What is SSL?

SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted
links between a web server and a browser in an online communication.
The usage of SSL technology ensures that all data transmitted between the web server
and browser remains encrypted.
An SSL certificate is necessary to create SSL connection. You would need to give all
details about the identity of your website and your company as and when you choose to
activate SSL on your web server. Following this, two cryptographic keys are created - a
Private Key and a Public Key.

The next step is the submission of the CSR (Certificate Signing Request), which
is a data file that contains your details as well as your Public Key. The CA
(Certification Authority) would then validate your details. Following successful
authentication of all details, you will be issued SSL certificate. The newly -
issued SSL would be matched to your Private Key. From this point onwards, an
encrypted link is established by your web server betwee n your website and the
customer's web browser.

On the apparent level, the presence of an SSL protocol and an encrypted

session is indicated by the presence of the lock icon in the address bar. A click
on the lock icon displays to a user/customer details ab out your SSL. It's to be
remembered that SSL Certificates are issued to either companies or legally
accountable individuals only after proper authentication.
An SSL Certificate comprises of your domain name, the name of your company
and other things like your address, your city, your state and your country. It
would also show the expiration date of the SSL plus details of the issuing CA.
Whenever a browser initiates a connection with a SSL secured website , it will
first retrieve the site's SSL Certificate to check if it's still valid. It's also verified
that the CA is one that the browser trusts, and also that the certificate is being
used by the website for which it has been issued. If any of these checks fail, a
warning will be displayed to the user, indicating that the website is not secured
by a valid SSL certificate.
What is SSL/TLS Certificate?

SSL or TLS (Transport Layer Security) certificates are data files that bind a
cryptographic key to the details of an organization. When SSL/TLS certificate is
installed on a web server, it enables a secure connection between the web
server and the browser that connects to it. The website's URL is prefixed with
"https" instead of "http" and a padlock is shown on the address bar. If the
website uses an extended validation (EV) certificate, then the browser may also
show a green address bar.
What is SSL used for?

The SSL protocol is used by millions of online business to protect their

customers, ensuring their online transactions remain confidential. A web page
should use encryption when it expects users to submit confidential data,
including personal information, passwords, or credit card details. All web
browsers have the ability to interact with secured sites so long as the site's
certificate is issued by a trusted CA.
Why do I need SSL certificate?

The internet has spawned new global business opportunities for enterprises
conducting online commerce. However, that growth has also attracted
fraudsters and cyber criminals who are ready to exploit any opportunity to st eal
consumer bank account numbers and card details. Any moderately skilled
hacker can easily intercept and read the traffic unless the connection between a
client (e.g. internet browser) and a web server is encrypted.
 How Does SSL Work?

The following graphic explains how SSL Certificate works on a website. The
process of how an 'SSL handshake' takes place is explained below:
 An end-user asks their browser to make a secure connection to a website
(e.g.https://www.example.com)

 The browser obtains the IP address of the site from a DNS server then requests a secure
connection to the website.

 To initiate this secure connection, the browser requests that the server identifies itself by sending
a copy of its SSL certificate to the browser.

 The browser checks the certificate to ensure:

 That it is signed by a trusted CA

 That it is valid - that it has not expired or been revoked

 That it confirms to required security standards on key lengths and other items.

 That the domain listed on the certificate matches the domain that was requested by the user.

 When the browser confirms that the website can be trusted, it creates a symmetric session key
which it encrypts with the public key in the website's certificate. The session key is then sent to the
web server.

 The web server uses its private key to decrypt the symmetric session key.

 The server sends back an acknowledgement that is encrypted with the session key.

 From now on, all data transmitted between the server and the browser is encrypted and secure.

How do I implement SSL on my website?

