Security Primer Part 1

SSL TLS PKI Primer Part 1

The first browser

In 1995 Netscape Corporation started developing the first browser - Netscape. It would later become Firefox.

They clearly understood that if browsing the internet is not secured, you (and they) are going to be in big trouble. Just think of it: people would steal your credit card and your details, make orders in your name, and read your personal mail.

So a security solution was required. They hired a great guy (a PhD), and he figured out he should create a new security protocol, namely SSL!

The rebirth of security

So this guy came up with the SSL protocol, because they figured out nobody was going to trust this browser unless it was really secure.

This doctor created the framework and protocol for the security of this browser. This was actually the birth and development of the excellent security protocol - SSL.

Privacy, Integrity, it’s all there!

Security means many things: privacy, for example, by which you mean encryption, and integrity - it's hard but it's not impossible. SSL also provides integrity by using hash functions to sign your stuff.

SSL handles privacy for you, so no one can know what you send back and forth to websites. This is, however, only one aspect of security: what if someone wants to manipulate the packets you send? In addition, SSL works in extremely hostile environments, where someone tries to take control, pretend he is you, and make the SSL handshake as if he were you.

It’s not just Netscape it’s the whole world!

So they saw that this security thingy they were up to (SSL) was so mind-blowing and all-encompassing that they decided: hey, this is not our responsibility, this should be the whole world's responsibility. So they did what every sane developer like you and me would do: they moved it to the IETF to handle ;).

Now what is the IETF, you ask? Let me tell you: these are the same guys that handle TCP, the same guys that handle IP, the same guys that handle PGP. So it makes a lot of sense that they would handle SSL as well, doesn't it?!

SSL → TLS

One of the first things this group did was rename the protocol. This was an *awful* decision: they renamed it to TLS to make sure you see it's about security for transport, yet the term SSL is still in use, OpenSSL for example.

So some people say SSL and some say TLS, but in most cases they mean the same thing. Sure, some might say SSL and mean the old SSL prior to TLS, but in most cases the two are used interchangeably.

Note that practically nobody uses the latest (old) SSL version, only the newer, actual TLS, and you should not be using any prior versions due to security risks.

Symmetric - aka secret codes

Symmetric encryption has been here for years; it was just called secret codes. You don't use the old secret codes because they are weak; today you use much stronger and longer secret codes. Modern symmetric security is pretty strong; the only problem is: how do you exchange those secret codes via the internet?

How to share secret codes via internet?

So now the question is: how do you share secret codes via the internet, without meeting people in person? For that we have the Diffie-Hellman key exchange. It's actually pretty straightforward: we pick two numbers, each of us raises one of them to the power of an arbitrarily chosen number, and then takes the result mod the other. Both of you end up with the same number - the same symmetric key. I tell you the result, but I don't tell you which number I chose as the power, so we share some other numbers and not the numbers we use as symmetric encryption keys. And only you and I can deduce these symmetric keys. For more information see: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Browser and keys

When your browser connects to the internet it tells the server: hey, I know how to do Diffie-Hellman key exchange, I know how to do DSA symmetric encryption. Basically, your browser tells the server its set of known security capabilities, and they then choose which security protocol to use.

PKI (the problem with Diffie-Hellman)

Public Key Infrastructure

I can think I am doing the key exchange with you, and you can think you are doing the key exchange with me, while there is someone in the middle doing a key exchange with both of us; he can eavesdrop and know exactly what we send each other.

This is what we actually use when we use HTTPS: you combine both TLS and PKI in order to have HTTPS. The problem with the previous Diffie-Hellman is: how do you trust that the person who gave you the number is actually who he claims to be? The way to trust him is to move the trust problem one layer up, to certificate owners who are hardwired into your browser; they point to certificate owners whom they trust, and so you should trust them as well.

So with the certificate authority, I don't only send you some data, I also sign it with the public key, and I have a certificate from the certificate authority saying that this is my public key, so you can trust I am who I say I am.

And this, my friends, is the basis of HTTPS.
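The Diffie-Hellman exchange and the someone-in-the-middle problem described above, as an added example that is not part of the original post: both sides derive the same key from public values alone, and without authentication each side ends up sharing a key with the middle party instead of with each other. The modulus `P`, base `G` and all function names are assumptions chosen for illustration, and the parameters are toy-sized.

```python
import hashlib
import secrets

# Toy parameters (assumption, not from the post): 2**127 - 1 is prime but
# far too small for real use; TLS uses standardized 2048-bit+ groups or curves.
P = 2**127 - 1
G = 3

def keypair(p=P, g=G, private=None):
    """Return (private, public), where public = g^private mod p."""
    if private is None:
        private = secrets.randbelow(p - 3) + 2  # random value in [2, p-2]
    return private, pow(g, private, p)

def shared_secret(their_public, my_private, p=P):
    """(g^a)^b mod p == (g^b)^a mod p, so both sides get the same number."""
    return pow(their_public, my_private, p)

def session_key(secret):
    """Hash the shared number into a 256-bit symmetric key."""
    return hashlib.sha256(str(secret).encode()).digest()

def honest_exchange():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Only a_pub and b_pub cross the network; the private values never do.
    return (session_key(shared_secret(b_pub, a_priv)),
            session_key(shared_secret(a_pub, b_priv)))

def intercepted_exchange():
    """Unauthenticated exchange where a middle party swaps in its own public value."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    k_alice = session_key(shared_secret(m_pub, a_priv))  # Alice received m_pub
    k_bob = session_key(shared_secret(m_pub, b_priv))    # Bob received m_pub
    k_mid_alice = session_key(shared_secret(a_pub, m_priv))
    k_mid_bob = session_key(shared_secret(b_pub, m_priv))
    return k_alice, k_bob, k_mid_alice, k_mid_bob

if __name__ == "__main__":
    k_a, k_b = honest_exchange()
    print("honest: keys match:", k_a == k_b)
    k_a, k_b, m_a, m_b = intercepted_exchange()
    print("intercepted: Alice and Bob share a key:", k_a == k_b)
    print("intercepted: middle party holds both keys:", k_a == m_a and k_b == m_b)
```

Neither Alice nor Bob can tell the two cases apart from the numbers alone, which is why the public value has to arrive with a certificate the browser can check.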


See you next time in part 2.
