Difference between TLS, SSL and HTTPS

Elvis O. — Fri, 15 Sep 2023 17:19:24 +0000

Their differences, best use cases and how they protect our websites

What is HTTPS

We may be familiar with HTTP (Hypertext Transfer Protocol) as a request that browsers or internet devices use to communicate with data on the internet and load webpages.

HTTPS (Hypertext Transfer Protocol Secure) is a more secure way of communication between internet devices and data. Any website that handles sensitive data, such as login credentials and other personal information, should use HTTPS. Websites that are not secure are marked as 'Not Secure,' alerting users to exercise caution when sending information to such websites.

This communication is secured by digital certificates, which are typically obtained from security service providers known as Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL).

TLS employs a cryptographic method called asymmetric encryption, which utilizes two keys: the public key and the private key.

The private key is owned by the website owner and resides on the web server. It is used to decrypt information that has been encrypted with the public key. The public key is visible to all individuals interacting with the website legally, and only the private key can decrypt information encrypted by the public key. Both keys work in tandem to maintain the security of information on the website.

Public key encrypts, private key decrypts!

How HTTPS works
Under the hood, when a user opens a webpage, the webpage will send its SSL certificate, which contains the public key necessary to initiate a secure session. The two computers, the client and the server, then undergo a process called an SSL/TLS handshake, a series of back-and-forth communications used to establish a secure connection.

Specify the version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use.
Decide on the cipher suites to be used.
Authenticate the server's identity using the server's public key and the SSL certificate authority's digital signature.
Generate session keys to enable symmetric encryption after the handshake is completed.

Importance of HTTPS
Since data transferred through the internet is basically in text i.e. Hyper-text protocol, HTTPS prevents websites from having their information broadcast in a way that’s easily viewed by anyone snooping on the network.

HTTPS also prevents ISP (Internet service providers) from adding or displaying unnecessary content (Ads) to the users.

How to get TLS/SSL Certificates?
There are handful of popular SSL certificate vendors like Hostinger, NameCheap, Domain to name a few and they offer affordable prices.

Hopefully you learned about SSL certificates and how important they are for your websites. To learn more about cryptography or asymmetric encryption, pls check out my GitHub repo and leave a star. Thank you

SQL & No-SQL injections.

Elvis O. — Sun, 20 Aug 2023 05:44:46 +0000

Whats an SQL Injection?

An SQL Injection attack involves the insertion or injection of a SQL query through input data from the client to a backend server. A successful SQL injection exploit can enable the reading of sensitive data from the database, altering database data (Insert/Update/Delete), executing administrative operations on the database (such as shutting down the DBMS), retrieving the contents of a specific file within the DBMS file system, and, in some cases, issuing commands to the operating system. SQL injection attacks are a type of injection attack, where SQL commands are inserted into data-plane inputs to manipulate the execution of predefined SQL commands.

Difference between SQL vs No-SQL Attacks

SQL is a standardized language employed to access and manipulate databases, creating customizable data views for individual users. SQL queries execute commands like data retrieval, updates, and record removal, utilizing various SQL components for these functions. SQL attacks refer to SQL injections targeting databases associated with SQL, such as MySQL, PostgreSQL, Oracle, MS SQL, MariaDB, and others.

NoSQL databases, on the other hand, encompass a variety of database systems like MongoDB, DynamoDB etc that store and retrieve data without using a traditional SQL-based relational model. NoSQL attacks are specifically directed at these types of databases, exploiting vulnerabilities within their unique structures and characteristics.

Type of SQL attacks

Boolean-based SQLI : This type of SQL attack involves sending a SQL query to the database that prompts the application to return a result. Attackers can exploit vulnerabilities in the application’s response to infer information.
Time-based SQLI : In this scenario, the attacker sends a SQL query to the database, causing it to introduce a delay (for a specific period in seconds) before responding. By observing the delay in the response, the attacker can deduce certain information from the timing.

NoSQL Injection is a security vulnerability that affects web applications utilizing a NoSQL database. NoSQL (Not Only SQL) databases are characterized by their use of flexible data formats and lack of support for Structured Query Language (SQL). These databases typically manage data as key-value pairs, documents, or data graphs. Examples of such databases include MongoDB, OrientDB, DynamoDB (AWS), Redis, and others.

A Normal Backend Interaction — SQL Databases
(How SQL injections work)

When prompted by an application, a user enters:

username: JohnDoe

password: password

The application processes the input:

username = getRequestString("username")
password = getRequestString("userpassword")

sql = 'SELECT * FROM Users WHERE name ="' + username + '" AND pass = "' + password + '"'

It translates to the SQL Query:

SELECT * FROM users WHERE name = "JohnDoe" AND pass = "password"

But in the case of SQL Attacks...
An attacker can:

1. Retrieving an Entire Table

A malicious individual could gain access to usernames and passwords within a database.

A user enters:

username: " OR ""="

password: " OR ""="

Query becomes:

SELECT * FROM users WHERE name = "" OR ""="" AND pass = "" OR ""=""

This SQL statement will retrieve all rows from the users table, as the condition OR ""="" always evaluates to true.

2. Delete a Table Using a Batched SQL Statements

A malicious individual could delete an entire table from a database.

A user enters:

username: nuclearfusion; DROP TABLE Suppliers

password: password

Query becomes:

SELECT * FROM users WHERE username = "nuclearfusion"; DROP TABLE stockPortfolio;

Preventing SQL Injection Attacks

Several common methods can help prevent SQL injection attacks:

Avoid allowing multiple statements. For instance:

const connection = await mysql.createConnection({
  uri: process.env.DATABASE_URL,
  multipleStatements: false
})

Employ prepared statements or placeholders instead of variable interpolation. This involves using a question mark “?” in place of the actual value.
Validate user input rigorously.
Implement allow-lists for user input.
Choose databases with restricted user access.
Utilize an ORM (Object Relational Mapping) system, such as Sequelize, Knex.js, Hibernate for Spring JPA frameworks, and others. ORMs provide a way to align programming code with database structures, making it easier to interact with databases while also reducing the likelihood of vulnerabilities like injection attacks.

Preventing No-SQL Injection Attacks:

Avoid Directly Passing Request Objects to ODM or ORM Functions.

One of the worst practices is passing something like req.body or req.query directly to our ODM/ORM functions like this:

const user = await collection.findOne(req.body); // Bad Practice

At the very least, we should use specific fields such as req.body.id

This helps mitigate the risk of NoSQL injection attacks.

const user = await collection.findOne({ userId: req.body.id });

Use input validations like Zod, Yup or express validator.
Sanitize User Inputs and Filters.
Utilize the latest versions of technologies and database drivers.

Conclusion