Advancing into client connectivity
In the last article we looked at the basics of client connectivity; in this one we dive slightly deeper into the more advanced concepts.
So once your DNS resolution is done and your client (browser or app) is ready to connect to the backend application server, the story is not over yet. It has just begun, as they say: "Picture toh abhi baaki hai mere dost" (the movie isn't over yet, my friend).
Focusing only on the client (the browser or mobile app in this case), let's talk about security. I didn't want to write about security at the moment, but it is inevitable, so why not discuss it!
There is a reason I said client security specifically. Many people (especially us IT folks, you and me!) think you just have to keep your data secure in the datacenter behind a hundred firewalls, WAFs, anti-DDoS appliances, IPS and what not. That is not quite the case: the datacenter may be a major part of the security story, but security always starts on the client side. How? Let's see.
Your mobile app or browser always tries to make sure that it is connecting to the right server and in the right way. For example, once it has found the internet IP address to connect to, the next steps are:
1. Check whether the connection is over HTTPS or not, where the S stands for "Secure" (HyperText Transfer Protocol Secure). The S indicates that all data transmitted over the internet or the network is encrypted using SSL/TLS. This is something the developer handles while hosting the application on the internet: the application gets an HTTPS URL, and even if the user types "http" without the S, they are still redirected to the HTTPS URL. Nowadays modern browsers and mobile apps always have this check enabled, so that you are connected to an HTTPS URL only and not to HTTP. By the way, the network port numbers used for HTTP and HTTPS are also different: HTTP works on port 80 and HTTPS on 443, which is one reason no security guy in the industry would allow you to host any application on port 80, as it is insecure.
2. Check whether the certificate is genuine or not. Where did this certificate come into the picture all of a sudden? Yes, that's right: all of a sudden your client becomes highly vigilant, because as I mentioned above it tries to make sure that it is connecting to the right application server, and the best way to do that is to validate whether the application server can present a genuine certificate. You can imagine this certificate as a simple file (the technical term would be "digital document", but for simplicity think of it as a file) which has the following details: Version, Serial Number, Signature, Issuer, Validity period, etc. This server certificate is issued to the application server by an online global Certificate Authority (CA) such as DigiCert, GlobalSign, GoDaddy, etc. While issuing the certificate to the application server, the CA signs it with its private key, so that any client which wants to check the authenticity of the certificate can validate it with the help of the CA's public key, which is widely available.
Coming back to the validation process: once the client (browser / mobile app) receives the application server's certificate, it parses the server certificate and checks some details such as the expiry and the CA which issued it, and then validates the signature on the certificate using the CA certificate. Now you must be wondering where the client gets the CA's public certificate from. It is actually there with the client by default (in fact for all the global CAs). It seems like magic but it's true: any operating system in the world, laptop or mobile, has the list of all the CA certificates at the time the OS is installed, and this list keeps getting updated in the form of patches or OS updates on your laptop/mobile.
Another thing which is checked is the URL or domain name: whatever URL you are connecting to, the "Common Name" or "Subject Name" presented on the certificate should match it. If it doesn't match you get that famous SSL error, "Your connection is not private", with a red exclamation mark.
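To make the three checks above concrete (expiry, issuer present in the local trust store, and hostname against the certificate's names), here is a small model of the client-side logic. It is an added example, not code from the article, and it works on a dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate, the trust store and the "current time" below are constructed sample data, and `Example Global Root CA` is a hypothetical CA name. The signature check itself is done by the TLS library and is deliberately not modelled here.

```python
import ssl

# Constructed trust store: the CA names the OS or browser ships with by default.
# "Example Global Root CA" is a hypothetical name, not a real CA.
TRUSTED_CAS = {"Example Global Root CA"}

# Constructed server certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns (subject/issuer are tuples of RDNs, each a tuple of (key, value) pairs).
SERVER_CERT = {
    "version": 3,
    "serialNumber": "0A1B2C3D",
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Global Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

# Constructed clock values: inside the validity window, and a year after expiry.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  1 12:00:00 2024 GMT")
SAMPLE_LATER = ssl.cert_time_to_seconds("Jul  1 12:00:00 2026 GMT")


def _name_attr(name, key):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(cert, hostname):
    """Check the URL's host against the certificate's SAN DNS names, falling
    back to the Common Name only when there are no SANs. A wildcard is only
    honoured in the leftmost label and must not span extra labels."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _name_attr(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    host = hostname.lower().rstrip(".")
    for pattern in names:
        p = pattern.lower()
        if p == host:
            return True
        if p.startswith("*.") and host.count(".") == p.count(".") and host.endswith(p[1:]):
            return True
    return False


def validate_server_cert(cert, hostname, trusted_cas, now_epoch):
    """Return the reasons a client should reject this certificate; an empty
    list means the expiry, issuer and hostname checks all passed."""
    problems = []
    if now_epoch < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now_epoch > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    issuer = _name_attr(cert.get("issuer", ()), "commonName")
    if issuer not in trusted_cas:
        problems.append(f"issuer {issuer!r} is not in the trust store")
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate was not issued for {hostname!r}")
    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "app.example.com", "www.example.org"):
        print(host, "->", validate_server_cert(SERVER_CERT, host, TRUSTED_CAS, SAMPLE_NOW) or "OK")
    # Same certificate, checked after it has expired.
    print("2026 ->", validate_server_cert(SERVER_CERT, "www.example.com", TRUSTED_CAS, SAMPLE_LATER))
```

The hostname rule follows what browsers do: SAN entries win over the Common Name, and `*.example.com` covers `app.example.com` but not `a.b.example.com` or the bare `example.com`. Any non-empty result is exactly the situation that produces the "Your connection is not private" page.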
3. Cipher suite selection: Once the certificate is validated there is another process where the client and the server negotiate which cipher suite to use. The goal is to make sure that the data transferred from the client app to the server application maintains confidentiality and integrity. Confidentiality, in simple terms, means that any data traversing a network or the internet should not be seen by an unauthorised individual; this is where we encrypt all the data, so that even if someone eavesdrops on a packet from the network he/she would not be able to see what's in it. Integrity, on the other hand, is about data hashing or signing: at the client end, before sending the data on the network, the data is hashed and sent to the server along with the hash value. On receiving the encrypted data and the hash value, the server first decrypts the data, creates a hash out of it and then matches it against the hash value sent by the client, to make sure the data was not tampered with in transit, as if anything changes in the data the hash value won't match.
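The integrity flow just described, as an added example (not the article's code): the client hashes the payload and sends both, the server recomputes and compares. It goes one step beyond the text by also running the same flow with a keyed MAC (HMAC-SHA256), which is what TLS actually uses, to show why the key matters. The message and session key are constructed sample values, and encryption is left out so that only the integrity part is visible.

```python
import hashlib
import hmac

# Constructed sample payload; "amount=10" is the field the simulated tamperer edits.
MESSAGE = b"transfer: to=alice amount=10"
SESSION_KEY = b"constructed-shared-session-key"  # sample key, not a real secret


def send_with_hash(data):
    """Client side as the article describes it: hash the payload, ship both."""
    return data, hashlib.sha256(data).hexdigest()


def verify_hash(data, received_digest):
    """Server side: recompute the hash over what arrived and compare it with
    the one the client sent (constant-time compare avoids timing leaks)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), received_digest)


def send_with_mac(key, data):
    """Same flow with a keyed MAC (HMAC-SHA256), as TLS does."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, received_tag):
    """Server side for the keyed variant."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), received_tag)


def tamper(data):
    """Simulate an in-transit modification of the payload."""
    return data.replace(b"amount=10", b"amount=99")


def integrity_outcomes():
    """Run the untampered and tampered cases for both schemes and report
    whether the server accepted each one."""
    out = {}
    data, digest = send_with_hash(MESSAGE)
    out["hash_untampered"] = verify_hash(data, digest)            # True
    out["hash_tampered"] = verify_hash(tamper(data), digest)      # False: digest no longer matches
    # Limit of a plain hash: whoever can rewrite the payload can also rewrite
    # the hash travelling beside it, and the server has no way to tell.
    forged = tamper(data)
    out["hash_tampered_rehashed"] = verify_hash(forged, hashlib.sha256(forged).hexdigest())  # True
    data, tag = send_with_mac(SESSION_KEY, MESSAGE)
    out["mac_untampered"] = verify_mac(SESSION_KEY, data, tag)    # True
    out["mac_tampered"] = verify_mac(SESSION_KEY, tamper(data), tag)  # False
    # Without the session key a fresh tag cannot be produced; a wrong key fails.
    wrong_tag = hmac.new(b"wrong-key", forged, hashlib.sha256).hexdigest()
    out["mac_tampered_retagged"] = verify_mac(SESSION_KEY, forged, wrong_tag)  # False
    return out


if __name__ == "__main__":
    for case, accepted in integrity_outcomes().items():
        print(f"{case:24s} accepted={accepted}")
```

The `hash_tampered_rehashed` case is the one to notice: a bare hash only detects accidental corruption, while the keyed tag also detects deliberate modification, which is why the negotiated cipher suite names a MAC or AEAD mode rather than a plain hash.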
So to achieve both confidentiality and integrity, client and server negotiate to decide upon the encryption algorithm and the hashing algorithm, so that the handshake and the communication between them happen in a secure manner. Some of the popular cipher suites are:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
An easy way to make sure that you are not using any insecure cipher, when you are the developer or system designer, is to not allow any AES below 128 and any SHA below 256; preferably both values should be 256 or above.
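A small checker for that rule of thumb, added here as an example (not the article's own code). It parses cipher suite names in the IANA form shown above and classifies each one; it goes slightly beyond the text by also understanding TLS 1.3 names (which carry no key exchange part) and by treating ChaCha20-Poly1305 as a 256-bit cipher. The list audited in `main` is constructed sample input that mixes the suites above with some legacy ones.

```python
import re

# Classic (TLS 1.2 and earlier) names look like TLS_<kx>_WITH_<cipher>_<hash>.
CLASSIC_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA\d*|MD5)$"
)
# TLS 1.3 names carry no key exchange: TLS_<cipher>_<hash>.
TLS13_RE = re.compile(
    r"^TLS_(?P<cipher>AES_\d+_GCM|AES_128_CCM(?:_8)?|CHACHA20_POLY1305)_(?P<hash>SHA\d+)$"
)
# Unnumbered hash tokens are MD5 (128-bit) and SHA-1 (160-bit).
HASH_BITS = {"MD5": 128, "SHA": 160}


def parse_suite(name):
    """Split a suite name into key exchange, cipher, key size and hash size.
    Returns None for names that are not in either known form."""
    m = CLASSIC_RE.match(name)
    if m:
        kx = m.group("kx")
    else:
        m = TLS13_RE.match(name)
        if not m:
            return None
        kx = "TLS1.3"
    cipher, h = m.group("cipher"), m.group("hash")
    aes = re.search(r"AES_(\d+)", cipher)
    if aes:
        key_bits = int(aes.group(1))
    elif "CHACHA20" in cipher:
        key_bits = 256
    else:
        key_bits = None  # 3DES, RC4, NULL, ...: not an AES-class cipher
    sha = re.search(r"SHA(\d+)", h)
    hash_bits = int(sha.group(1)) if sha else HASH_BITS.get(h, 0)
    return {"name": name, "key_exchange": kx, "cipher": cipher,
            "key_bits": key_bits, "hash_bits": hash_bits}


def classify_suite(name):
    """Apply the rule: no AES below 128, no SHA below 256, prefer 256 for both."""
    info = parse_suite(name)
    if info is None:
        return "unrecognised"
    if info["key_bits"] is None or info["key_bits"] < 128 or info["hash_bits"] < 256:
        return "weak"
    if info["key_bits"] >= 256 and info["hash_bits"] >= 256:
        return "preferred"
    return "acceptable"


def audit(suites):
    """Map each suite name to its verdict."""
    return {s: classify_suite(s) for s in suites}


if __name__ == "__main__":
    # Constructed sample list: the article's suites plus a few legacy ones.
    sample = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
    ]
    for suite, verdict in audit(sample).items():
        print(f"{verdict:12s} {suite}")
```

Run it against the cipher list your server or load balancer actually offers (for example the output of your TLS scanner of choice) and anything marked `weak` is a candidate for removal from the configuration.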
So these are some of the primary checks which happen at the client side. There are a few more, but they mostly depend on server-side configuration, which I will discuss in my later articles, otherwise this article would get bloated.
So next time you open your browser or the mobile app, you should be able to relate to what is happening behind the scenes!