Implementing SSL for a website is quite easy! A typical installation of SSL

certificate involves the following steps:

Step 1. Acquire SSL certificate

To implement SSL/TLS security on your website, you need to get and install a
certificate from a trusted CA. A trusted CA will have its root certificates
embedded in all major root store programs, meaning the certificate you
purchase will be trusted by the internet browsers and mobile devices used by
your website visitors.
 You should also decide which type of certificate suits you best.

 Single domain certificates allow you to secure one fully qualified domain name (FQDN).
 Wildcard certificates secure a single domain and unlimited subdomains of that domain. For
example, a wildcard certificate for '*.domain.com' could also be used to secure
'payments.domain.com', 'login.domain.com', 'anything-else.domain.com'
 Multi-domain certificates allow website owners to secure multiple, distinct domains on a one
certificate. For example, a single MDC can be used to secure domain-1.com, domain-2.com,
domain-3.co.uk, domain-4.net and so on.
 Extended Validation certificates provide the highest levels of security, trust and customer
conversion for online businesses. Because of this, EV certificates contain a unique differentiator
designed to clearly communicate the trustworthiness of the website to its visitors. Whenever
somebody visits a website that uses an EV SSL, the address bar will turn green in major browsers
such as Internet Explorer, Firefox and Chrome.

Step 2. Activate and install your SSL certificate

When SSL certificate is purchased from a web host, its activation is taken care
of by the web host. The administrator of the website can also activate the SSL
through Web Host Manager (WHM) or cPanel. In the WHM dashboard select
the SSL/TLS option and choose "Generate SSL Certificate and Signing
Request". Next, generate your Private Key and fill out the form for Certificate
Signing Request (CSR). Ensure that you enter your domain name in the box
asking for "Host to make cert for". You will need to send this CSR to your CA in
order to purchase a certificate.
See https://support.comodo.com/index.php?/Knowledgebase/List/Index/19/csr-
generation/ for help to generate a CSR using various webserver types.
Comodo offers detailed guides for installing certificates on various webservers
too. See SSL Certificate Installation on Different Web Servers for a full list. The
guides provides installation instructions for different software types such as
Apache, Apache on Cobalt, BEA, C2Net Stronghold, Ensim, F5, Hsphere, IBM,
Microsoft, Netscape / Sun, Novell, Plesk, SSL Accelerator, Website Pro, and
Zeus.
Step 3. Update Website from HTTP to HTTPS
Your website is now capable of HTTPS! You must now configure you website so
that visitors who access this site get automatically directed to the "HTTPS"
version. Search engine providers like Google are now offering SEO benefits to
SSL pages, so the effort to serve all pages on your site over HTTPS is well
worth it.

Who issues SSL Certificates?

A certificate authority or certification authority (CA) issues SSL certificates. On

receiving an application, the CA verifies two factors: It confirms the legal
identity of the enterprise/company seeking the certificate and whether the
applicant controls the domain mentioned in the certificate. The issued SSL
certificates are chained to a 'trusted root' certificate owned by the CA. Most
popular internet browsers such as Firefox, Chrome, Internet Ex plorer, Microsoft
Edge, and others have these root certificates embedded in their 'certificate
store'. Only if a website certificate chains to a root in its certificate store will the
browser allow a trusted and secure https connection. If a website certif icate
does not chain to a root then the browser will display a warning that the
connection is not trusted.
What details are included in a SSL certificate

SSL Certificates will contain details of whom the certificate has been issued to.
This includes the domain name or common name, serial number; the details of
the issuer; the period of validity - issue date and expiry date; SHA Fingerprints;
subject public key algorithm, subject's public key; certificate signature
algorithm, certificate signature value. Other important details such as the type
of certificate, SSL/TLS version, Perfect Forward Secrecy status, and cipher
suite details are included. Organization validated and extended validation
certificates also contain verified identity information about the o wner of the
website, including organization name, address, city, state and country.
 How can I tell when a site uses SSL?

