Why You Should Secure by Default

There are many different types of connections and protocols for establishing them. The most common one on the web is HTTP, the Hypertext Transfer Protocol, and its secure variant HTTPS, where the added S stands for Secure. These protocols allow users and websites to transfer data. HTTP and HTTPS share a set of attributes, and those shared attributes are what set HTTP/S apart from other protocols.

Attributes of HTTP/S

HTTP/S connections are stateless, meaning the server does not keep track of session data associated with a client from one connection to the next. Each time a user clicks a link, it is as if the web client and web server are meeting each other for the first time.

Request-Response Cycle

All HTTP/S connections function using a request-response cycle. For every request a web client sends, the web server sends a corresponding response. Each message includes a start line (the request line on the way out, the status line on the way back), headers, and a body. The information in each of these three components depends on the request method. There are many methods to choose from, depending on the purpose of the client-server relationship.
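The three-part message structure described above, as an added example (not code from the original post): a small builder for an HTTP/1.1 request and a parser that splits a response into its status line, headers and body. The sample response is constructed, not captured from a real server, and the parser refuses a body that is shorter than the declared Content-Length so that a truncated transfer is never mistaken for a complete one.

```python
"""Build an HTTP/1.1 request and parse an HTTP/1.1 response into its
three parts: start line, headers and body.

Added example; the sample response below is constructed, not captured
from any real server.
"""
from typing import Dict, Tuple

CRLF = b"\r\n"

# Constructed sample response (the 13-byte body matches Content-Length).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 13\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Hello, world!"
)


def build_request(method: str, path: str, host: str, body: bytes = b"") -> bytes:
    """Serialise a request: request line, headers, blank line, body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    head = CRLF.join(line.encode("ascii") for line in lines)
    return head + CRLF + CRLF + body


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str], bytes]:
    """Split a response into (status code, reason phrase, headers, body).

    Header names are lower-cased because they are case-insensitive.
    Raises ValueError if the message is incomplete or the body is shorter
    than the declared Content-Length, so a truncated download is not
    silently accepted as a valid message.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    status_line, *header_lines = head.split(CRLF)
    parts = status_line.decode("ascii").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.decode("ascii").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if len(body) < declared:
            raise ValueError(f"truncated body: got {len(body)} of {declared} bytes")
        body = body[:declared]
    return code, reason, headers, body


if __name__ == "__main__":
    print(build_request("GET", "/index.html", "example.com").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Over plain HTTP these bytes travel exactly as shown, which is why anyone on the path can read or rewrite both the request and the response; HTTPS wraps the same messages inside a TLS session.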

Request-Response Cycle – made by Kenneth Carnes

The Advantage of HTTPS

The difference between HTTP and HTTPS is security. HTTPS uses the TLS handshake to offer authentication, encryption, and integrity. What many users do not realize is how easily hackers can eavesdrop on, forge messages over, and steal data from a connection that is not secure. Hacking tools are free and easy to use, and many hackers can start attacking plain HTTP with hardly any resources. Some of the biggest data breaches occur because of the simplest mistakes. It really is just a matter of being targeted.

HTTP vs. HTTPS – made by Kenneth Carnes

Authentication is the process of verifying an identity. Airport security authenticates passengers by checking passports before they enter the terminals. HTTPS provides authentication by way of digital certificates. The domain owner of a website can purchase a certificate from a trusted third party called a Certificate Authority. When an applicant tries to purchase a digital certificate, the CA must check the legitimacy of the applicant.


The requirements for checking legitimacy can be extensive and are established by the CA/B, an organization of Certificate Authority and Browser representatives. Their main goal is to prevent phishing and fraud attacks that use digital certificates.
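Certificate checking only protects a user if the client actually performs it. As an added example (not code from the original post, using only Python's standard ssl module), here is the insecure shortcut that many programs reach for when a certificate error appears, beside the secure-by-default configuration that verifies the chain and the hostname. No network access is needed to build and inspect the two contexts.

```python
"""Client-side TLS configuration: the insecure shortcut beside the
secure default.

Added example using only Python's standard ssl module; the contexts are
built and inspected locally, no connection is made.
"""
import ssl
from typing import Dict


def insecure_context() -> ssl.SSLContext:
    """The shortcut people reach for when a certificate error appears.

    With verification off, the client accepts any certificate, so anyone
    between client and server can present their own and read the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Secure by default: verify the chain against the system trust store,
    check the hostname against the certificate, and refuse old TLS."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings that decide whether authentication happens."""
    return {
        "verifies_peer_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, describe(ctx))
```

Either context can be handed to `http.client.HTTPSConnection(host, context=ctx)`; the difference is that with `secure_context()` a certificate that is expired, self-signed or issued for a different name makes the handshake fail instead of silently succeeding.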


HTTPS also provides data encryption. There are many ways of encrypting data in the digital world. Encrypting data for HTTPS is the process of converting human-readable data to cipher text while it is traveling to the recipient. Cipher text is not human-readable. Not if but when a hacker intercepts data, it takes exponentially more effort to decrypt it.

Lastly, HTTPS provides data integrity. When a client downloads data from a website, the website provides a message digest: a string of characters generated with a hashing algorithm and mathematically related to the data the client wants to download. When the client finishes downloading the data, it can generate its own message digest with the same hashing algorithm. If the two digests match, the data was not altered while in transit.
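The digest check just described, as an added example (not code from the original post). The data, the tampered copy and the key are constructed. It goes one step beyond the paragraph: an unkeyed digest catches accidental corruption, but whoever can alter the data in transit can recompute the digest too, which is why TLS pairs integrity with a secret shared by the two endpoints; the keyed HMAC at the end shows that difference.

```python
"""Integrity checks: an unkeyed message digest versus a keyed MAC.

Added example; the data, the tampered copy and the key are constructed.
The digest part matches the page's description; the HMAC part goes beyond
it to show why TLS uses keyed integrity.
"""
import hashlib
import hmac
from typing import Dict

# Constructed sample: a small download, a tampered copy and a shared key.
ORIGINAL = b"amount=10.00&to=alice"
TAMPERED = b"amount=10.00&to=mallory"
KEY = b"constructed-shared-secret-key"


def message_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest, the 'string of characters' a site publishes."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking where the strings differ through timing
    return hmac.compare_digest(message_digest(data), expected_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of KEY can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), expected_hex)


def demo() -> Dict[str, bool]:
    """Run the four cases a defender cares about and return the verdicts."""
    published = message_digest(ORIGINAL)   # digest the site hands out
    tag = mac_tag(KEY, ORIGINAL)           # tag computed under the shared key
    return {
        # 1. Honest transfer: both checks pass.
        "intact_digest_ok": verify_digest(ORIGINAL, published),
        "intact_tag_ok": verify_tag(KEY, ORIGINAL, tag),
        # 2. Data altered in transit, published digest untouched: detected.
        "tampered_digest_ok": verify_digest(TAMPERED, published),
        # 3. Data altered AND digest recomputed by the same party: NOT detected.
        "tampered_recomputed_digest_ok": verify_digest(TAMPERED, message_digest(TAMPERED)),
        # 4. Same alteration against the keyed tag: detected, KEY is unknown.
        "tampered_tag_ok": verify_tag(KEY, TAMPERED, tag),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} {verdict}")
```

Case 3 is the one to remember: a digest served over the same insecure channel as the data protects against corruption, not against an active adversary. Inside a TLS session the key is established during the handshake, so the check in case 4 is what the client actually relies on.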


Originally, HTTPS used the SSL handshake. In fact, many in the industry still use the term SSL when talking about TLS. The protocols are very similar. The main reason the name changed was because of a change in ownership.


Conclusion

Not every website needs to use HTTPS. The need for security depends on whether sensitive data is being transferred. Still, most users are too busy to worry about web security and will often send sensitive info over insecure connections unknowingly. It really is up to website owners to provide security for their users. Having secure connections is also good marketing. “Not secure” just sounds bad, and Google has been known to rank insecure websites lower in search results. All of this makes HTTPS a no-brainer.
