A brief intro to HTTPS

Thameera Senanayaka

Oliv Labs

HTTP

  • Hypertext Transfer Protocol
  • A request-response protocol
  • Initial draft in 1989
  • HTTP/1.1 in 1997
  • HTTP/2 in 2015

Demo - HTTP/1.1 and HTTP/2

HTTPS

  • HTTP over TLS (Transport Layer Security)
  • Previously: HTTP over SSL (Secure Sockets Layer)
  • Uses port 443
  • Protects against Man-in-the-Middle attacks

Demo

Browser warnings

DEMO: WP login, Redmine

EV Certificates

  • Extended Validation Certificates
  • CAs need to verify the legal identity, etc. of the company/website
  • DEMO: github.com

Support in different browsers

HTTPS certificates

  • Should be obtained from a Certificate Authority (CA)
    • e.g. Comodo, DigiCert
  • Has an expiry date
  • Is valid only for one or more specific domains/sub-domains
  • Server sends the cert to the browser initially

Non-secure origins

  • All content should be served over HTTPS.
  • Mixed-content errors/warnings are given otherwise.
  • DEMO: http://ddd.co.jp
  • Use CSP (Content-Security-Policy) header
    • upgrade-insecure-requests

Barriers to HTTPS

Redirecting HTTP to HTTPS

HSTS

  • HTTP Strict Transport Security
  • strict-transport-security header
  • 307 response code
  • DEMO: http://olivlabs.com
  • Preload HSTS
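As an added example that is not part of the slides: a small Python checker for the last two topics, the HTTP-to-HTTPS redirect and the Strict-Transport-Security header, flagging what would keep a site off the HSTS preload list. The one-year max-age minimum is the figure published by hstspreload.org; example.com and the response headers used here are constructed, not captured from any real site.

```python
# Added example (not from the slides): audit the HTTP-to-HTTPS redirect and the
# HSTS policy of a site from its response headers, reporting anything that would
# stop it from being accepted onto the HSTS preload list.
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age (seconds) required by hstspreload.org
REDIRECT_STATUSES = (301, 302, 307, 308)

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(http_url, http_status, http_headers, https_headers):
    """Return a list of problems; an empty list means the site looks preload-ready."""
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}
    problems = []
    host = urlsplit(http_url).hostname
    location = http_headers.get("location", "")
    target = urlsplit(location)
    if http_status not in REDIRECT_STATUSES:
        problems.append(f"plain HTTP answered {http_status} instead of redirecting")
    elif target.scheme != "https" or target.hostname != host:
        problems.append(f"HTTP redirects to {location!r}, not to https on the same host")
    if "strict-transport-security" not in https_headers:
        problems.append("HTTPS response carries no Strict-Transport-Security header")
        return problems  # nothing more to check without a policy
    policy = parse_hsts(https_headers["strict-transport-security"])
    if policy["max_age"] is None:
        problems.append("HSTS header has no valid max-age directive")
    elif policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age={policy['max_age']} is below the one-year preload minimum")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems

# Constructed sample header for a hypothetical example.com (not from a real site).
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
```

Calling `audit("http://example.com/", 301, {"Location": "https://example.com/"}, {"Strict-Transport-Security": SAMPLE_HSTS})` returns an empty list, while a plain-HTTP 200 paired with `max-age=300` yields four separate problems.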

Thank you!