A web page using SSL will display

 "https://" instead of "http://" before the website's address in the browser's address bar
 A padlock icon in the address bar of the browser before the address.
 With an Extended Validation Certificate, the address bar also shows the registered name of the
company that owns the website, the name of the issuing CA and, an additional green security
indicator.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol that provides privacy and data
integrity between two communicating applications. It's the most widely
deployed security protocol used today, and is used for Web browsers and
other applications that require data to be securely exchanged over a network,
such as file transfers, VPN connections, instant messaging and voice over IP
TLS evolved from Netscape's Secure Sockets Layer (SSL) protocol and has
largely superseded it, although the terms SSL or SSL/TLS are still sometimes
used. Key differences between SSL and TLS that make TLS a more secure
and efficient protocol are message authentication, key material generation
and the supported ciphersuites, with TLS supporting newer and more secure
algorithms. TLS and SSL are not interoperable, though TLS currently provides
some backward compatibility in order to work with legacy systems.

According to the protocol specification, TLS is composed of two layers: the

TLS Record Protocol and the TLS Handshake Protocol. The Record Protocol
provides connection security, while the Handshake Protocol allows
the server and client to authenticate each other and to
negotiate encryption algorithms and cryptographic keys before any data is
exchanged.

Implementation flaws have always been a big problem with any encryption
technology, and TLS is no exception. The infamous Heartbleed bug was the
result of a surprisingly small bug in a piece of logic that relates
to OpenSSL's implementation of the TLS heartbeatmechanism, which is
designed to keep connections alive even when no data is being transmitted.
Although TLS is not vulnerable to the POODLE attack, because it specifies
that all padding bytes must have the same value and be verified, a variant of
the attack has exploited certain implementations of the TLS protocol that don't
correctly validate encryption padding.

The IETF officially took over the SSL protocol to standardize it with an open
process and released version 3.1 of SSL in 1999 as TLS 1.0. The protocol
was renamed TLS to avoid legal issues with Netscape, which developed the
SSL protocol as a key feature part of its original Web browser.

TLS 1.2 is the current version of the protocol, and as of this writing, the
Transport Layer Security Working Group of the IETF is working on TLS 1.3 to
address the vulnerabilities that have been exposed over the past few years,
reduce the chance of implementation errors and remove features no longer
needed. TLS 1.3 is still a draft and has not been finalized yet, but having an
updated protocol that's faster, more secure and easier to implement is
essential to ensure the privacy and security of information exchange and
maintain trust in the Internet as a whole.
Hypertext Transport Protocol Secure
(HTTPS)
Definition - What does Hypertext Transport Protocol Secure (HTTPS) mean?
Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer
protocol (HTTP) that adds a layer of security on the data in transit through a secure
socket layer (SSL) or transport layer security (TLS) protocol connection.
HTTPS enables encrypted communication and secure connection between a remote
user and the primary web server.

Techopedia explains Hypertext Transport Protocol Secure (HTTPS)

HTTPS is primarily designed to provide enhanced security layer over the unsecured
HTTP protocol for sensitive data and transactions such as billing details, credit card
transactions and user login etc. HTTPS encrypts every data packet in transition using
SSL or TLS encryption technique to avoid intermediary hackers and attackers to extract
the content of the data; even if the connection is compromised.
HTTPS is configured and supported by default in most web browsers and initiates a
secure connection automatically if the accessed web servers requests secure
connection. HTTPS works in collaboration with certificate authorities that evaluates the
security certificate of the accessed website.

REMOTE USER-AUTHENTICATION PRINCIPLES

In most computer security contexts, user authentication is the fundamental building
block and the primary line of defense. User authentication is
the basis for most types of access control and for user accountability.RFC 2828 defi
nes user authentication as shown on the following page.
For example, user Alice Toklas could have the user identifier ABTOKLAS. This
information needs to be stored on any server or computer system that Alice
wishes to use and could be known to systemadministrators and other users. A typi-
cal item of authentication information associated with this user ID is a password,
which is kept secret (known only to Alice and to the system). If no one is
able to obtain or guessAlice’s password,
then the combination of Alice’s user ID and password enables administrators to se
t upAlice’s access permissions and audit her activity. Because Alice’s ID
is not secret, system users can sendher e-
mail, but because her password is secret, no one can pretend to be Alice.

