tags : Web Authentication, Web Development, Security, Infrastructure, Networking
HTTPS
Why HTTPS on static sites?
HTTPS on dynamic sites is obvious but not totally obvious for static sites, here are few good reasons. When using HTTPs, there is still additional metadata below the TCP level, such as DNS queries and SNI. Encrypting those is being worked on, but right now they’re often still plaintext.
- Privacy, Encrypting the content protects to some degree the privacy of the user and what content they are consuming.
- It also prevents mitm from inserting malicious code or modifying the content returned. Something that ISPs and wifi providers can do.
HSTS
HSTS is nothing more than a header sent to the client, telling the client to only use https.
- The origin server can set this header, or the load balancer can set it; doesn’t matter.
- The client can’t tell the difference who set the header also it can’t tell if request was encrypted by LB or by origin server
- Prevents HTTPS to HTTP downgrading attacks ( See moxie0/sslstrip )
History
SSL
was defined by Netscape Communications so they could add HTTPS to Netscape Navigator in 1994.- They adopted the existing work for
X.509
certificates for communicating identity, and a public key that can be used in cryptography.
CA
What?
- When a CA issues you a certificate for a given domain that means anyone who trusts that CA will automatically trust the SSL traffic you encrypt using that certificate.
- CAs are responsible for verifying that you actually own a domain
- Operating system/browsers ship with the public keys of some trusted CA
mTLS
- mTLS: When certificate authentication is done wrong - The GitHub Blog
- What is mTLS? | Mutual TLS | Cloudflare