Chapter 18

1. Security Principles
2. Authentication
3. Cryptography
4. Hypertext Transfer Protocol Secure (HTTPS)
5. Common Threat Vectors
6. Security Best Practices
7. Summary

Fundamentals of Web Development - 2nd Ed. Randy Connolly and Ricardo Hoar
HTTP

With a regular HTTP connection, all data is sent as unencrypted plain text. If a hacker intercepts the data, it is easy to read. To transmit data over a secure connection, an additional layer must be used.

Secure Sockets Layer (SSL)
• An older Internet protocol that allows for data transmission between server and client through a secure connection

Transport Layer Security (TLS)
• A newer protocol for transferring data via a secure connection
• Often still referred to as SSL
HTTPS: Secure HTTP

HTTPS is the HTTP protocol running on top of Transport Layer Security (TLS). From a client’s perspective it is easy to see that a site is secured, thanks to the little padlock icon shown in the URL bar of most modern browsers.

• The browser encrypts data being sent to the server, and the server then decrypts it
• The server encrypts data being sent to the browser, and the browser then decrypts it
HTTPS: Secure Handshakes
HTTPS: Certificates

The certificate that is transmitted during the handshake is actually an X.509 certificate, which contains many details including the algorithms used, the domain it was issued for, and some public key information.
HTTPS: Certificate Authorities

A Certificate Authority (CA) allows users to place their trust in the certificate, since a trusted, independent third party signs it.
HTTPS: Self-Signed Certificates

Self-signed certificates provide the same level of encryption, but the identity of the server is not confirmed by any third party.
URLs for Secure Connections

Request a secure connection:
    https://webdev.cislabs.uncw.edu

Return to a regular connection:
    http://webdev.cislabs.uncw.edu

• Requests must be full URLs
• Once a secure connection is established, it will remain in that mode until it is reverted
Redirection

The server instructs the browser to make a new request to another URL. In PHP this is done with the header function and the Location: string:

    header('Location: .');        // the current directory
    header('Location: ../');      // up one directory
    header('Location: ./admin');  // down one directory
    header('Location: error.php');
    header('Location: https://webdev.cislabs.uncw.edu/~abc123');
HTTPS

To use a secure connection on a page, redirect to it using the $_SERVER array. The $_SERVER array contains information about headers and paths, and its values are set by the web server.

Index          Description
HTTPS          Returns a non-empty value if the current request is using HTTPS
HTTP_HOST      Returns the host for the current request
REQUEST_URI    Returns the Uniform Resource Identifier for the current page
The $_SERVER Array

    $_SERVER['HTTP_HOST']   = webdev.cislabs.uncw.edu
    $_SERVER['REQUEST_URI'] = /~abc1234/file.php

A utility file to build an absolute URL using the $_SERVER array:
Requiring a Secure Connection

    require_once 'secure_conn.php';

• Use on any page that contains sensitive information
Reverting to HTTP

    require_once 'reg_conn.php';

• After a user has logged out, for example
• Note: there is no $_SERVER['HTTP'] value
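The redirect helpers the slides reference (secure_conn.php and reg_conn.php) are not reproduced here; the following is an added example, not the textbook's code, showing how they can be built from the $_SERVER indexes above. It assumes a hypothetical allow-list of hosts, because HTTP_HOST is taken from the client's Host header and should not be echoed into a Location header unchecked.

```php
<?php
// Added example (not the textbook's own secure_conn.php / reg_conn.php):
// build an absolute URL from $_SERVER and redirect between schemes.

// True when the current request arrived over HTTPS. $_SERVER['HTTPS'] is
// non-empty on most servers, but some set it to the literal string 'off',
// so that value is treated as plain HTTP.
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Rebuilds the requested URL with the given scheme ('http' or 'https').
// HTTP_HOST comes from the client's Host header, so it is checked against
// an allow-list (assumed configuration) before being placed in a header.
function absolute_url(string $scheme, array $allowed_hosts): string
{
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowed_hosts, true)) {
        // Fall back to the first configured host rather than redirecting
        // the browser to a host supplied by the request itself.
        $host = $allowed_hosts[0];
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    return $scheme . '://' . $host . $uri;
}

// Equivalent of require_once 'secure_conn.php': force HTTPS.
function require_secure_connection(array $allowed_hosts): void
{
    if (!is_https()) {
        header('Location: ' . absolute_url('https', $allowed_hosts), true, 301);
        exit; // stop here so the sensitive page body is never sent over HTTP
    }
}

// Equivalent of require_once 'reg_conn.php': return to plain HTTP.
function require_regular_connection(array $allowed_hosts): void
{
    if (is_https()) {
        header('Location: ' . absolute_url('http', $allowed_hosts), true, 302);
        exit;
    }
}

// Usage at the top of a page that shows sensitive data (host list assumed):
require_secure_connection(['webdev.cislabs.uncw.edu']);
```

Current practice is to serve every page over HTTPS and enable HSTS rather than revert to HTTP after logout, so require_regular_connection() is included only because the slides describe that step.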