DEV Community

An Intro On HTTP Security

Jamie on October 22, 2018

By the time you have read this, I will have given a talk at WordPress Leeds the folks who organise the meetup are fantastic, and you should defini...
Russ Hammett

Encrypting the message isn't fool-proof, because the same folks between me and the BBC server can get the keys used to encrypt our messages. But they have to be watching the requests from the very beginning, which isn't easy to do.

is this true? I was under the impression that things like TLS have both parties use their own private/public key pairs, something like diffie hellman to get a shared secret, then a KDF to derive a key that's never transmitted over the wire.
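The key exchange Russ describes (ephemeral key pairs, a Diffie-Hellman shared secret that is computed on both ends but never sent, and a KDF that turns it into the traffic key), as an added example that is not part of the original post or either commenter's text. It uses a constructed 127-bit toy group so it runs stand-alone; the group size, the "toy handshake traffic key" label and the `run_handshake` / `observer_can_read_key` helpers are all assumptions made for illustration, and real TLS uses RFC 7919 finite-field groups or elliptic curves such as X25519 and P-256. The HKDF is the real RFC 5869 construction.

```python
import hashlib
import hmac
import secrets

# Toy-sized finite-field Diffie-Hellman group, constructed here for illustration only.
# 2**127 - 1 is prime, but a 127-bit modulus is far too small to be secure; real TLS
# uses 2048-bit+ groups (RFC 7919) or elliptic curves such as X25519 and P-256.
P = 2**127 - 1
G = 2
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step, one HMAC block at a time
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One side of the handshake. The private exponent never leaves this object."""

    def __init__(self) -> None:
        self.private = secrets.randbelow(P - 3) + 2  # ephemeral: fresh for every handshake
        self.public = pow(G, self.private, P)  # the only value this side puts on the wire

    def session_key(self, peer_public: int, transcript: bytes) -> bytes:
        shared = pow(peer_public, self.private, P)  # g^(ab) mod p, computed locally, never sent
        ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        # Salting with a hash of the transcript binds the key to this exchange only.
        return hkdf_sha256(ikm, salt=transcript, info=b"toy handshake traffic key", length=KEY_LEN)


def run_handshake() -> dict:
    """Run one ephemeral DH exchange; report what each side derived and what was observable."""
    client, server = Party(), Party()
    wire = [("client->server", client.public), ("server->client", server.public)]
    transcript = hashlib.sha256(repr(wire).encode()).digest()
    return {
        "client_key": client.session_key(server.public, transcript),
        "server_key": server.session_key(client.public, transcript),
        "wire_values": [value for _, value in wire],  # everything an on-path observer sees
        "client_private": client.private,  # exposed here only so a check can confirm it never leaked
        "server_private": server.private,
    }


def observer_can_read_key(result: dict) -> bool:
    """An observer holding only the wire values would need a discrete logarithm to recover
    either private exponent; this simply confirms neither exponent appears on the wire."""
    wire = result["wire_values"]
    return result["client_private"] in wire or result["server_private"] in wire


if __name__ == "__main__":
    r = run_handshake()
    print("both sides derived the same key:", r["client_key"] == r["server_key"])
    print("traffic key (hex):", r["client_key"].hex())
    print("private exponent visible on the wire:", observer_can_read_key(r))
```

Because the exponents are ephemeral, a second run produces an unrelated key, which is why capturing traffic after the fact does not help an observer: there is no long-term key on the wire to recover.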

Jamie

You're absolutely right. I'll need to think of how to change this slightly.

I wanted to somehow point out that, given enough compute time, the encryption can be brute forced after the fact. I think I'll just leave that bit out.

But I will edit this post/notes to strike through that bit.

Russ Hammett

Yeah, encryption keys are only valid for n numbers of operations, that number changes depending on the bit size of the key, but it's a pretty large number. But yeah, getting into that's kinda the nitty gritty.

Even still, brute forcing even the smaller of AES keys (128 bits) takes a long time - not sure how accurate this is to today's compute, but from: eetimes.com/document.asp?doc_id=12.... in the uh, scientific notation of years!

Sung M. Kim

Thank you again for the follow-up security post, Jamie.

I am trying to understand by rephrasing.

In Single Responsibility Principle,

give them the LEAST possible access; just enough to get the work done, and no more.

So is the rule of thumb to "black list" everyone and open up access one by one?

Did I understand it correctly?

no one has used SSL since the 90s, but the acronym has stuck

😲 I honestly didn't know!

Jamie

So is the rule of thumb to "black list" everyone and open up access one by one?

Effectively yes. Think of your employer. Does everyone in the world have access to your company building? I'd suspect that only those who need to be there have access to it.

What about the server rooms? Assuming that you have on prem servers, of course. Is everyone at your work given admin access to the resources on your network? (please don't answer that one, just think about it).

You don't want to give everyone access to everything.

no one has used SSL since the 90s, but the acronym has stuck

😲 I honestly didn't know!

Yeah. The Secure Sockets Layer algorithm had too many potential flaws and was replaced with Transport Layer Security. From an end user perspective it's the same thing, though.
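The "block everyone, then open access one by one" rule from the exchange above, as an added example that is not part of the post or the comments. It contrasts a deny-by-default allow list with an allow-by-default block list using constructed principals (alice, bob, carol), constructed resources (front-door, server-room) and the `Grant`, `AllowListPolicy`, `DenyListPolicy` and `evaluate` names, all of which are assumptions for illustration. The point it shows is the failure mode of the block list: a principal nobody anticipated when the rules were written is let straight in.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

Request = Tuple[str, str, str]  # (principal, resource, action)


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    actions: frozenset


class AllowListPolicy:
    """Deny by default: a request passes only if an explicit grant covers it."""

    def __init__(self, grants: Iterable[Grant]) -> None:
        self._grants = tuple(grants)

    def is_allowed(self, principal: str, resource: str, action: str) -> bool:
        return any(
            g.principal == principal and g.resource == resource and action in g.actions
            for g in self._grants
        )


class DenyListPolicy:
    """Allow by default: everything passes unless someone remembered to block it."""

    def __init__(self, blocked: Iterable[Request]) -> None:
        self._blocked = frozenset(blocked)

    def is_allowed(self, principal: str, resource: str, action: str) -> bool:
        return (principal, resource, action) not in self._blocked


# Constructed sample policies expressing the same intent both ways:
# everyone on staff may enter the front door, only bob may administer the server room.
ALLOW = AllowListPolicy([
    Grant("alice", "front-door", frozenset({"enter"})),
    Grant("bob", "front-door", frozenset({"enter"})),
    Grant("bob", "server-room", frozenset({"enter", "admin"})),
])

DENY = DenyListPolicy([
    ("alice", "server-room", "enter"),
    ("alice", "server-room", "admin"),
])

# Constructed requests. "carol" joined after the rules were written and was never added to either.
REQUESTS: Tuple[Request, ...] = (
    ("alice", "front-door", "enter"),
    ("alice", "server-room", "admin"),
    ("bob", "server-room", "admin"),
    ("carol", "server-room", "admin"),
)


def evaluate(policy, requests: Iterable[Request] = REQUESTS) -> dict:
    """Map each request to the policy's decision."""
    return {req: policy.is_allowed(*req) for req in requests}


def unexpected_admits(requests: Iterable[Request] = REQUESTS) -> list:
    """Requests the block list admits but the allow list refuses: the gap least privilege closes."""
    allow, deny = evaluate(ALLOW, requests), evaluate(DENY, requests)
    return [req for req in requests if deny[req] and not allow[req]]


if __name__ == "__main__":
    for req, decision in evaluate(ALLOW).items():
        print("allow list:", req, "->", "ALLOW" if decision else "DENY")
    for req, decision in evaluate(DENY).items():
        print("block list:", req, "->", "ALLOW" if decision else "DENY")
    print("admitted only because nobody blocked them:", unexpected_admits())
```

With the allow list, adding a new person or a new resource grants nothing until someone writes a grant; with the block list, every addition is silently open until someone notices.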

Sung M. Kim

Thanks Jamie. Analogies did help solidify the concept 😀

Jamie

You're welcome

Rémi Lavedrine

That is a very interesting post.
I am always looking for good security-related resources, so that I can push them to the developers I am working with and try to evangelize as many developers as I can.
I wrote some on my own, but as you said, it is such a large topic that it is very important to rely on other resources. :-)