Below content contains
1) What is HTTPs
2) Server Authentication
3) Important check list to follow for having secure website with good performance.
(web site links to check your server security online. Moazilla standards for configuring TLS on server)
4) Reasons for insecure communications over https.
Even static data should be encrypted. That's the best way to keep website secure.
In reality all the below 3 give secure website.
1)Authentication
2)Data Integrity (Data doesn't change between client and server)
3) Encryption (can any one see my conversation)
All the above 3 are taken care by Transport Layer Security(TLS)
HTTPS ==> HTTP running on top of TLS
HTTP (http running on top of TLS)
TLS
TCP
IP
Do we need to encrypt of all of the web data ?
My answer would be yes.
why we need to ?
For example casual surfing at restaurants with out https can give information to
hackers that what sites being visited if it is financ.yahoo.com. what shares
you are interested etc.
Hackers can change text, password etc if client doesn't connects to right Server. That's the reason we need Server Authentication.
1) If client wants to connect to the right server. Client has to connect over
https. Over https browser downloads server signed certificate(public key) this gives guarantee that client is connected
to right server.
Advantage of TLS
1) Passive and Active attackers cant listen in because we are encrypting the data.
2) Attacker cant tamper as data is check suming.
3) attackers cant impersonate.
Configuring TLS
1) Arent Certificate expensive
2) wont it make server and site slow ?
3) what are the configuration best practices
Important check list need to follow in the order
1) Get a 2048-bit TLS Certificate
2) Configure TLS on your servers.
3) Verify TLS server configuration
4) Monitor performance: resumption rate etc.
5) Tune Server configuration. Cache etc.
6) Investigate SPDY & HTTP2.0
1)Get a 2048-bit TLS Certificate
If there is any 1024-bit certificate on server better to migrate to 2048-bit.
Certificates are below types.
a) Free certificates ( which are for non commerfical use from StartSSL)
b) Single host ( google.com)
c) Multi-domain (google.co.in, google.co.us, google.co.uk)
d) Wildcard (*.mysite.com)
2) Configure TLS on your servers
More about Server Side TLS configuration in the blow link
https://wiki.mozilla.org/Security/Server_Side_TLS
3) Verify TLS server configuration
How to verify TLS Server configuration (Qualys provides online to test Server, browser etc)
https://www.ssllabs.com/ssltest/
It gives score and useful tips. Before you access any website you can check that site security aspects using this tool.
4) Monitor performance: resumption rate etc
Usually cryptography stuff consumes more CPU. Modern CPUs are designed to handle huge data traffic over TLS
Assymetric cryptography - verify the public certificate and do public crypto (This one is expensive)
Symetric Cryptography - how we encrypt the application data
5) Tune Server configuration
Using HTTP Keep alive and session resumption doesn't require full handshake. So handshake doesn't dominate CPU Usage.
.
6) Google developed a protocal SPDY which gives better page load performance over regular https connections.
SPDY1&2 not only improves client performance also does on Server. SPDY allows single connection to server instead of many
connections to server. Single connection means few handshakes, fewers sockets, few buffers to allocate. SPDY consumes less memory but
more CPU and also fewer worker threads.
Few more reasons for insecure communication.
Few reasons for broken cert between client and server. Developer points
1) Incorrect host name return by server in the cert.
2) Incomplete Certificate Chain
3) Expired Certificates.
Insecure references
Some secure websites having javascript/css code like below.
<script src="http://aaa.com/script.js"></script>
Some browsers wont allow(http:) type of communication. This script is blocked will not
execute. If browser allows also it is secruity leak.
Use Protocol relative URI's. Protocol relative uri's will be
<script src="//aaa.com/script.js"></script>
Even secure website can have insecure hrefs
<a href="http://abc.com"/>
use Protocol relative urls
<a href="//abc.com"/>
Insecure re directions are expensive
1) https -->redirect to --> http --> again redirect to https
HSTS (HTTP strict transport security) eliminates HTTP--> HTTPs redirects (costly operations)
Server can return with this header when returns a page.
Strict-Transport-Security: max-age=20491234; includeSubDomains
max-age in seconds. Remember this policy(HSTS) for this many seconds.
includeSubDomains is optional. says remember this policy for all the sub domains.
