A brief intro to HTTPS
Thameera Senanayaka
Oliv Labs
HTTP
- Hypertext Transfer Protocol
- A request-response protocol
- Initial draft in 1989
- HTTP/1.1 in 1997
- HTTP/2 in 2015
Demo - HTTP/1.1 and HTTP/2
HTTPS
- HTTP over TLS (Transport Layer Security)
- Previously: HTTP over SSL (Secure Sockets Layer)
- Uses port 443
- Protects against Man-in-the-Middle attacks
Demo
Browser warnings
DEMO: WP login, Redmine
EV Certificates
- Extended Validation Certificates
- CAs need to verify the legal identity, etc of the company/website
- DEMO: github.com
Support in different browsers
HTTPs certificates
- Should be obtained from a Certificate Authority (CA)
- eg: Comodo, DigiCert
- Has an expiry date
- Is valid for only one or more domains/sub-domains
- Server sends the cert to the browser initially
Non-secure origins
- All content should be https.
- Mixed-content errors/warnings given otherwise.
- DEMO: http://ddd.co.jp
- Use CSP (Content-Security-Policy) header
-
upgrade-insecure-requests
-
Barriers to HTTPS
- Cost
- Let's Encrypt
- Speed
- Gmail: Only 1% of CPU load contributes to HTTPS.
-
Complexity of installing and renewing
-
Certbot
-
Redirecting HTTP to hTTPS
DEMO: http://olivlabs.com
HSTS
- HTTP Strict Transport Security
-
strict-transport-security header
- 307 response code
- DEMO: http://olivlabs.com
- Preload HSTS
Thank you!
A brief intro to HTTPS
By Thameera
A brief intro to HTTPS
- 1,281