
Plain HTTP, Postcards and HTTPS - Part 2

 Jun 30, 2017 3:54:55 PM |    Jason White


Encryption 101

Let’s face it, cryptography can be a pretty scary topic, but it’s an important one these days. Let’s look at encryption as it relates to web app security (I’ll take on hashing in another blog post another day) at a basic level.

  • Encryption scrambles data and allows those with the appropriate keys to unscramble (decrypt) it. Anyone without the key sees only gibberish.
  • In symmetric encryption, one or more parties all have the same key (usually a long string of gibberish), which is used for both scrambling and unscrambling. It is fast, which is why the bulk of an HTTPS session is protected this way.
  • In asymmetric encryption, there are public and private keys. Anyone can use the public key to encrypt, but only the holder of the private key can decrypt. The same pair also works the other way round for signatures: the private key signs, and anyone with the public key can verify. Private keys need to be protected very carefully.
  • Client (Browser) / Server HTTPS connections go something like this:
  1. The browser validates the server’s certificate, which carries the server’s public key: the certificate chains to a trusted CA, names the host being visited, and has not expired. In practice it’s usually just the client that validates the server, but the server can require a client certificate too.
  2. The browser and server agree on session keys. Each side sends key-exchange material, the server proves it holds the private key matching its certificate, and both ends derive the same symmetric key without that key ever crossing the wire.
  3. Data sent is encrypted such that only each end can decrypt it, and any tampering in transit is detected (I did say this was 101).
  4. Each end decrypts the data so it can be viewed, processed, stored etc.

NOTE: Some links will be provided at the bottom of this blog about HTTPS and encryption for those that want more than the 101 bullet points above.
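To make the four steps above concrete, here is a small model of the exchange in Go. It is an added example written for this post, not code from the post or from any TLS library, and it stands in for TLS rather than being TLS: the names Session and Handshake are made up for the example, an Ed25519 identity key plays the role of the server certificate (and the trusted identity key the role of the browser’s CA store), and the shared secret is hashed once with SHA-256 instead of going through TLS’s HKDF key schedule. It uses only the standard library; crypto/ecdh needs Go 1.20 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one end's copy of the agreed symmetric key; it never crosses the wire.
type Session struct{ aead cipher.AEAD }

// newSession derives AES-256-GCM from the ECDH secret (TLS uses HKDF; SHA-256 is a simplification).
func newSession(shared []byte) (*Session, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts and authenticates one message (step 3); the random nonce is prepended.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts one message (step 4); tampering or a mismatched key fails the GCM tag check.
func (s *Session) Open(msg []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], nil)
}

// Handshake models steps 1 and 2. The server's long-term Ed25519 key stands in for its
// certificate and trustedIdentity for the browser's CA store. Each side makes a fresh X25519
// pair, the server signs its public share, the client verifies it, and both derive one secret.
func Handshake(serverIdentity ed25519.PrivateKey, trustedIdentity ed25519.PublicKey) (client, server *Session, err error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Server -> client: its public share plus a signature over it (private key signs).
	serverShare := serverEph.PublicKey().Bytes()
	sig := ed25519.Sign(serverIdentity, serverShare)
	// Step 1: client validates the server (public key verifies); a browser would show a cert error here.
	if !ed25519.Verify(trustedIdentity, serverShare, sig) {
		return nil, nil, errors.New("server identity check failed")
	}
	// Step 2: own private key + peer's public key gives the same secret on both ends.
	clientSecret, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	if client, err = newSession(clientSecret); err != nil {
		return nil, nil, err
	}
	if server, err = newSession(serverSecret); err != nil {
		return nil, nil, err
	}
	return client, server, nil
}

func main() {
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	browser, site, err := Handshake(idPriv, idPub)
	if err != nil {
		panic(err)
	}
	ct, _ := browser.Seal([]byte("user=alice&password=hunter2"))
	pt, err := site.Open(ct)
	fmt.Printf("server read %q (err=%v)\n", pt, err)
	ct[len(ct)-1] ^= 1 // one byte flipped by a hop in the middle
	_, err = site.Open(ct)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Run it and the server reads the form data the browser sealed, then rejects the copy with one byte flipped. Hand Handshake a different trusted identity key and it fails before any data is exchanged, which is the step-1 check a browser performs against its CA store. Notice that the symmetric key is never sent: each end computes it from its own private share and the peer’s public share, so a device on the path that saw both public shares still cannot decrypt the traffic.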

Ever Sent a Postcard?

So, why would HTTPS be important in the above scenario, and what does it have to do with a postcard? First, for the millennials ... Postcards are a form of snail mail without an envelope. What you send is written on a single card and sent in the mail, usually with a picture on one side and whatever you write on the other. Side note, they were (are?) cheaper to send than a ‘letter’ in an envelope. Point is, with a postcard, whatever you write can be seen by anyone handling the mail. Same goes for plain HTTP as it goes across the network: the data can be seen by any device that request passes through on its way to the server, from the local Wi-Fi to every router in between.

So, the username and password (which are static) would be exposed in every request in this case … many times per day. This dramatically increases the likelihood that they will be viewed or captured along the way. It’s like thousands of postcards being sent daily, each with the same credentials written on the back.
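As an added example (not from the original post), here is what “anyone handling the mail” can do with one plain-HTTP request. The two captured requests are constructed for the example, and Sniff and Exposed are names made up here; the parsing itself is Go’s standard net/http. It goes a little beyond the post’s scenario by handling both a Basic Authorization header and a form-login body, since credentials travel in the clear either way.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample: one request from the scenario above as it appears on the
// wire over plain HTTP, with static credentials in a Basic Authorization header.
const capturedBasicAuth = "GET /api/account HTTP/1.1\r\n" +
	"Host: example.internal\r\n" +
	"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n" +
	"Cookie: session=abc123\r\n" +
	"\r\n"

// Constructed sample: a form login. The body is just as visible as the headers.
const capturedFormLogin = "POST /login HTTP/1.1\r\n" +
	"Host: example.internal\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 31\r\n" +
	"\r\n" +
	"username=alice&password=hunter2"

// Exposed is what a passive observer on any hop recovers from one request.
type Exposed struct {
	Host, Path         string
	Username, Password string
	Cookies            []string
}

// Sniff parses raw request bytes the way a capture tool sees them over plain HTTP.
// Over HTTPS the same bytes sit inside TLS records, so an observer gets only
// ciphertext and this parse never gets as far as a request line.
func Sniff(raw string) (Exposed, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Exposed{}, err
	}
	e := Exposed{Host: req.Host, Path: req.URL.Path}
	// Basic auth is only base64, which is encoding, not encryption.
	if u, p, ok := req.BasicAuth(); ok {
		e.Username, e.Password = u, p
	}
	// A form login carries the same secrets in the body.
	if err := req.ParseForm(); err == nil && req.PostForm.Get("username") != "" {
		e.Username, e.Password = req.PostForm.Get("username"), req.PostForm.Get("password")
	}
	// Session cookies are replayable by whoever reads them, so they count too.
	for _, c := range req.Cookies() {
		e.Cookies = append(e.Cookies, c.Name+"="+c.Value)
	}
	return e, nil
}

func main() {
	for _, raw := range []string{capturedBasicAuth, capturedFormLogin} {
		e, err := Sniff(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %s  user=%q password=%q cookies=%v\n",
			e.Host, e.Path, e.Username, e.Password, e.Cookies)
	}
}
```

Both captures yield the same username and password, and the first one also hands over a session cookie that can be replayed without knowing the password at all. Nothing in the parse is clever: the credentials are simply there, in every request, for every hop to read.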

Topics: Application Security