The process of verifying an identity claimed by or for a system entity. An

authentication process consists of two steps:
• Identification step: Presenting an identifier to the security system. (Identifie
rs should be assigned carefully, because authenticated identities
are the basis for other security services, such as access controlservice.)
• Verification step: Presenting or generating authentication information that
corroborates the binding between the entity and the identifier.

In essence, identification is the means by which a user provides a claimed iden-

tity to the system; userauthentication is the means of establishing the validity of the
claim. Note that user authentication is distinct from message authentication. As
defined in Chapter 12, message authentication is a procedure that allowscommuni-
cating parties to verify that the contents of a received message
have not been altered and that the source is authentic. This chapter is concerned
solely with user authentication.
There are four general means of authenticating a user’s identity, which can be
used alone or in combination:
• Something the individual knows: Examples
include a password, a personal identification number (PIN), or answers to
a prearranged set of questions.
• Something the individual possesses: Examples include cryptographic ke
ys, electronic keycards,smart cards, and physical keys. This type of authenticator is
referred to as a token.
• Something the individual is (static biometrics): Examples include recog
nition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include r
ecog- nition by voice pattern, handwriting characteristics, and typing rhythm.
All of these methods, properly implemented and used, can provide secure user
authentication. However, eachmethod has problems. An adversary may be able to
guess or steal a password. Similarly, an adversary may be able to forge or steal a
token. A user may forget a password or lose a token. Furthermore, there is a signifi-
cant administrative overhead for managing password and token information on
systems and securing such
information on systems. With respect to biometric authenticators, there are a variet
y of problems, includingdealing with false positives
and false negatives, user acceptance, cost, and convenience. For network-baseduser
authentication, the most important methods involve cryptographic keys and some-
thing the individualknows, such as a password.

