you and that the people in charge of the domain approve the creation of this SSL certificate.
  • If there is information about your organization (i.e. the company name) in the certificate, then this must also be verified. The people in charge of this company must approve the certificate.
Developer's note - does just adding an SSL certificate secure my web site?
Merely adding an SSL certificate to a site does not make the site secure. Once the SSL certificate for the site is received, one needs to ensure that web pages that require security are only accessed over SSL (e.g. you need to link to them with https:// and not http:// links). One may also want to construct the site so that secure pages cannot be accessed via insecure links (e.g. http://).
Hope you like the briefing on certificates. Happy learning!

Monday, December 10, 2018

Are SSL and TLS the same or different?


Yes, many people use these terms interchangeably. But today, the right term would be TLS. So, what is TLS and why do we really need it?

Most of us are already aware that HTTP is a plain-text protocol which doesn't have its own transport security mechanisms. In other words, HTTP is a protocol which sends data to a server and gets a response without any built-in feature or mechanism to protect the data packet against tampering.

To protect our packets travelling over HTTP, some sort of secure tunnel is required, and that secure tunnel is provided by a protocol called TLS, a.k.a. SSL. This is where HTTP and TLS come together.

Usually people associate SSL/TLS with encryption, but that is not the only feature SSL provides. There are a few more features:

Server Authentication – It makes sure that communication is made with the right server
Veracity Protection – It provides integrity and makes sure that no one in between is reading our data
Confidentiality – It makes sure that no one else can know what data is being transmitted

Associating the above features with HTTP makes HTTPS more reliable and authentic. Now the question may be: how to achieve this, or how to implement SSL? Here comes the requirement for certificates. Do wait for my next article to know more about certificates.

Happy learning.