Monday, October 28, 2013

SSL Unleashed

http://resources.infosecinstitute.com

In this article, I am going to tell you everything about SSL: What it is, why we need it, its technical and non-technical aspects, etc. This article covers the introduction, SSL certificate, encryption, the process of encryption, and how your browser interacts with and trusts that certificate provided by the website you are visiting.

Existence of SSL

There are basically two aspects of SSL: encryption and identification. Encryption is what you do to hide the content of the data sent from one machine to another. It is done by changing the content of the data so that it looks like garbage: still human-readable, but not human-understandable. It is exactly like speaking in a language the other person is not familiar with. I am Indian; if someone speaks to me in Russian, I cannot understand it, so to me Russian is like an encrypted language. However, if I get a translator who translates the Russian into Hindi, then I can understand it, and we say that the message has been decrypted.

Identification is related to trust. In the previous scenario, how can I trust the translator who is converting Russian language to Hindi? Is she/he legitimate? Can I trust him/her? In the digital world, it is something like this. Your machine has to trust the SSL certificate (security mechanism) provided by the website via an SSL certificate issuing vendor.

Encryption Explained

To understand the scenario, let’s take an example directly. Let’s suppose you are sending credit card details to a company (any company, online shopping website, etc.).


So here is the scenario: You are on the left and you will be sending your card details to the other machine. Now there can be two scenarios:

  1. Without SSL
  2. With SSL

Without SSL: In this scenario, another machine on your network can grab the details you send to the other machine, as shown in the figure below.


As you know, this scenario is without SSL. In this case, any malicious user sitting on the same network can perform a man-in-the-middle (MITM) attack, or any other attack that involves simple network traffic monitoring, and grab your credit card number or other personal details. So it is always necessary to use SSL to act as a barrier; in effect it creates a tunnel.

With SSL: SSL puts the security mechanism on the network layer before you transfer the data. As the picture below shows, it creates a barrier or tunnel through which the user can transfer any data to the other network. This time the malicious user (sitting on the same network) will only see the tunnel, so he won’t be able to grab your private data as it passes through it.



As you can see in the picture, a malicious user grabs the data passing through the tunnel, but she/he gets only encrypted data, not the real plain-text data. So the data can be grabbed, but it now has only garbage value for the cracker/hacker, as she/he will never learn what the real data was. In order to decrypt the data, the hacker would need the encryption key, which she/he will never get.

Let’s see what HTTPS coding looks like. Here I will show you the source code of Twitter’s sign-in page. As you all know, every sign-in page uses the POST method to pass our data to the server, and every POST method is defined inside a form. The form’s action and method are shown in the picture below.
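As an added example (not code from the original article), here is a small Python check that parses a sign-in page the way the text describes and flags any POST form whose resolved action would submit the credentials outside https. The page URL and HTML below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect (method, resolved action URL) for every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)  # html.parser lowercases attribute names
        method = (a.get("method") or "get").lower()
        # A missing or empty action submits back to the page's own URL,
        # so resolve relative actions against the page URL.
        action = urljoin(self.page_url, a.get("action") or "")
        self.forms.append((method, action))


def insecure_forms(page_url, html):
    """Return the POST forms whose resolved action is not served over https."""
    parser = FormActionCollector(page_url)
    parser.feed(html)
    return [(m, u) for m, u in parser.forms
            if m == "post" and urlsplit(u).scheme != "https"]


# Constructed sample sign-in page (hypothetical site, not Twitter's markup).
SAMPLE_URL = "https://login.example.com/signin"
SAMPLE_HTML = """
<form action="/sessions" method="post">
  <input name="username"><input name="password" type="password">
</form>
<form action="http://login.example.com/legacy-login" method="POST">
  <input name="password" type="password">
</form>
<form action="search" method="get"><input name="q"></form>
<form method="post"><input name="otp"></form>
"""

if __name__ == "__main__":
    for method, url in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"insecure {method.upper()} form submits to {url}")
```

Only the legacy form is reported: the relative actions resolve to the https page origin, the GET form is out of scope, and the form without an action submits back to the https page itself.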
