Resources for the global digital safety training community.
CreditsLast Updated 2015-04
In this Input session, participants are introduced to HTTPS and SSL connections and how they maintain confidentiality between a user and a server over a network connection.
The purpose of this session is emphasize the importance of HTTPS/SSL because of its ability to reliably authenticate and maintain confidentiality when a user communicates with a website.
HTTP is the HyperText Transfer Protocol. It is the way that a web server communicates information to your browser.
HTTPS is the Secure HyperText Transfer Protocol. It uses a strong encryption system called SSL (Secure Sockets Layer) to create a special encoded connection between your computer and the web server that no one can see inside. HTTPS preserves confidentiality.
A Man-in-the-middle attack is where a malicious individual intercepts your communications and pretends to be your intended destination. This individual will see all your traffic before handing it off to your intended target. MITM spoofs an authentic website in order to violate your confidentiality.
An SSL certificate is a special type of file that a computer like a web server can use to identify itself uniquely. Certificates can be issued by “Certificate Authorities” which are a strong proof that a web server is in fact who it says it is. “Self-signed certificate” are those certificates which are verified by the entity who owns the web address. SSL certificates establish authenticity.
A certificate error is when your browser detects some sort of problem in the certificate identifying a web site; this can indicate that the server is not who it says it is. Certificate errors indicate a website is inauthentic.
“SSL pinning” is a term for certificates your browser trusts in advance without needing to ask a Certificate Authority for its validity.
Using a public access point or an Internet café, you log into a web service that is not protected by HTTPS. Someone on the same network is running Wireshark and sees your username and password as they travel up to the website. The hacker takes the opportunity to log in as you, changing your password and pwn-ing your account.
Your email service provider encrypts your login using SSL (HTTPS), but removes that protection after you have logged in. Government authorities have tapped into the connection at your local service provider or elsewhere, capturing all the traffic and can read the messages you write or receive. The NSA’s XKeyscore system is one example of massive network surveillance that scoops up Internet traffic for analysis.
You visit your bank’s website using https://. As the page loads, you see a certificate error. This is unusual, but you decide to click through anyway and arrive on a page that appears to be authentic. You enter your login information for your account. Later, however, you find out that a malicious organization was running a “man in the middle attack” to capture login credentials of users before sending them to the real bank site. With your information, they can now login to steal your money or they can sell your login details to criminals who will.