A lot of interesting knowledge can be learned from computer networks and the internet, at least a site or blog owner knows what SSL Security Secure Socket Layer (SSL), the HTTP protocol and the HTTPS protocol. The discussion of these three points may give you a headache, but there is nothing wrong with knowing basic knowledge that is very important and might come in handy someday. Let’s learn!
What is SSL Security HTTPS Protocol
What is SSL Security?
The basic definition of Secure Sockets Layer (SSL) is a computer network protocol that manages server authentication, client authentication and encrypted communication between servers and clients. To perform tasks, SSL uses a combination of public-key and symmetric-key encryption to protect a connection between two machines – usually a web or mail server and a client machine – communicating via the internet and the internal network.
Taking the OSI reference model as context, SSL runs over the TCP / IP protocol – which is responsible for carrying and routing data across a network – and under higher level protocols such as HTTP and IMAP, encrypting data from network connections in the application layer of a series of internet protocols. The term “sockets” refers to the sockets method that passes data back and forth between client and server programs in a network, or between layers of programs on the same computer.
Meanwhile the Transport Layer Security (TLS) protocol evolved from SSL and has largely been replaced by it, nevertheless the terms SSL or SSL / TLS are still generally used. Until recently, SSL was often used to refer to TLS. The SSL / TLS combination is currently the most widely deployed security protocol and is found in a variety of applications such as web browsers, email and any situation where secure data is exchanged over the network, whether it be file transfers, VPN connections, instant messages and voice via IP.
After knowing what SSL Security is, it is interesting to discuss the history of the SSL protocol which was developed by Netscape Communications in the 90s. At that time, the company wanted to encrypt data in transit between the Netscape Navigator browser and a web server on the internet to ensure confidential data – such as credit card numbers – is protected. Version 1.0 was never released to the public, while version 2.0 was officially released in February 1995 even though it had a number of security deficiencies
Meanwhile, SSL version 3.0 was released in 1996 and underwent a complete redesign. Even though it was never used as a formal standard, the draft SSL 3.0 in 1996 was actually published by the IETF as a historic document in RFC 6101. Thus this version became the de facto standard for providing security of communications over the internet.
After the IETF officially took over the SSL protocol to standardize it through an open process, SSL version 3.1 was later released as Transport Layer Security 1.0 and introduced various security updates to reduce weaknesses that were found in previous versions. The name change was deliberately made to avoid the slightest bit of legal trouble with Netscape.
A lot of attacks against SSL are focused on implementation issues, but the POODLE vulnerability is a known flaw in the SSL 3.0 protocol. These disabilities cannot be ignored, they have a negative impact. It seems to give someone who is not responsible for decrypting confidential information such as cookie authentication.
IETF’s TLS 1.0 is not vulnerable to such attacks because it has determined that all byte layers or byte padding must have the same value and be verified. Other important things that distinguish between SSL and TLS that make TLS known as a more secure and efficient protocol are message authentication, key material generation and support for password sequences with TLS which supports newer and more secure algorithms. Until now, the IETF has released the latest version, namely TLS 1.2.
Learning how the SSL protocol works is tricky. Of course, this protocol consists of two sub-protocols, namely record and handshake. Both allow the client to confirm the server and establish an encrypted SSL connection. When the server is confirmed, the client and server establish a shared key and password setting to encrypt the information exchanged during the session. This ensures confidentiality and integrity of data. At this stage the user cannot see directly with the naked eye.
What is the HTTP protocol?
After understanding what SSL Security is, we will then discuss the http protocol. The term HTTP is often seen in the web browser page column and many people still don’t know its basic meaning. As reported from the wikipedia page, HTTP stands for Hypertext Transfer Protocol, which is a set of rules for transferring files such as text, graphics, sound, video and multimedia in cyberspace, aka the World Wide Web.
When internet users open a web browser, they are indirectly taking advantage of HTTP. For additional information, HTTP is an application protocol running on top of the TCP / IP protocol suite which is considered the foundation protocol for the internet.
The concept of HTTP includes the idea that files can contain references or pointers to other files which are then strictly selected. The selection results will issue additional transfer requests. Each web server machine contains an HTTP daemon, which is a program designed to wait for multiple HTTP requests and handle them as they arrive.
A web browser is an HTTP client that sends various requests to the server machine. When a browser user enters a file request such as opening a URL or clicking a hypertext link, the browser builds the HTTP request and sends it to the Internet Protocol address (IP address). The HTTP daemon on the server machine will receive the request and send it back to the browser. Now the development of HTTP has reached version 1.1.
What is the HTTPS protocol?
HTTPS – short for Hypertext Transfer Protocol Secure – is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sub-layer below the regular HTTP application layer. HTTPS encrypts and decrypts page requests, as well as pages returned by the web server. The use of HTTPS aims to protect confidential data theft. As reported by the wikipedia page, HTTPS was developed by Netscape.
Both HTTPS and SSL support the use of X.509 digital certificates from the server. Meanwhile HTTPS uses port 443 instead of HTTP port 80 in interacting with lower layers, namely TCP / IP. In a case, a user visits a site to view an online catalog. When ready to place an order, it will go to a web page with a Uniform Resource Locator (URL) starting at https: //. When you click the “Send” button to send the page back to the catalog, the browser’s HTTPS layer will encrypt it.
Official statements received from the server will travel in encrypted form, come with https: // URL, and can be decrypted by the web browser’s HTTPS sublayer. The effectiveness of HTTPS can be limited by poor implementation of browser or server devices or lack of support for some algorithms. Although HTTPS protects data as it passes between the server and the client, when the data is decrypted at its destination, the next level of security is only at the level of the host computer.
Thus a discussion of what SSL Security is, the http protocol and the https protocol. Based on the above understanding, it is rather difficult for beginners to get to know and learn more closely about the Secure Socket Layer (SSL), HTTP protocol and HTTPS protocol. Of course, these three elements have a real role in providing data security as long as they are connected to the internet network.
Source : Apa Itu SSL Security