HTTPS for Websites and APIs

PHPPDX Meetup Talk 7/17/2018

Description

HTTPS is an important topic on the web these days. As of this month, July 2018, Google's Chrome browser will mark non-HTTPS sites as ‘not secure’. Not as well discussed, but equally important is what HTTPS means for your API. Jeremy Kenedy (jeremykenedy@gmail.com), Web Engineering Manager at Sq1 Portland, will give us a rundown of SSL/TLS and the role it plays in HTTPS. We'll discuss the practical implications of HTTPS for API requests and see practical examples of a middleware approach to handling redirection in your PHP application.

Google Chrome non-HTTPS

SSL/TLS

  • Standard security protocol for establishing encrypted communication.
  • Ensures that all data transmitted between a web server and client is encrypted with RSA (Rivest, Shamir, Adleman) encryption.
  • An SSL/TLS certificate is required for an SSL/TLS connection.
  • Server identity is verified (at different levels).
  • HTTPS requires SSL/TLS.
  • HTTP/2 requires SSL/TLS.

TLS

  • Transport Layer Security
  • TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.
  • Became standard over SSL in 1999.

SSL

  • Secure Sockets Layer.
  • Predecessor of TLS; the older protocol versions that clients fall back to when TLS is unavailable.

SSL/TLS Certificate

  • The encryption/key type is listed in the certificate's Signature Algorithm field.
  • Issued by a Certificate Authority (CA).
    • Free, open-source DV SSL/TLS certificates are available from Let's Encrypt.
    • Paid issuers have 3 types available.
  • The encryption levels are the same for each certificate type.
  • All have a validity period.
3 Different Paid Types of SSL/TLS Certificates

  1. Extended Validation (EV SSL)
    • Verifies the legal, physical and operational existence of the entity.
    • Verifies that the identity of the entity matches official records.
    • Verifies that the entity has the exclusive right to use the domain specified in the EV SSL certificate.
    • Verifies that the entity has properly authorized the issuance of the EV SSL certificate.
  2. Organization Validated (OV SSL)
    • Checks the right of the applicant to use a specific domain.
    • Some vetting of the organization; usually something like an e-commerce secure site seal.
    • Gives enhanced visibility into who is behind the site and the associated enhanced trust.
  3. Domain Validated (DV SSL)
    • Checks the right of the applicant to use a specific domain.
    • No company identity information is vetted.
    • No information is displayed other than encryption information.
    • The receiving server is not otherwise verified.
Differences between Let's Encrypt and paid Certificate Authorities

| Item | Description |
| --- | --- |
| Extended validity | Let's Encrypt certificates are only valid for 90 days and must be renewed frequently. By contrast, most traditional SSL certificates are valid for at least one year, with the option of longer validity periods (for example, three years). |
| Warranty | Let's Encrypt certificates do not include a warranty, whereas traditional SSL certificates usually do. |
| Support | Let's Encrypt does not have staff available to assist with creating or installing SSL certificates. This can be an issue for professionals and business owners who must quickly get a site configured and working. For example, GlobalSign has a network of trained personnel who provide support through online ticketing, chat, and telephone. |
| Customer vetting | Let's Encrypt uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional vetting procedures to help verify that customers actually are who they claim to be. |
| SSL certificate options | Let's Encrypt only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider. Additionally, Let's Encrypt does not offer wildcard or multi-domain certificates. |

source

Installing SSL/TLS Certificate on a Server

  • A certificate consists of one or more verified .crt files that live on your server and are linked through your server's configuration.
  • The .crt files are obtained from the Certificate Authority provider or self-generated (self-signed).
  • Your server needs an RSA private key generated on it.
Most common install options

Conventional Usage

  • Encrypts the connection between users and websites/web apps.
  • Provides server and other company identity data for the website or web app.
  • Creates public trust between the public/users and the website/app.
  • Properly allows for handling more sensitive data and credentials on the website/app.

API Usage

  • All of the above.
  • Provides trust between developers and the API they consume.
  • Protects the server and its data by enforcing secured (HTTPS) calls.

Handling Redirects

Server Level - Apache
Server Level - Nginx
App Level
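An app-level redirect middleware, added here as an illustration of the approach named above (not the talk's own code). It works on a `$_SERVER`-style array so it can sit in a plain front controller or be adapted to a framework pipeline; the canonical host and trusted proxy IP are assumed sample values.

```php
<?php
declare(strict_types=1);

// Added example: forces HTTPS, trusting X-Forwarded-Proto only from known proxies,
// and redirects to a fixed canonical host instead of echoing the Host header.
final class ForceHttpsMiddleware
{
    /** @param string[] $trustedProxies IPs allowed to set X-Forwarded-Proto */
    public function __construct(
        private string $canonicalHost,
        private array $trustedProxies = []
    ) {}

    public function isHttps(array $server): bool
    {
        // TLS terminated on this server: PHP populates HTTPS (Apache uses "on"/"off").
        if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
            return true;
        }
        // Behind a load balancer: a client could set X-Forwarded-Proto itself, so
        // only believe it when the direct peer is a proxy we operate.
        $peer = $server['REMOTE_ADDR'] ?? '';
        if (in_array($peer, $this->trustedProxies, true)) {
            return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
        }
        return false;
    }

    /** Returns ['status' => int, 'headers' => array, 'body' => string]. */
    public function __invoke(array $server, callable $next): array
    {
        if ($this->isHttps($server)) {
            $response = $next($server);
            // HSTS is only meaningful on an HTTPS response: browsers ignore it over HTTP.
            $response['headers']['Strict-Transport-Security'] = 'max-age=31536000';
            return $response;
        }
        $uri = $server['REQUEST_URI'] ?? '/';
        // 301 is fine for GET/HEAD; 308 preserves method and body for POST/PUT API calls.
        $method = $server['REQUEST_METHOD'] ?? 'GET';
        $status = in_array($method, ['GET', 'HEAD'], true) ? 301 : 308;
        $location = 'https://' . $this->canonicalHost . $uri;
        return ['status' => $status, 'headers' => ['Location' => $location], 'body' => ''];
    }
}

// Front-controller usage (sample host and proxy IP are constructed values).
$middleware = new ForceHttpsMiddleware('example.com', ['10.0.0.5']);
$response = $middleware($_SERVER, fn (array $req): array => ['status' => 200, 'headers' => [], 'body' => 'ok']);
http_response_code($response['status']);
foreach ($response['headers'] as $name => $value) {
    header("{$name}: {$value}");
}
echo $response['body'];
```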

Dangers of non-HTTPS

  • Traffic can be snooped/watched.
  • Data can easily be stolen.
  • CDN and API Dependencies may not work.
  • Puts others at risk.
  • Loss/lack of public trust.

References
