1. The Little Padlock
"Make sure you see the little padlock icon to verify you are accessing online banking services or e-commerce websites 'securely'." This is very commonly used cybersecurity advice for laypeople. But what does the padlock symbolise?
The padlock means you are browsing the particular website using HTTPS rather than HTTP. HTTPS simply means HTTP over SSL (Secure Sockets Layer). SSL can be used to secure many other protocols, not limited to HTTP, including SFTP, SSH, IMAPS, POP3S, etc.
How does SSL Secure the Communication Session?
Confidentiality. Network traffic over SSL is encrypted using a secret key. This secret key is established using public-key cryptography, so that only the intended parties possess the secret key and are the only ones that can read the content of the session.
Authenticity. A digital certificate is issued by a certificate authority (CA) to whoever is providing the service. This certificate is a claim that the identity of the organisation/person is tied to the domain name, enabling end users to verify they are communicating with the authenticated server.
Non-repudiation. The combination of confidentiality and authenticity establishes non-repudiation.
Drawback of SSL
SSL only provides communication security; it does not provide security for data at rest. The largest drawback of SSL is still users' understanding of digital certificates. It is very common that users do not check the digital certificate to verify the authenticity of the server, and ignore security warnings such as certificate expiry.
Do users understand security warnings?
Can users differentiate them if I were to perform a domain-in-the-middle attack?
2. The Protocol
Now we will take a look at the protocol design of SSL (version 3.0). TLS (Transport Layer Security, RFC 2246) was introduced later as a continuation of SSL development. The current version 1.0 of TLS is very similar to SSL 3.0 with minor tweaks. As the name suggests, SSL provides security by sitting between the transport and application layers. It also means that SSL can provide security to any application layer protocol, and not only HTTP, which all of us are already so familiar with.
There are two layers involved in the SSL architecture. The record protocol provides a secure and reliable channel to the upper layer.
The record protocol carries application data and manages it within sessions created by the handshake protocol.
Among all SSL protocols at the upper layer, the handshake protocol is the most important one, and the other two serve more as supporting facilities.
SSL uses a secret key to provide data origin authentication, integrity and encryption to the application datagram. The record protocol uses this secret key, and it is the handshake protocol that establishes it.
The SSL Handshake protocol
Message 1: Client --> Server
Client initiates connection;
Client sends its SSL/TLS version number, list of cipher suites, and client nonce.
Message 2: Server --> Client
Server sends SSL/TLS version number;
Server sends selected cipher from client's cipher suites;
Server sends certificate message, allowing client to validate server's public key; and
A server nonce and session ID.
Message 3: Client --> Server
Client sends a pre-master-secret key encrypted using the server's public key;
Client sends a MAC (message authentication code) generated over all messages sent so far, using the computed master-secret.
Message 4: Server --> Client
The remaining support protocols are the alert protocol, which conveys error messages (fatal errors and warnings), and the change cipher specification protocol, which can be used to change the recently agreed cipher suite.
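The MAC in Message 3 is what lets the server notice that a handshake message was altered in transit. The following is an added example, not code from the original post, that models Messages 1 to 3 and that check. Assumptions: a constructed toy message encoding, hypothetical suite names, HMAC-SHA256 standing in for the SSL 3.0 MD5/SHA-1 constructions, and the public-key encryption of the pre-master secret omitted.

```python
import hashlib
import hmac
import os

def master_secret(pre_master, client_nonce, server_nonce):
    # Assumption: HMAC-SHA256 stands in for the SSL 3.0 MD5/SHA-1 derivation.
    return hmac.new(pre_master, b"master" + client_nonce + server_nonce,
                    hashlib.sha256).digest()

def transcript_mac(master, messages):
    # MAC over every handshake message so far; length prefixes keep
    # message boundaries unambiguous.
    mac = hmac.new(master, digestmod=hashlib.sha256)
    for msg in messages:
        mac.update(len(msg).to_bytes(4, "big") + msg)
    return mac.digest()

def hello(version, suites, nonce):
    # Constructed toy encoding: version|suite,suite|nonce
    return version + b"|" + b",".join(suites) + b"|" + nonce

def run_handshake(in_transit=lambda m: m):
    """Return (server_accepts_mac, suite_chosen_by_server)."""
    client_nonce, server_nonce = os.urandom(32), os.urandom(32)
    # Message 1: client -> server (possibly altered on the wire)
    sent = hello(b"SSL3.0", [b"STRONG_SUITE", b"WEAK_SUITE"], client_nonce)
    received = in_transit(sent)
    # Message 2: server -> client, picks the first suite it was offered
    _, offered, nonce_seen = received.split(b"|", 2)
    chosen = offered.split(b",")[0]
    server_hello = hello(b"SSL3.0", [chosen], server_nonce)
    # Message 3: pre-master secret (encryption to the server omitted)
    pre_master = os.urandom(48)
    client_master = master_secret(pre_master, client_nonce, server_nonce)
    client_mac = transcript_mac(client_master, [sent, server_hello])
    # Server recomputes the MAC over the messages as it saw them
    server_master = master_secret(pre_master, nonce_seen, server_nonce)
    expected = transcript_mac(server_master, [received, server_hello])
    return hmac.compare_digest(client_mac, expected), chosen.decode()

def drop_strong_suite(message):
    # Constructed alteration: remove the stronger suite from the offer.
    return message.replace(b"STRONG_SUITE,", b"", 1)

if __name__ == "__main__":
    print(run_handshake())                   # unaltered handshake
    print(run_handshake(drop_strong_suite))  # Message 1 altered in transit
```

When Message 1 is altered, the server still selects a suite from what it received, but the two sides hold different transcripts, so the MAC comparison fails and the handshake can be aborted.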
3. HTTPS on Apache
Now I will demonstrate how you can add the SSL module to an Apache server to secure web sessions connected to your web site.
In my setup, I have Ubuntu as my client, and Apache running on CentOS.
First, install the SSL module (#yum install mod_ssl) on the web server, and generate an asymmetric key pair:
The key generated via this command is the private key. Ensure it is stored in a secured environment with access control. Using this private key, generate a digital certificate request:
I need to submit the certificate request to a certificate authority to obtain a digital certificate. In this case, I generated a digital certificate using my private certificate authority.
With the private key and digital certificate on hand, configure the Apache SSL configuration file (/etc/httpd/conf.d/ssl) with the parameter SSLCertificateFile pointing to the digital certificate and SSLCertificateKeyFile pointing to the private key.
Restart the Apache server and I can now access my web site via HTTPS!
Now all connections to my web site are encrypted but not authenticated, because the certificate is signed by an unrecognised certificate authority. Users are warned at the beginning, before they enter the web site, but do they understand the risk?