
How I learned to understand HTTPS


HTTPS explained the easy way, for a non-technical audience.

Giuseppe Mazzapica

September 27, 2018


Transcript

  1. WP Meetup Catania, 27 September 2018. Giuseppe Mazzapica, WordPress Engineer at Inpsyde; Open Source Lover & Maintainer; WordPress Stack Exchange Moderator; WordCamp Speaker. @gmazzap, gmazzap.me
  2. Servers are computers. The Internet is not made of clouds; it is made of servers. Computers «talk» to each other in many different ways.
  3. The various «languages» that computers use are called «protocols». Computers use different protocols for different purposes. The protocol used to exchange web page data is HTTP: HyperText Transfer Protocol.
    GET /awesome-cat.png
    Host: emergencykittens.tumblr.com

    200 OK
    Content-Length: 120321
    Content-Type: image/png
    [binary PNG data, unreadable as text]
  4. Communication among computers is not that different from phone calls among humans: there is always the chance that someone (more or less ill-intentioned) is listening...
  5. The oldest way to defend ourselves from eavesdropping is to «speak in code». Much of the modern cryptography used by computers is asymmetric: the encryption key and the decryption key are two different keys. (In practice TLS uses asymmetric cryptography to authenticate the server and agree on a secret, and then a much faster symmetric cipher, with that shared secret, for the actual data.)
  6. Asymmetric cryptography. The key «pair», a private key and a public key, is generated by the recipient. The sender knows only the public key and uses it for encryption: Original Data, then Encrypted Data, then Decrypted Data (the same as the original). Only whoever holds the private key can decrypt.
  7. With asymmetric cryptography, whoever sends the message has to know the recipient's public key. When a browser talks to a web server over HTTPS, the server's public key is made known through a certificate. The cryptographic protocol used to encrypt HTTP communication is TLS, the successor of SSL, and the certificates that bind a domain name to a public key, enabling encrypted communication, are still commonly called «SSL certificates».
  8. How I learned to understand... When HTTP communication is encrypted, thanks to an SSL certificate, we talk about HTTPS: basically a more «secure» variant of HTTP thanks to TLS encryption.
  9. When we connect to a server that has an SSL certificate (even the most «basic» one), communication changes from HTTP to HTTPS and the browser shows a «padlock» next to the address. With HTTPS we can be sure that: the website we are seeing really is the one named in the address bar (more precisely, the server proved it holds the private key of a certificate issued for that domain by an authority the browser trusts); and all data sent and received is encrypted and integrity-protected, so it can't be eavesdropped on or tampered with in transit. Note that this says nothing about what the site does with our data once it arrives.
  10. Until a few years ago SSL certificates were only available for a fee, so only those who handled sensitive data (passwords, credit cards...) bothered to get one. In 2018, for the first time, the number of websites using HTTPS exceeded the number of websites using plain HTTP. Today a «basic» SSL certificate (DV) can be obtained for free thanks to the non-profit certificate authority Let's Encrypt.
  11. Considering that an SSL certificate is today completely free and easy to obtain, every website should have one. Google Chrome, the most popular browser in the world, has since 2017 shown a «Not secure» warning for websites not using HTTPS.
  12. A «basic» certificate (DV), besides allowing encrypted data exchange, guarantees the authenticity of the domain; in fact «DV» stands for «Domain Validation»: the authority only checked that whoever requested the certificate controls that domain. It is true that a missing certificate means missing security, but the presence of a DV certificate does not mean «full» security. Basically, a DV SSL certificate guarantees the security of the connection, but guarantees nothing about who the certificate holder is.
  13. There are «advanced» SSL certificates that not only guarantee the security of the connection (no more than a DV certificate does) but also vouch for the identity of the certificate owner. These are the OV (Organization Validation) and EV (Extended Validation) certificates. They are not free (quite expensive, actually), and the procedure for obtaining them takes time. At the time of this talk browsers showed the organization name next to the padlock for EV certificates; Chrome and Firefox dropped that indicator in 2019, so today the difference is only visible by opening the certificate details.