Basic knowledge of SSL, HTTPS and certificates is a must for any Java
programmer, especially one working on financial or otherwise security-sensitive
applications that are accessed over the internet. In this article I give an overview
of these three key concepts and of how SSL, HTTPS and certificates work together
to provide secure communication between client and server. (Strictly speaking, SSL
has been superseded by TLS, which is what every modern browser and JDK actually
negotiates; the name "SSL" has stuck, and this article uses it in that loose sense.)
Security is a major concern when developing a web application that is reachable over
the HTTP protocol. Since HTTP transfers data in plain text, it is not safe for
sending sensitive information such as usernames, passwords, social security
numbers (SSN) or credit card details for online shopping. HTTP also gives you no
way to check that the website you are talking to is the one the URL names: an
attacker who can redirect or intercept your traffic can serve a malicious site in
place of the genuine one, and HTTP can neither prevent this nor warn you.
How SSL and HTTPS works
HTTPS and SSL address these two issues. HTTPS is HTTP over SSL, and SSL
stands for Secure Sockets Layer, which provides both encryption of the traffic and
verification of the website's identity. That is why almost all banks and commercial
portals, such as travel or airline booking, movie booking or online shopping sites,
use the https protocol. When data is transmitted over HTTPS it is encrypted before
transmission at both the client and the server end, so anyone who intercepts the
traffic sees only ciphertext, not the data itself. Since every request and response
is encrypted and decrypted at both ends, this adds some CPU cost and latency on the
server, but it protects against eavesdropping. SSL also facilitates verification of the
website by using certificates issued by a trusted third-party certificate authority (CA)
such as VeriSign, GoDaddy or Thawte. You may have noticed that when you access a site
over https, the browser's address bar shows a padlock, and the certificate details
name the CA that issued the certificate (for example VeriSign or Thawte). You can
also read SSL and TLS: Designing and Building Secure Systems by Eric Rescorla to understand how SSL works and how to build secure systems on top of it.
How SSL uses Certification for
Identification
How does this certification work? When a client (browser) connects to a server
using https, the server returns its certificate together with the chain of
certificates leading up to the issuing CA. The client holds a set of trusted CA
root certificates: a browser keeps them in its own trusted certificate store, and a
Java application reads them from its truststore (by default the JDK's cacerts file;
the keystore, by contrast, is where a Java server keeps its own private key and
certificate). The client validates the certificate presented by the server by
building a chain from it to one of those trusted roots, and additionally checks that
the certificate has not expired and that the hostname in the URL matches a name in
the certificate. If the browser or Java client cannot build such a chain, it alerts
you that the certificate is not recognized and recommends that you do not visit the
site; a Java client throws an SSLHandshakeException instead. You can also manually
trust a website by asking the browser to add the certificate presented by the server
to its trusted certificate store. This is the usual situation in development, when
Tomcat returns a self-signed or test certificate. For Java programmers, the JDK ships
with the keytool command, which can be used to create self-signed certificates and to
store them in a keystore (for the server) or import them into a truststore (for the
client).
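The following is an added example, not code from the original article: it shows the two sides of the trust decision described above from a Java client. First it connects with the JDK's default truststore, which rejects a self-signed development certificate with an SSLHandshakeException; then it loads an explicit truststore that contains that certificate, builds an SSLContext from it, and inspects the certificate chain the server presented. It assumes a server listening on https://localhost:8443 with a self-signed certificate, and a PKCS12 truststore at ./dev-truststore.p12 (password "changeit") into which that certificate has been imported; the keytool commands that produce those files are listed in the header comment. The URL, file names, alias and password are all assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the article). Assumed setup, done once with keytool:
 *
 *   # server side: self-signed key pair in the server's keystore
 *   keytool -genkeypair -alias devserver -keyalg RSA -keysize 2048 -validity 365 \
 *       -dname "CN=localhost" -ext san=dns:localhost \
 *       -keystore dev-keystore.p12 -storetype PKCS12 -storepass changeit
 *   # export the certificate (public part only)
 *   keytool -exportcert -alias devserver -keystore dev-keystore.p12 \
 *       -storepass changeit -rfc -file devserver.crt
 *   # client side: import it into a truststore
 *   keytool -importcert -alias devserver -file devserver.crt -noprompt \
 *       -keystore dev-truststore.p12 -storetype PKCS12 -storepass changeit
 *
 * The server (e.g. Tomcat) is assumed to serve https://localhost:8443 using
 * dev-keystore.p12.
 */
public class TrustStoreDemo {

    /** Connect using the JDK default trust (cacerts). A self-signed dev
     *  certificate is not chained to any trusted root, so the handshake fails. */
    static boolean connectsWithDefaultTrust(String url) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(url).toURL().openConnection();
        try {
            conn.connect();            // performs the TLS handshake
            return true;
        } catch (SSLHandshakeException e) {
            // typically "PKIX path building failed ... unable to find valid certification path"
            System.out.println("default trust rejected server cert: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    /** Build an SSLContext whose trust manager consults the given PKCS12 truststore. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key, explicit trust
        return ctx;
    }

    /** Connect with the explicit trust and print what the server presented. */
    static void connectAndInspect(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the JDK default: the host in the URL must
        // match a subjectAltName in the certificate. Never install a HostnameVerifier
        // that always returns true; that reintroduces the impersonation problem.
        conn.connect();
        System.out.println("negotiated cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity();   // throws if the cert is expired or not yet valid
            System.out.println("subject: " + x.getSubjectX500Principal());
            System.out.println("issuer : " + x.getIssuerX500Principal());
            System.out.println("expires: " + x.getNotAfter());
        }
        conn.disconnect();
    }

    public static void main(String[] args) throws Exception {
        String url = "https://localhost:8443/";
        connectsWithDefaultTrust(url);   // expected: false for a self-signed cert
        SSLContext ctx = contextFromTrustStore("dev-truststore.p12", "changeit".toCharArray());
        connectAndInspect(url, ctx);     // expected: subject and issuer both CN=localhost
    }
}
```

Note that the truststore approach scopes the extra trust to this one application, whereas the common shortcut of a trust-all TrustManager or a permissive HostnameVerifier disables certificate validation entirely and should never reach production. Pointing the whole JVM at a truststore is also possible with the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, which is what you would typically do for a Tomcat-based test environment.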
That's all for this rather quick overview of SSL, HTTPS and certificates
and how they work together. The purpose of this article was to give at least a basic
understanding of how client-server communication is secured. If you are developing
secure applications in Java, it is good to know the fundamental concepts behind
SSL, HTTPS and certificates before you start configuring keystores and truststores.