
This page is fully generated by ChatGPT; most of these I review and alter, but not this one.

Table of Contents

TODO

SSL and HTTPS Overview

What is SSL/TLS?

  • SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols designed to secure communication over a network.
  • TLS is the modern, more secure version of SSL, but the term "SSL" is still commonly used to refer to both.
  • SSL/TLS ensures:
    • Encryption: Protects data from being intercepted or read by unauthorized parties.
    • Authentication: Verifies the identity of the server (and optionally the client).
    • Integrity: Ensures that data is not altered during transmission.

What is HTTPS?

  • HTTPS (Hypertext Transfer Protocol Secure) is HTTP with SSL/TLS encryption.
  • It ensures secure communication between a client (e.g., browser) and a server (e.g., website).
  • HTTPS is widely used for websites to protect sensitive data like passwords, credit card numbers, and personal information.

SSL/TLS Handshake Flow

  1. Client Hello:
    • The client sends a "hello" message to the server, including:
      • Supported cipher suites (encryption algorithms).
      • A randomly generated value (client random).
  2. Server Hello:
    • The server responds with:
      • Its own randomly generated value (server random).
      • Its SSL/TLS certificate, which contains the server's public key.
  3. Certificate Verification:
    • The client verifies the server's certificate against a trusted Certificate Authority (CA).
  4. Key Exchange:
    • The client generates a pre-master secret and encrypts it with the server's public key.
    • The server decrypts the pre-master secret with its private key.
    • This is the RSA key exchange of TLS 1.2 and earlier; with the ephemeral DHE/ECDHE exchanges mentioned under Forward Secrecy below, the pre-master secret is instead the Diffie-Hellman shared secret and the server's private key only signs the exchange.
  5. Session Key Derivation:
    • Both the client and server derive the master secret from the pre-master secret, client random, and server random, and expand it into the symmetric session keys.
  6. Secure Communication:
    • All subsequent communication is encrypted using the session keys (symmetric encryption).
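Step 5 worked through in code, as an added example that is not part of the original page: the TLS 1.2 pseudo-random function of RFC 5246 (built on HMAC-SHA256) takes the pre-master key of step 4 (the RFC's "pre-master secret") plus the client and server randoms to the 48-byte master secret, then expands that into the per-direction write keys and IVs. The randoms and pre-master secret are constructed sample values; the key sizes assume an AES-128-GCM cipher suite.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # PRF(secret, label, seed) = P_SHA256(secret, label + seed)
    return p_sha256(secret, label + seed, length)

def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def derive_keys(master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int, key_len: int, iv_len: int) -> dict:
    # key_block = PRF(master_secret, "key expansion", server_random + client_random);
    # note the randoms are concatenated in the opposite order to the master-secret step.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:  # slice the key block in the order RFC 5246 lists
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def demo():
    # Constructed sample values: two 32-byte randoms and a 48-byte RSA pre-master
    # secret (2-byte client version 0x0303 followed by 46 random bytes, zeroed here).
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(46)
    master = derive_master_secret(pre_master, client_random, server_random)
    # AES-128-GCM suites use no MAC key, a 16-byte key and a 4-byte fixed IV per direction.
    return master, derive_keys(master, client_random, server_random, 0, 16, 4)
```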

Key Concepts

  • Public Key Infrastructure (PKI):
    • SSL/TLS relies on PKI, where a trusted Certificate Authority (CA) issues certificates to verify server identities.
  • Certificates:
    • Certificates are digital documents that bind a public key to an entity (e.g., a website).
    • Certificates are issued by trusted CAs and have an expiration date.
  • Symmetric vs. Asymmetric Encryption:
    • Asymmetric Encryption: Used during the handshake (e.g., RSA, ECDSA).
    • Symmetric Encryption: Used for the actual data transfer (e.g., AES).
  • Forward Secrecy:
    • Ensures that even if the server's private key is compromised later, recorded past sessions cannot be decrypted.
    • Achieved using ephemeral key exchange algorithms like DHE or ECDHE.

Benefits of HTTPS

  1. Data Security:
    • Encrypts data in transit, preventing eavesdropping and tampering.
  2. Authentication:
    • Verifies the server's identity, ensuring users connect to the intended website.
  3. SEO Boost:
    • Search engines like Google prioritize HTTPS websites in search rankings.
  4. Browser Trust:
    • Modern browsers display warnings for non-HTTPS websites, encouraging users to avoid them.

Common Use Cases

  • Websites:
    • Protect sensitive user data like login credentials and payment information.
  • APIs:
    • Secure communication between clients and servers in REST or GraphQL APIs.
  • IoT Devices:
    • Encrypt data sent between IoT devices and cloud services.
  • Load Balancers:
    • Perform SSL/TLS termination to offload encryption/decryption from backend servers.

Preventing MITM Attacks

  • Use HTTPS:
    • Encrypts communication and validates the server's identity.
  • DNSSEC:
    • Ensures DNS responses are authentic and not tampered with.
  • Certificate Pinning:
    • Verifies that the server's certificate matches a known, trusted certificate.

Key AWS Services for SSL/TLS

  1. AWS Certificate Manager (ACM):
    • Simplifies the provisioning and management of SSL/TLS certificates.
  2. Elastic Load Balancers (ALB/NLB):
    • Perform SSL/TLS termination for backend services.
  3. CloudFront:
    • Distributes content securely using HTTPS.
  4. Route 53:
    • Supports DNSSEC for secure DNS resolution.

Summary

  • SSL/TLS is the backbone of secure communication on the internet, providing encryption, authentication, and integrity.
  • HTTPS, powered by SSL/TLS, is essential for protecting sensitive data and ensuring trust between clients and servers.
  • AWS services like ACM, ALB, and CloudFront make it easy to implement SSL/TLS in cloud-based architectures.