HTTPS - Securing the HTTP - Part 1 - Intro
HTTP(S) - Secure the HTTP Protocol


In the previous article we read about the HTTP protocol, its message format and a Wireshark analysis of HTTP traffic. In this article we look at how the HTTP protocol is secured with SSL/TLS. Let's dive in and understand how HTTP communication is protected.


Why do we need to secure HTTP?

The answer is pretty simple: we are interacting with web servers located somewhere in the world, and when we send and receive data we want it protected against unauthorised use and we want privacy. To achieve this, the data must be encrypted all the way from the client to the server, so that third parties sitting on the path (an ISP, a public Wi-Fi operator, anyone who can capture the packets) cannot inspect or misuse it.

Encryption is a fundamental aspect of cyber-security and privacy, ensuring that information is accessible only to those authorised to view it. It involves converting plain text into a scrambled format known as cipher text, which is unreadable without the proper decryption key.


So does encryption solve all the problems?

Encryption on its own only gives us confidentiality: it scrambles the data with algorithms that have been hardened against cryptanalysis. AES (Advanced Encryption Standard) is the most widely used symmetric cipher in the industry, and with 128-bit or larger keys it cannot be brute-forced in practice. But does confidentiality alone solve our problem of securing data and preventing its misuse? We will find out by analysing a few scenarios, and to understand them better we welcome our old friends from the internet world, "Alice", "Bob" and "Charlie". "Alice" is the client, "Bob" is the server and "Charlie" is the attacker or malicious user.

  1. Alice sending data to Bob: Imagine Alice sends information to Bob using AES, a symmetric encryption technique. This means Alice and Bob must both know the key before the communication starts; only then is the data secure against decryption by a third party. Now imagine this scenario in real life. You are visiting the LinkedIn website. Do you remember ever sharing a personal key with LinkedIn so that it can encrypt your information before sending it? And do you do this with every other website as well? DO YOU SHARE YOUR KEYS WITH ALL WEBSITES BEFORE COMMUNICATION!!!
  2. Secure key exchange between Alice and Bob: In the example above we saw that symmetric encryption needs a common key between sender and receiver. But how do we safely share that key between two parties who are only connected over the Internet? ARE YOU GOING TO DELIVER THE KEYS TO EVERY WEBSITE OWNER BY VISITING THEIR OFFICE, AND EVEN THEN, TO WHOM???
  3. Alice sending data to Bob only: The example above has a key-sharing problem. This example shows another one. Let's say Alice sends secret information to Bob, but instead of Bob some third-party system is posing as Bob and collecting the information. Alice has no way to determine the authenticity of Bob. HOW DOES ALICE CONFIRM THAT BOB IS BOB!!!
  4. Bob sending data to Alice: Here Bob sends data back to Alice, but someone else is retrieving it instead of Alice. HOW DOES BOB CONFIRM THAT ALICE IS ALICE!!!
  5. Alice is sending data to Bob, but the data is altered in transit: Alice sends information to Bob, but Charlie manipulates it on the way, and Bob has no way to tell. Encryption alone does not provide integrity: with a stream cipher or counter-mode cipher Charlie can flip bits in the ciphertext and change the decrypted plaintext in a predictable way without knowing the key at all. And if Alice is careless and mistakenly shares the symmetric key with Charlie, then Charlie can read everything going from Alice to Bob, alter it, and forward the manipulated data to Bob.
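The fifth scenario is worth seeing in code, because it is the one people find hardest to believe: a correctly encrypted message can be rewritten by someone who never learns the key. The following Go program is an added example written for this article (it is not code from the original post). It encrypts a payment instruction with AES-CTR, lets Charlie change the amount by XORing the ciphertext, and shows that Bob only notices when an HMAC-SHA256 tag (encrypt-then-MAC) is checked before decrypting. The keys, IV and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ctrXOR runs AES-CTR. CTR mode is a stream cipher: the key stream is XORed
// with the input, so the same call both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error in this demo
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Tamper is Charlie's move. He does not know the key, but he knows (or
// guesses) that the plaintext contains oldText at byte offset off. Because
// ciphertext = plaintext XOR keystream, XORing the ciphertext with
// (oldText XOR newText) makes it decrypt to newText at that position.
func Tamper(ct []byte, off int, oldText, newText string) []byte {
	out := append([]byte(nil), ct...)
	for i := 0; i < len(oldText); i++ {
		out[off+i] ^= oldText[i] ^ newText[i]
	}
	return out
}

// Tag computes the HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC).
func Tag(macKey, iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}

// OpenChecked is Bob's receive path with integrity: compare the tag in
// constant time first, and only then decrypt. A tampered ciphertext is rejected.
func OpenChecked(encKey, macKey, iv, ct, tag []byte) ([]byte, error) {
	if !hmac.Equal(tag, Tag(macKey, iv, ct)) {
		return nil, errors.New("integrity check failed: message was altered in transit")
	}
	return ctrXOR(encKey, iv, ct), nil
}

func main() {
	// Constructed demo keys and IV. Real code draws them from crypto/rand and
	// never reuses an IV under the same key.
	encKey := []byte("0123456789abcdef")
	macKey := []byte("fedcba9876543210")
	iv := []byte("unique-iv-000001")

	msg := []byte("PAY BOB 100 EUR")
	ct := ctrXOR(encKey, iv, msg)
	tag := Tag(macKey, iv, ct)

	// Charlie rewrites the amount without the key; "100" starts at offset 8.
	bad := Tamper(ct, 8, "100", "900")

	// Bob without integrity protection: decryption "succeeds" and he pays 900.
	fmt.Printf("no MAC:   %q\n", ctrXOR(encKey, iv, bad))

	// Bob with encrypt-then-MAC: the forgery is detected before decryption.
	_, err := OpenChecked(encKey, macKey, iv, bad, tag)
	fmt.Println("with MAC:", err)
	pt, _ := OpenChecked(encKey, macKey, iv, ct, tag)
	fmt.Printf("genuine:  %q\n", pt)
}
```

The same attack applies to any unauthenticated cipher mode, not just CTR; this is why TLS 1.3 only allows AEAD cipher suites (AES-GCM, ChaCha20-Poly1305), which fold the integrity tag into the encryption itself rather than relying on a separate MAC.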

Now we are starting to understand the complexity of data security and authentication in Internet communication.

Let's discuss the approaches that solve all these problems. Before looking at the solution we need to know a few concepts: "Symmetric Encryption", "Asymmetric Encryption" and "Digital Signatures".


Symmetric Encryption vs Asymmetric Encryption

Symmetric encryption is encryption where the sender and the receiver use the same key: whoever holds the key can both encrypt and decrypt.

Examples: AES (Rijndael), DES, 3DES, RC4, IDEA etc. Of these only AES is still acceptable today; DES, 3DES and RC4 are broken or too weak and have been removed from modern TLS.

Asymmetric (public-key) encryption, on the other hand, gives each party a key pair: a private key that is kept secret and a public key that can be handed to anyone. Data encrypted with the public key can only be decrypted with the matching private key, and a signature made with the private key can be checked by anyone holding the public key.

Examples: RSA (encryption and signatures), Diffie-Hellman and ECDH (key agreement), ECDSA (signatures) etc.

Note: This article doesn't explain the concepts of above mentioned algorithms, as they are far beyond the context of this article. I will discuss them in the upcoming articles.


Digital Signatures

Digital signatures are a cryptographic technique used to ensure the authenticity and integrity of digital messages. A signature is a mathematically verifiable value computed from the data (usually from its hash) with the signer's private key, and anyone holding the signer's public key can verify it. Any change to the signed data, however small, makes the verification fail, which lets the receiver detect tampering.

Note: Digital Signatures will be explained in detail in future articles


How do these techniques solve our problems?

Let's understand how these techniques help us solve the problems. We take the example of Alice sending data to Bob.

  1. Exchange of keys: Alice and Bob use asymmetric encryption to exchange a symmetric key securely. Bob shares his public key with Alice.
  2. Encryption of the symmetric key: Alice generates a fresh symmetric key for encrypting the main data. She then encrypts this symmetric key using Bob's public key.
  3. Encryption of the main data: Alice uses the symmetric key to encrypt the main data. Symmetric encryption is used here because it is much faster and more efficient for large amounts of data.
  4. Digital signature creation: Alice creates a digital signature to ensure the integrity and authenticity of the message. She computes a hash (digest) of the encrypted message (or of the original message, depending on the protocol) and signs that hash with her private key; in textbook RSA this is often described as "encrypting the hash with the private key". The result is the digital signature.
  5. Sending the encrypted data and signature: Alice sends Bob the encrypted data, the encrypted symmetric key and the digital signature.
  6. Verification of the digital signature: Bob first checks the signature with Alice's public key: he hashes the received encrypted data himself and verifies that the signature matches that hash. If it does, the data is unchanged and it came from Alice. Checking the signature before doing anything else with the message is the safe order.
  7. Decryption of the main data: Only once the signature is verified does Bob decrypt the symmetric key with his private key and then use it to decrypt the main data.
  8. Voilà, we have completed the data exchange.
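The eight steps above, carried out end to end in Go as an added example for this article (not code from the original post). Alice seals a message for Bob with AES-256-GCM, wraps the session key with RSA-OAEP under Bob's public key and signs the ciphertext with RSA-PSS; Bob verifies the signature before unwrapping the key and decrypting. The message text and the key sizes are assumptions for the demo; the standard-library primitives are real. It also shows the two failure cases from the scenarios: Charlie cannot open an envelope sealed for Bob, and a single flipped byte is caught by the signature check.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels from Alice to Bob (step 5): the AES-GCM
// ciphertext, the session key wrapped under Bob's public key, and Alice's
// signature over the ciphertext.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// Seal is Alice's side, steps 2 to 4.
func Seal(msg []byte, bobPub *rsa.PublicKey, alicePriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // step 2: fresh AES-256 session key, never reused
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil) // step 3: bulk data under the symmetric key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, nil) // step 2: wrap key for Bob
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct) // step 4: sign the digest of the ciphertext
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open is Bob's side, steps 6 and 7: verify first, only then unwrap and decrypt.
func Open(env *Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: altered in transit or not from Alice")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: envelope was not sealed for this private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// genKey makes a 2048-bit RSA key pair for one party of the demo.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	alice, bob, charlie := genKey(), genKey(), genKey()

	env, _ := Seal([]byte("meet at 10:00, bring the contract"), &bob.PublicKey, alice)
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("Bob reads: %q (err=%v)\n", pt, err)

	// Charlie posing as Bob: Alice's signature checks out, but the key was
	// wrapped for Bob's private key, so Charlie cannot recover it.
	_, err = Open(env, charlie, &alice.PublicKey)
	fmt.Println("Charlie as Bob:", err)

	// Charlie altering one byte in transit: caught by the signature check.
	env.Ciphertext[0] ^= 1
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("tampered:", err)
}
```

Note that Bob verifies the signature before touching the wrapped key or the ciphertext, so a forged envelope never reaches the decryption code; this "verify, then decrypt" order is the one to keep in any protocol built from these pieces.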

Awesome, right? We have exchanged information between two entities while implementing confidentiality, privacy, authenticity and verifiability.


Problems Addressed

  1. Sharing a symmetric key securely between two parties is achieved by encrypting the symmetric key itself with asymmetric encryption.
  2. Using Bob's public key we can be sure that only the intended recipient can decrypt the data. Imagine a third person, "Charlie", tries to impersonate Bob. Charlie can hand out Bob's public key, because it is available to anyone, but Charlie cannot decrypt the data because he does not have Bob's private key.
  3. We use the digital signature to verify that the data was not altered in transit.
  4. Bob authenticates Alice by verifying her signature with Alice's public key, and when he replies he can encrypt the reply's symmetric key with Alice's public key so that only Alice can read it.
  5. Charlie cannot manipulate the data unnoticed: any change is caught by the signature check, and he cannot forge a new signature without Alice's private key.

So all our issues are addressed with the above concept. The reason we discussed all these concepts is that they are the driving concepts behind HTTPS, HTTP secured communication.

There is one more problem, not discussed in this article, which we will discuss in detail when we cover SSL/TLS. If you can identify the problem, share it in the comments section.


How is HTTPS achieved?

HTTPS is achieved by running HTTP over the SSL/TLS protocols. Today "SSL" is commonly used as a synonym for TLS, but every SSL version is obsolete and actual deployments use TLS 1.2 and TLS 1.3.

SSL (Secure Sockets Layer) Versions:

  1. SSL 1.0: Never released publicly due to serious security flaws.
  2. SSL 2.0: Released in 1995, the first public version of SSL. It contained numerous security flaws and vulnerabilities.
  3. SSL 3.0: Released in 1996 to address the vulnerabilities of SSL 2.0. Although an improvement, SSL 3.0 itself is considered insecure today due to vulnerabilities like the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

TLS (Transport Layer Security) Versions:

  1. TLS 1.0: Introduced in 1999 as an upgrade to SSL 3.0, it aimed to address some of SSL 3.0's vulnerabilities. It is now considered outdated and insecure.
  2. TLS 1.1: Released in 2006, this version made further improvements but still suffers from security issues and is considered obsolete. TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996 in 2021, and servers should refuse them.
  3. TLS 1.2: Released in 2008, TLS 1.2 introduced significant security improvements, including support for AEAD cipher suites such as AES-GCM and the ability to negotiate the hash and signature algorithms used in the handshake. It is widely supported and considered secure when configured with modern cipher suites, although the newer TLS 1.3 is preferred.
  4. TLS 1.3: Released in 2018 (RFC 8446), TLS 1.3 is a major update to the protocol. It offers enhanced security and performance, including a faster handshake (one round trip), encryption of most of the handshake itself, and the removal of outdated cryptographic features such as RSA key exchange, static Diffie-Hellman and non-AEAD ciphers. TLS 1.3 is the recommended version for securing HTTPS communications.
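The practical consequence of this history is a single configuration rule: set a minimum version of TLS 1.2 and let 1.3 be negotiated when both sides support it. The following Go program is an added example for this article (not code from the original post) that shows the rule being enforced. It runs a TLS handshake between a server and a client entirely in memory over net.Pipe, with a throw-away self-signed certificate for the assumed host name example.test, and reports which version the two sides agreed on. A modern client gets TLS 1.3, a TLS 1.2-only client gets TLS 1.2, and a legacy client that can only offer TLS 1.0 is refused by the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throw-away certificate for the assumed host name
// example.test so the handshake can run offline. Real servers present
// certificates issued by a CA the client already trusts.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Negotiate runs one TLS handshake over an in-memory pipe between a server
// that accepts nothing below serverMin and a client offering versions
// clientMin..clientMax. It returns the negotiated version, or 0 and the
// handshake error when the two sides cannot agree.
func Negotiate(serverMin, clientMin, clientMax uint16) (uint16, error) {
	cert, pool := selfSigned()
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(10 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	done := make(chan error, 1)
	go func() {
		srv := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             serverMin,
			SessionTicketsDisabled: true, // no post-handshake writes on the unbuffered pipe
		})
		err := srv.Handshake()
		srvConn.Close()
		done <- err
	}()

	cli := tls.Client(cliConn, &tls.Config{
		RootCAs:    pool, // trust only our demo certificate, never InsecureSkipVerify
		ServerName: "example.test",
		MinVersion: clientMin,
		MaxVersion: clientMax,
	})
	err := cli.Handshake()
	version := cli.ConnectionState().Version
	cliConn.Close()
	<-done
	if err != nil {
		return 0, err
	}
	return version, nil
}

func main() {
	names := map[uint16]string{0: "refused", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	cases := []struct {
		name                   string
		srvMin, cliMin, cliMax uint16
	}{
		{"modern client", tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13},
		{"TLS 1.2-only client", tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12},
		{"legacy TLS 1.0 client", tls.VersionTLS12, tls.VersionTLS10, tls.VersionTLS10},
	}
	for _, c := range cases {
		v, err := Negotiate(c.srvMin, c.cliMin, c.cliMax)
		fmt.Printf("%-22s -> %s (err=%v)\n", c.name, names[v], err)
	}
}
```

The same check against a real site is what the "supported_versions" extension in the Wireshark Client Hello and the version shown in the Server Hello tell you; the client advertises the versions it will accept, and the server picks the highest one it allows.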


How do we check if the website we are visiting is secured or not?

As of writing this article, I was checking whether the LinkedIn site is secure or not in the Google Chrome browser, as per the screenshot given below.

[Screenshot] HTTPS Connection with

Let's take a look at the certificate of the LinkedIn website as shown in the screenshot below.

[Screenshot] Google Chrome's Certificate Viewer

Wireshark information of the TLS 1.3 session with the LinkedIn website:

[Screenshot] TLS Client Hello with LinkedIn website
[Screenshot] TLS 1.3 Client Hello packet, showing the SNI, supported versions, ALPN, cipher suites etc.
[Screenshot] Wireshark capture showing the entire TCP stream with TLS 1.3

Conclusion of Part 1

I hope you have enjoyed the article so far, especially in the context of securing HTTP communication. In our next article, we will delve into the SSL/TLS infrastructure and discuss these protocols in depth.

Until then, stay safe, stay healthy, stay happy, and enjoy your learning journey. Thank you, everyone.

If you like the content, please subscribe to my LinkedIn newsletters below and share them.


References

  1. https://en.wikipedia.org/wiki/Symmetric-key_algorithm
  2. https://en.wikipedia.org/wiki/Public-key_cryptography
  3. https://en.wikipedia.org/wiki/Digital_signature
  4. https://en.wikipedia.org/wiki/HTTPS

