HTTPS, SSL, TLS, VPNs — a cursory glance at cybersecurity protocols.

Yamini Kumawat
Aug 8, 2017 · 3 min read
https://en.wikipedia.org/wiki/HTTPS#/media/File:Internet2.jpg

We’ve talked about different types of protocols for a web request — the most common one being an HTTP (Hypertext Transfer Protocol) request.

First introduced in 1994, HTTPS is another commonly used form of the HTTP protocol.

HTTP helps transfer binary data in a multidirectional manner. With SSL and later TLS (Transport Layer Security), the secure connection and its encryption are set up before any data is transferred. TLS is the protocol actually in use today, but it is still colloquially referred to as SSL.

HTTPS uses SSL (Secure Sockets Layer) over the web request interaction between your browser and the server hosting the website data. HTTP operates at the application layer, and the conversation between the browser and server is encrypted when sent and decrypted upon receipt until the interaction is completed.

“It provides for [the web request and response interaction] in encrypted form to provide security for sensitive data. You’ve probably seen this on webpages where the url begins with HTTPS, rather than simple HTTP.”

(godaddy)

An SSL certificate must be obtained by a website in order to properly secure a connection between the website and the browser. An SSL certificate “is installed on a web server and serves two functions:

  • It authenticates the identity of the website (this guarantees visitors that they’re not on a bogus site)
  • It encrypts the data that’s being transmitted”.
(Verisign)

Information is encrypted into an unreadable format and is only decrypted upon receipt, which is done via a decryption key.

Secure Sockets Layer is utilized by various online businesses to ensure that a client’s sensitive information is not accessed or tampered with by hackers or identity thieves. It allows for a private conversation between the two parties.

When we were working on the rack labs and creating locally hosted webpages, the default port was 9292, and when using shotgun, the default port was 9393. The default port for HTTPS is 443 and for HTTP is 80.

Because HTTP is not encrypted, any middleman can intercept the conversation taking place. Hackers can more easily manipulate key components of a webpage and cause damage to the page as well as to potential users of the website. HTTPS addresses this common security concern via SSL and can additionally ensure that the “future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past”.

SSL v3.0 vulnerability

TLS (Transport Layer Security) is a protocol similar to SSL. SSL v3.0 is the predecessor to TLS v1.0. SSL v3.0 had a major security vulnerability which ultimately led to its demise. It was discovered in September 2014 by a team at Google and dubbed “POODLE”.

In fact, prior to the discovery of this vulnerability, the U.S. government “had already mandated that SSL v3 not be used for sensitive government communications or for HIPAA-compliant communications”.

(More about CBC and POODLE in my next post!)

Link to POODLE attack paper by Google Security Advisory team: https://www.openssl.org/~bodo/ssl-poodle.pdf
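The two points made above, that a certificate authenticates the website and that SSL v3.0 has been retired, can both be checked on the client side before any connection is made. The following is an added example, not code from the original post: it uses Python's standard `ssl` module, and the function names and the TLS 1.2 floor are assumptions chosen for illustration.

```python
import ssl
import warnings


def audit_client_context(ctx):
    """Return a list of findings for a client-side SSLContext (empty = OK)."""
    findings = []
    # Certificate check: without it the server's identity is never authenticated.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified")
    # Hostname check: the certificate must be issued for the site requested.
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    # Protocol floor (assumed policy: TLS 1.2). MINIMUM_SUPPORTED is a negative
    # sentinel, so it also compares below TLSv1_2 and is reported.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    # SSL v3.0, the version affected by POODLE, must stay switched off.
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSL v3.0 not disabled")
    return findings


def weak_context():
    """Constructed 'before' configuration: trusts any certificate, old TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Newer Python versions warn when an old protocol floor is selected.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_context():
    """Corrected configuration: verified certificate, hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or "no findings")
```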

VPN

In contrast to HTTPS (which is implemented by the website), a VPN (Virtual Private Network) is server software that allows any data being transmitted to be encrypted — regardless of whether the website being accessed has an SSL layer on top of its HTTP protocol.

Resources

https://en.wikipedia.org/wiki/HTTPS

https://www.verisign.com/en_US/website-presence/website-optimization/ssl-certificates/index.xhtml

https://www.godaddy.com/help/what-is-an-ssl-certificate-542

https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
