A Note on SSL Certificate


This is a note about the LinkedIn Learning course SSL Certificates for Web Developers.

Certificate and protocol

What do SSL and TLS stand for?

They stand for Secure Sockets Layer and Transport Layer Security. They are the protocol names.

What is HTTPS, and why are we using it?

HTTPS (HTTP Secure) is a protocol on top of HTTP that secures the integrity of the data sent from the user to the server.

What is a certificate, and what is it for?

A certificate[1] (.crt, .cer) certifies the ownership of a public key. A certificate contains:

  • organization,
  • issuer (e.g. the Certificate Authority / Self-signed),
  • valid period,
  • url,
  • state / country

This information can be used to identify the certificate owner.

The public key is used to encrypt/decrypt the communication between computers.


Cryptography

Asymmetric VS. Symmetric

Asymmetric cryptography requires a pair of keys. The public key is used to encrypt messages while the private key is for decryption.

In symmetric cryptography, both ends use the same password to encrypt + decrypt messages.

Why are we using both technologies? And how?

In short: to balance security and speed, we use asymmetric cryptography to establish the secure connection (the handshake) and symmetric cryptography for the data transmission.

The Handshake

The end user and the server use the same password to encrypt + decrypt the messages. This password is sent from a server to a user by the following steps:

  • Validate the certificate…
    1. User makes a request to a web server.
    2. Web server responds with its public key certificate.
    3. User checks if the public key certificate is valid.
  • If the certificate from web server is valid…
    1. User encrypts the password using the server’s public key, and sends it to the web server.
    2. Server decrypts with its private key.

After that, a secure connection is established and they share the same password[2].


Types of certificate

Self-signed

  • Intra-communications between systems under same organization.
  • Local development

CA

  • Subdomain: tied to 1 domain (e.g. www.mydoma.in)
  • Wildcard: tied to a group of subdomains (e.g. *.mydoma.in)
  • Multi-domain: (e.g. mydoma.in, myweb.site, …)

ACME (Automatic Certificate Management Environment)

To configure Let’s Encrypt’s ACME on a server, we can make use of Certbot. For IIS, use Certify.


HSTS

HSTS instructs the browser to interact with the server over HTTPS only. Redirect from HTTP to HTTPS is not required. This is achieved by adding a response header (Strict-Transport-Security).

Example response header:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

What is HSTS protecting us from?

The Man-in-the-Middle TLS Protocol Downgrade Attack.[3] In this example, the hacker C sends an ARP cache table request to both the client A and the server B:

[Figure: Manipulating Device ARP Cache Tables]

Now the traffic from A to B is going through C, a typical Man-in-the-Middle attack.

The next step is for C to try to downgrade the TLS version. Since browsers are backward-compatible with older TLS versions, C can cause the version negotiated in the handshake process to be downgraded. C can then intercept and decrypt the messages by making use of the security vulnerabilities of earlier TLS.

HSTS Preloading

Avoid redirection of the first request too: https://hstspreload.org/


  [1] The certificate does not depend on the protocol we use.

  [2] The password is just for the same browsing session.

  [3] I am not an expert in this area and I tried my best to digest that article and this wiki to write the summary.