Skip to main content

Security Primer Part 1

SSL TLS PKI Primer Part 1

The first browser

In 1995 Netscape corporation has started developing the first browser - Netscape. It would later become Firefox.

They clearly understood that when you browse the internet, then, if the browsing is not secured you (and them) are going to be in big trouble, just think of it, people would steal your credit card, your details make orders on your name, read your personal mail.

So a security solution is required, they hired a great guy (PhD) and he figured out he should create a new security protocol, namely the SSL!.

The rebirth of security

So this guy has come with the SSL protocol, this was, because they figured out nobody is going to trust this browser unless it's really secured.

This doctor created the framework and protocol for the security of this browser, this was actually the birth and development of the excellent security protocol - the SSL.

Privacy, Integrity, it’s all there!

Security means many things. Privacy for example, by privacy, you mean encryption and integrity - it's hard but it's not impossible. SSL also provides integrity by using hash functions to sign your stuff.

SSL handles for you, privacy, so no one can know what you send back and forth to websites. This is however only one expect of security, what if someone wants to manipulate the packets you send? In addition SSL works in extremely hostile environments where someone tries to take control and pretend he is you and make the SSL handshake as if he is you.

It’s not just Netscape it’s the whole world!

So they saw that this security thingy that they are up to (SSL) is so much mind-blowing and all encompassing that they decided, hey this is not our responsibility I mean, this should be the whole world responsibility, so they would do what every sane developer like you and me would do, they moved it to the IETF to handle this ;).

Now what is the IETF you ask? Let me tell you this, these are the same guys that handle, TCP, the same guys that handle IP, the same guys that handle PGP. So it makes lot of sense they would be handling also SSL ain't it so?!


One of the first thing this group has done was renaming the protocol name, this was an *awful* decision, they rename it to TLS to make sure you see it’s about security for transport, however the term SSL is still being used, OpenSSL for example.

So some people say SSL some say TLS but all actually mean in most cases the same, yeah sure some might say SSL and mean the old SSL prior to TLS but in most cases both are used interchangeably.

Note that nobody is practically using the latest (old) SSL version but only the newer actual TLS and you should not be using any prior versions due to security risks.

Symmetric - aka secret codes

Symmetric encryption has been here for years, they were just called secret codes, you don’t use the old secret codes because they are weak, today you use much stronger and longer secret codes because they are stronger. But modern symmetric security is pretty strong, the only problem is - how do you exchange those secret codes - via the internet

How to share secret codes via internet?

So now the question is, how do you share secret codes via the internet? Without meeting in person with people? For that we have Diffie-Hellman key exchange. It’s actually pretty straight forward and involves picking two numbers, raising an arbitrary chosen number by power and then doing mod those original numbers. And both of you guys get the same number - the same symmetric key. I tell you the result I don’t tell you what number I have chosen to raise by power of one of the numbers we have chosen and thus we share some other numbers and not the numbers we use for symmetric encryption keys. And only me and you can deduce these symmetric keys. For more information see:

Browser and keys

When your browser connects to the internet it tells the server, hey I know how to do Diffie Hellman key exchange, I know how to do DSA symmetric encryption, basically, your browser, tells the server his set of known security cpaabilities, and they choose then which security protocol to use.

PKI (the problem with DIFFIE Hellman)

Public Key Infrastructure

I can think you do the key exchange with me and you can think I do the key exchange with you while there is someone in middle key exchanging for both of us, he can eavesdrop and know exactly what we send each other.

This is what we use when we use actually HTTPS. You combine both TLS and PKI in order to have HTTPS. The problem with the previous Diffie Hellman is that how do you trust that the person who gave you the number is actually who he claims he is? The way to trust him is to move the trust problem one layer beyond into certificate owners who are hardwired to your browser, and they point to certificate owners who they trust, and so you should trust as well.

So with the certificate authority I don’t only send you some data I also sign it with the public key and I have a certificate from the certificate authority that this is my public key so you can trust I am who I say I am.

And this my friends is the basis of https.

See you next time in part 2.


Popular posts from this blog

Dev OnCall Patterns

Introduction Being On-Call is not easy. So does writing software. Being On-Call is not just a magic solution, anyone who has been On-Call can tell you that, it's a stressful, you could be woken up at the middle of the night, and be undress stress, there are way's to mitigate that. White having software developers as On-Calls has its benefits, in order to preserve the benefits you should take special measurements in order to mitigate the stress and lack of sleep missing work-life balance that comes along with it. Many software developers can tell you that even if they were not being contacted the thought of being available 24/7 had its toll on them. But on the contrary a software developer who is an On-Call's gains many insights into troubleshooting, responsibility and deeper understanding of the code that he and his peers wrote. Being an On-Call all has become a natural part of software development. Please note I do not call software development software engineering b

Recursion Trees Primer

Recursion trees. Controlling the fundamentals stands at the cornerstone of controlling a topic.  In our case in order to be a good developer its not enough or even not at all important to control the latest Java/JavaScript/big data technology but what's really important is the basics.  And the basics in computer science are maths, stats, algorithms and computer structure. Steve wosniak the co-founder of apple said the same, what gave him his relative advantage was his deep understanding of programming and computer structure, this is what gave him the ability to create computer's which are less costly than the competitors (not that there were many) and by the way there were 3 founders to apple company one responsible for the technical side, one for the product and sales (Steve Jobs) and the third responsible for the company structure and growth, each of the three extremely important, it was not only the two Steve's but that's a topic for another episode. And with t

Building Secure and Reliable Systems

A recent book was published this year by Google about site reliability and security engineering, I would like to provide you a brief overview of it and incorporate my own analysis and thoughts about this subject while saving you some time from reading, at least part of it. Take a few of your customers and ask them, what are the top 5 features on my product that you like.  The answer that you are likely to get is, I really like how polished the UI is, or the daily report I get by mail is just fantastic, or since I started using your product I was able to save one hour a day my productivity got up and the share /chat button on document that you added recently is doing a great job. Your customers are very unlikely to answer the question of what top 5 features of my product do you like with I really like its security or I really like that we lost no chat messages since I started using it.  No real customer will even think of it, moreover, assuming you did a very good job, they won&#