HTTPS
- HTTPS is HTTP carried over either SSL (Secure Sockets Layer) or TLS (Transport Layer Security)
- TLS is the successor of SSL
- Protocol versions: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2
- Internally (in the protocol's version field), TLS 1.0/1.1/1.2 are SSL 3.1/3.2/3.3 respectively
- To check which protocol version a website negotiated, open Chrome DevTools > Security tab
Setup HTTPS
- You need to purchase an SSL certificate from a Certificate Authority (CA)
- The CA identifies and verifies you, and then issues a certificate
- The CA provides the SSL certificate, the intermediate and root certificates, and a CA bundle file
- You need to install this certificate (together with its private key) on your server
- The default HTTPS port is 443 (compared to 80 for HTTP)
Example files from GoDaddy Certificate Authority
Public Key Certificate
X.509
- X.509 is the standard that defines the format of digital certificates
- The following are in X.509 format:
- Domain Certificate
- Intermediate Certificate
- Certificate Bundle Chain
- Root Certificate
Setup in Node.js server
var https = require('https');
var fs = require('fs');

var https_options = {
    // Private key matching the certificate (keep this file readable only by the server user)
    key: fs.readFileSync("/path/to/private.key"),
    // Your domain certificate in PEM format; to serve the full chain this file should
    // contain the domain certificate followed by the intermediate certificates, in order
    cert: fs.readFileSync("/path/to/your_domain_name.crt"),
    // Trusted CA certificates; on a server these are only used to verify client
    // certificates (mutual TLS) and do not add intermediates to the chain sent to browsers
    ca: [
        fs.readFileSync("/path/to/CA_root.crt"),
        fs.readFileSync("/path/to/ca_bundle_certificate.crt")
    ]
};

// The options object must be the one defined above (the original used an undefined name)
https.createServer(https_options, function (req, res) {
    res.writeHead(200);
    res.end("Welcome to Node.js HTTPS Server");
}).listen(8443);
Setup in NGINX (as reverse proxy)
server {
    server_name _;
    listen 80 default_server;
    return 404;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;     # Path to your_domain_name.crt
    ssl_certificate_key /etc/nginx/ssl/nginx.key; # Path to private.key
    return 404;
}
HTTPS in practice
- In deployment it is suggested not to enable HTTPS on the application server itself
- Instead, deployment infrastructure generally provides a reverse proxy that handles SSL/TLS termination
- For example, NGINX can be used as a reverse proxy that handles HTTPS and routes the requests to your HTTP server
SSL/TLS Termination
- SSL/TLS Terminators
- Load balancer
- Reverse proxy
- API gateway
- The browser encrypts the HTTPS traffic and sends it to the SSL/TLS terminator
- The SSL/TLS terminator decrypts it and forwards the traffic internally as plain HTTP to the backend
- Hence the name SSL/TLS termination: the TLS connection ends at the terminator
Public Key Infrastructure
- aka PKI
- Manages digital certificates
- Uses of PKI
- Encryption in E-mail via OpenPGP or S/MIME
- Authentication in Browsers via SSL/TLS
- Involves
- Certificate Authority (CA)
- Registration Authority (RA)
- Central Directory
- Certificate Management System
- Certificate Policy
PKCS
- Public Key Cryptography Standards
- Created by RSA labs
- Notable Standards:
- PKCS #1: RSA Cryptography Standard
- Used for secure data transmission.
- PKCS #3: Diffie–Hellman Key Agreement Standard
- PKCS #7: Cryptographic Message Syntax Standard
- Sign and encrypt message under PKI
- PKCS #10: Certification Request Standard
- Used in Certificate Signing Requests (CSRs)
- PKCS #12: Personal Information Exchange Syntax Standard
File Extensions
- https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
- https://stackoverflow.com/questions/63195304/difference-between-pem-crt-key-files
- Encodings:
  - DER
    - Distinguished Encoding Rules
    - Binary encoding
    - Used for X.509 certs and private keys
    - Extensions used: .der, .cer, .crt, .key
  - PEM
    - Privacy Enhanced Mail
    - Base64 encoding of the DER binary data, developed so that DER data can be transmitted as plain text
    - Used for X.509 certs, CSRs and crypto keys
    - Has a header and a footer around the payload:
      - Example header: -----BEGIN CERTIFICATE-----
      - Payload: Base64 encoded binary (DER) data
      - Example footer: -----END CERTIFICATE-----
    - Extensions used: .pem, .cer, .crt, .key
.cer or .crt
- stands for certificate
- It can be PEM or DER encoded
.key
- stores private key
- It can be PEM or DER encoded
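Since the same .cer/.crt/.key extension can hold either a PEM or a DER file, it helps to be able to tell the two apart and convert between them. The block below is an added example, not code from the original notes: it parses and builds the PEM envelope described above, checks that the decoded bytes form one complete DER SEQUENCE (which every X.509 certificate, CSR and PKCS#1/PKCS#8 key is), and guesses the encoding of a file's bytes. The sample DER value is constructed for the example and is not a real certificate.

```javascript
// Added example, not code from the original notes: converting between the PEM
// and DER encodings above and detecting which one a .cer/.crt/.key file uses.
// Uses only Node's Buffer for Base64; no external library.
const PEM_RE = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END ([A-Z0-9 ]+)-----/;

// Parse one PEM block: check the BEGIN/END lines, make sure their labels
// match, and Base64-decode the payload into DER bytes. Throws on bad input.
function pemToDer(pemText) {
  const m = PEM_RE.exec(pemText);
  if (!m) throw new Error('not a PEM block: BEGIN/END lines missing');
  const [, beginLabel, payload, endLabel] = m;
  if (beginLabel !== endLabel) {
    throw new Error(`PEM label mismatch: BEGIN ${beginLabel} vs END ${endLabel}`);
  }
  const b64 = payload.replace(/\s+/g, '');
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
    throw new Error('PEM payload is not valid Base64');
  }
  return { label: beginLabel, der: Buffer.from(b64, 'base64') };
}

// Wrap DER bytes in a PEM envelope with the given label, 64 chars per line.
function derToPem(der, label) {
  const lines = Buffer.from(der).toString('base64').match(/.{1,64}/g) || [];
  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
}

// X.509 certificates, CSRs and PKCS#1/PKCS#8 keys are all DER SEQUENCEs, so a
// DER file starts with tag 0x30. Decode the outer tag and length and check
// that exactly one complete SEQUENCE fills the buffer. Returns the content
// length, or throws.
function derOuterSequenceLength(der) {
  if (der.length < 2 || der[0] !== 0x30) {
    throw new Error('DER does not start with a SEQUENCE tag (0x30)');
  }
  let len = der[1];
  let hdr = 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) throw new Error('bad DER length encoding');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    hdr = 2 + n;
  }
  if (hdr + len !== der.length) {
    throw new Error(`DER length ${len} does not match ${der.length - hdr} bytes of content`);
  }
  return len;
}

// Guess a file's encoding from its bytes: DER is binary beginning with a
// SEQUENCE tag; PEM is ASCII text beginning with a BEGIN line.
function detectEncoding(bytes) {
  if (bytes.length === 0) return 'unknown';
  if (bytes[0] === 0x30) {
    try { derOuterSequenceLength(bytes); return 'DER'; } catch (e) { return 'unknown'; }
  }
  return PEM_RE.test(bytes.toString('latin1')) ? 'PEM' : 'unknown';
}

// Constructed sample (not a real certificate): the DER SEQUENCE
// { INTEGER 5, BOOLEAN TRUE }, 8 bytes in total.
const SAMPLE_DER = Buffer.from([0x30, 0x06, 0x02, 0x01, 0x05, 0x01, 0x01, 0xff]);

// Round-trip DER through PEM and back; returns the PEM text, the label read
// back from the header, and whether the decoded DER is byte-identical.
function roundTrip(der = SAMPLE_DER, label = 'CERTIFICATE') {
  const pem = derToPem(der, label);
  const back = pemToDer(pem);
  return { pem, label: back.label, identical: back.der.equals(der) };
}
```

To inspect a file on disk, pass fs.readFileSync(path) to detectEncoding and then to pemToDer or derOuterSequenceLength as appropriate; a file that reports 'unknown' is either truncated, not DER/PEM at all, or a PEM block with a damaged header or footer.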
.p12
- PKCS#12
- stores a private key together with its certificate(s) (public key) in one file
.p10 or .csr
- PKCS #10
- Certificate Signing Request