Mutual Authentication
An important application area is that of mutual
authentication protocols. Such protocols enablecommunicating parties to satisfy th
emselves mutually about each
other’s identity and to exchange sessionkeys. This topic was examined in Chapter 14.
There, the focus was key distribution. We return to this topic here to consider the
wider implications of authentication.
Central to the problem of authenticated key exchange are two issues: confiden-
tiality and timeliness. To prevent masquerade and to prevent
compromise of session keys, essential identification and session-
key informationmust be communicated in encrypted form. This requires the prior
existence of secret or public keys that
can beused for this purpose. The second issue, timeliness, is important because of the th
reat of
message replays. Suchreplays, at worst, could allow an opponent to compromise a ses-
sion key or successfully impersonate anotherparty.At minimum, a successful replay can
disrupt operations by presenting parties with messages that appeargenuine but are not.
[GONG93] lists the following examples of replay attacks:
• Simple replay: The opponent simply copies a message and replays it later.
• Repetition that can be logged: An opponent can replay a timestamped message
within the valid timewindow.
• Repetition that cannot be detected: This situation could arise because the
original message could have been suppressed and thus did not arrive
at its destination; only the replay message arrives.
• Backward replay without modification: This is a replay back to the message
sender. This attack ispossible if symmetric encryption is used and the sender cannot
easily recognize the difference between messages sent and messages
received on the basis of content.
One approach to coping with replay attacks is to attach a sequence number to
each message used in anauthentication exchange. A new message is accepted only if
its sequence number is in the proper order. Thedifficulty with this approach is that
it requires each party to keep track of the last sequence number for eachclaimant it
has dealt with. Because of this overhead, sequence numbers are generally not used
forauthentication and key exchange. Instead, one of
the following two general approaches is used:
• Timestamps: Party A accepts a message as fresh only if the message
contains a timestamp that, inA’s judgment, is close enough to A’s knowledge of
current time. This approach requires that clocks among the various participants be
synchronized.
• Challenge/response: Party A, expecting a fresh message from B, first sends B a
nonce (challenge) andrequires that the subsequent
message (response) received from B contain the correct nonce value.
It can be argued (e.g., [LAM92a]) that the timestamp approach should not be used
for connection-oriented applications because of the inherent difficulties with this
technique. First, some sort of protocol is needed to maintain synchronization
among the various processor clocks. This protocol must be both fault tolerant, to
cope with network errors, and secure, to cope with hostile attacks. Second, the oppor-
tunity for a successfulattack will arise if there is a temporary loss of synchronization
resulting from a fault in the clock mechanism ofone of the parties. Finally, because of
the variable and unpredictable nature of network delays, distributed clocks cannot
be expected to maintain precise synchronization. Therefore, any timestamp-based
proceduremust allow for a window of time sufficiently large to accommodate net-
work delays yet sufficiently small tominimize the opportunity for attack.
On the other hand, the challenge-response approach is unsuitable for a con-
nectionless type of application, because it requires the overhead of a handshake
before any connectionless transmission, effectively negatingthe chief characteristic
of a connectionless transaction. For such applications, reliance on some
sort ofsecure time server and a consistent attempt by each party to keep its clocks i
n syn- chronization may be thebest approach (e.g., [LAM92b]).
One-Way Authentication
One application for which encryption is growing in popularity is electronic mail (e-
mail). The very nature of electronic mail, and its chief benefit, is that it is not
necessary for the sender and receiver to be online at the same time. Instead, the e-
mail message is forwarded to the receiver’s electronic mailbox, where it is buffered
until the receiver is available to read it.
The “envelope” or header of the e-mail message must be in the clear, so that the
message can be handled by the store-and-forward e-mail protocol, such as the
Simple Mail Transfer Protocol (SMTP) or X.400.However, it is often desirable that
the mail-handling protocol not require access to the plaintext form of themessage,
because that would require trusting the mail-handling mechanism. Accordingly, the
e-mail message should be encrypted such that the mail-handling system is not in
possession of the decryption key.
A second requirement is that of authentication. Typically, the recipient wants
some assurance that themessage is from the alleged sender.

Malicious Software (Malware)

Definition - What does Malicious Software (Malware) mean?
Malicious software, commonly known as malware, is any software that brings harm to a
computer system. Malware can be in the form of worms, viruses, trojans, spyware,
adware and rootkits, etc., which steal protected data, delete documents or add software
not approved by a user.

Techopedia explains Malicious Software (Malware)

Malware is software designed to cause harm to a computer and user. Some forms of
malware “spy” on user Internet traffic. Examples include spyware and adware. Spyware
monitors a user’s location and if enabled, it can capture sensitive information, e.g.,
credit card numbers, promoting identity theft. Adware also acquires user information,
which is shared with advertisers and then integrated with unwanted, triggered pop-up
ads.
Worms and viruses behave differently, as they can quickly proliferate and undermine an
entire computer system. They also may perform unsavory activities from a user’s
computer without the user’s knowledge. In the wake of a virus or worm, a computer
system can experience significant damage.
Anti-malware should determine if there are threats by scanning a computer and
removing them, if found. Prevention is better than corrective action after infection.
Although anti-virus programs should be continually enabled and updated, certain types
of threats, like spyware, often make their way into a computer system.
At all times, a firewall should be in place for additional security. Multiple, compatible
protective sources are encouraged as additional insurance against malware.

Hypertext Transport Protocol Secure

(HTTPS)
Definition - What does Hypertext Transport Protocol Secure (HTTPS) mean?
Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer
protocol (HTTP) that adds a layer of security on the data in transit through a secure
socket layer (SSL) or transport layer security (TLS) protocol connection.
HTTPS enables encrypted communication and secure connection between a remote
user and the primary web server.