1) What is HTTPs
2) Server Authentication
3) Important check list to follow for having secure website with good performance.
(web site links to check your server security online. Moazilla standards for configuring TLS on server)
4) Reasons for insecure communications over https.
Even static data should be encrypted. That's the best way to keep website secure.
In reality all the below 3 give secure website.
1)Authentication
2)Data Integrity (Data doesn't change between client and server)
3) Encryption (can any one see my conversation)
All the above 3 are taken care by Transport Layer Security(TLS)
HTTPS ==> HTTP running on top of TLS
HTTP (http running on top of TLS)
TLS
TCP
IP
Do we need to encrypt of all of the web data ?
My answer would be yes.
why we need to ?
For example casual surfing at restaurants with out https can give information to
hackers that what sites being visited if it is financ.yahoo.com. what shares
you are interested etc.
Hackers can change text, password etc if client doesn't connects to right Server. That's the reason we need Server Authentication.
1) If client wants to connect to the right server. Client has to connect over
https. Over https browser downloads server signed certificate(public key) this gives guarantee that client is connected
to right server.
Advantage of TLS
1) Passive and Active attackers cant listen in because we are encrypting the data.
2) Attacker cant tamper as data is check suming.
3) attackers cant impersonate.
Configuring TLS
1) Arent Certificate expensive
2) wont it make server and site slow ?
3) what are the configuration best practices
Important check list need to follow in the order
1) Get a 2048-bit TLS Certificate
2) Configure TLS on your servers.
3) Verify TLS server configuration
4) Monitor performance: resumption rate etc.
5) Tune Server configuration. Cache etc.
6) Investigate SPDY & HTTP2.0
1)Get a 2048-bit TLS Certificate
If there is any 1024-bit certificate on server better to migrate to 2048-bit.
Certificates are below types.
a) Free certificates ( which are for non commerfical use from StartSSL)
b) Single host ( google.com)
c) Multi-domain (google.co.in, google.co.us, google.co.uk)
d) Wildcard (*.mysite.com)
2) Configure TLS on your servers
More about Server Side TLS configuration in the blow link
https://wiki.mozilla.org/Security/Server_Side_TLS
3) Verify TLS server configuration
How to verify TLS Server configuration (Qualys provides online to test Server, browser etc)
https://www.ssllabs.com/ssltest/
It gives score and useful tips. Before you access any website you can check that site security aspects using this tool.
4) Monitor performance: resumption rate etc
Usually cryptography stuff consumes more CPU. Modern CPUs are designed to handle huge data traffic over TLS
Assymetric cryptography - verify the public certificate and do public crypto (This one is expensive)
Symetric Cryptography - how we encrypt the application data
5) Tune Server configuration
Using HTTP Keep alive and session resumption doesn't require full handshake. So handshake doesn't dominate CPU Usage.
.
6) Google developed a protocal SPDY which gives better page load performance over regular https connections.
SPDY1&2 not only improves client performance also does on Server. SPDY allows single connection to server instead of many
connections to server. Single connection means few handshakes, fewers sockets, few buffers to allocate. SPDY consumes less memory but
more CPU and also fewer worker threads.
Few more reasons for insecure communication.
Few reasons for broken cert between client and server. Developer points
1) Incorrect host name return by server in the cert.
2) Incomplete Certificate Chain
3) Expired Certificates.
Insecure references
Some secure websites having javascript/css code like below.
<script src="http://aaa.com/script.js"></script>
Some browsers wont allow(http:) type of communication. This script is blocked will not
execute. If browser allows also it is secruity leak.
Use Protocol relative URI's. Protocol relative uri's will be
<script src="//aaa.com/script.js"></script>
Even secure website can have insecure hrefs
<a href="http://abc.com"/>
use Protocol relative urls
<a href="//abc.com"/>
Insecure re directions are expensive
1) https -->redirect to --> http --> again redirect to https
HSTS (HTTP strict transport security) eliminates HTTP--> HTTPs redirects (costly operations)
Server can return with this header when returns a page.
Strict-Transport-Security: max-age=20491234; includeSubDomains
max-age in seconds. Remember this policy(HSTS) for this many seconds.
includeSubDomains is optional. says remember this policy for all the sub domains.