Networks Server 42 21 12/3/13 Goal and Threat Model (2) •  Goal of HTTPS is to secure HTTP •  We focus on network threats: 1.  Eavesdropping client/server traffic 2.  Tampering with client/server traffic 3.  Impersona7ng web servers Network Client Server Computer Networks 43 HTTPS Context •  HTTPS (HTTP Secure) is an add- on –  Means HTTP over SSL/TLS –  SSL (Secure Sockets Layer) precedes TLS (Transport Layer Security) HTTPS Computer Networks HTTP SSL/TLS TCP IP Insert 44 22 12/3/13 HTTPS Context (2) •  SSL came out of Netscape –  SSL2 (flawed) made public in '95 –  SSL3 fixed flaws in '96 •  TLS is the open standard –  TLS 1.0 in '99, 1.1 in '06, 1.2 in '08 •  Mo7vated by secure web commerce –  Slow adop7on, now widespread use –  Can be used by any app, not just HTTP Computer Networks 45 SSL Opera7on •  Protocol provides: 1.  Verifica7on of iden7ty of server (and op7onally client) 2.  Message exchange between the two with confiden7ality, integrity, authen7city and freshness •  Consists of authen7ca7on phase (that sets up encryp7on) followed by data transfer phase Computer Networks 46 23 12/3/13 SSL/TLS Authen7ca7on •  Must allow clients to securely connect to servers not used before –  Client must authen7cate server –  Server typically doesn't iden7fy client •  Uses public key authen7ca7on –  But how does client get server's key? –  With cer7ficates » Computer Networks 47 Cer7ficates •  A cer7ficate binds public key to an iden7ty, e.g., domain –  Distributes public keys when signed by a party you trust –  Commonly in a format called X.509 Signed by CA Computer Networks 48 24 12/3/13 PKI (Public Key Infrastructure) •  Adds hierarchy to cer7ficates to let many par7es issue –  Issuing par7es...
