What are the benefits of using HTTPS?


13

Where I work, people always say that they have to put HTTPS on the systems to make them safer.

I'd like to know:

  • In what way does SSL make a website safer?

  • What types of attacks does it prevent?

  • When SSL is implemented, does it offer any protection against attacks such as CSRF, for example?

  • I was writing an answer, but since you are already satisfied with the answer given, there is no need to post anything else.

  • @bigown It's not every day that I can outrun the Brazilian Jon Skeet. :D

  • @Victor And where is he? :P

  • @bigown Guess? Tip: it's the guy who has the highest reputation on the site and is known by his eye.

  • No, the fact that I answer a lot and have a high reputation does not make me comparable to Jon Skeet, who has technical competence and proven communication skills. My reputation only reflects dedication to the website, nothing else. I consider myself a mediocre professional and envy the users here who master many things better than I do. And it is not false modesty, because I do not have this quality/defect :P It is only a reality check. At best I'm the dirt under Jon Skeet's fingernail :)

  • @bigown Although we are using the comments for off-topic chat, I must say that your reputation reflects much more than just dedication; it also reflects quality, expertise, technical competence and proven communication skills. And if you are someone mediocre on the site, then that would mean there is no one who is good here (which is not true). You can be sure that no one in good conscience considers you mediocre around here, and your contributions are of a very high level of excellence that is very difficult to achieve.

  • The guy is humble :)

2 answers

16


In what way does SSL make a website safer?

Encryption. In normal HTTP, data is sent in plaintext inside the network packets, and someone using a sniffer (a program that captures packets) can see their contents.

However, if the data you send over your connection is confidential (e.g., banking data, personal emails, etc.), SSL* provides you with strong and very hard to crack** encryption (and HTTPS is nothing more than HTTP over SSL). This way, if someone inspects your data packets without knowing the cryptographic keys used, the content will look like a seemingly random and meaningless sequence of bytes.

What types of attacks does it prevent?

Mostly attacks based on data interception. If the packets are intercepted, their contents will make no sense to anyone who does not know the cryptographic keys used.

Also, without SSL, someone could maliciously alter the contents of the packets between source and destination; after all, they travel in plaintext, unencrypted. With SSL this becomes virtually impossible, because without the cryptographic keys you cannot make meaningful changes to a packet without making it appear simply corrupted (and then discarded altogether). The most an attacker can achieve is to destroy the packets, not modify them.

When SSL is implemented, does it offer any protection against attacks such as CSRF, for example?

No. That is something that must be implemented by the application; it is not the responsibility of the transport layer (which is where SSL lives).


(*) SSL (Secure Sockets Layer) was replaced by TLS (Transport Layer Security), but this is a detail irrelevant to your question. SSL had three versions: 1.0, 2.0 and 3.0. Then came TLS 1.0, 1.1 and 1.2, and 1.3 is being designed. In practice, TLS 1.0 is nothing more than an SSL 3.1 that changed its name to standardize it with the IETF (Internet Engineering Task Force).

(**) In reality, SSL allows both parties to negotiate which cryptographic protocol will actually be used, and if both agree on a weak protocol then security is not assured. This is why it is important to configure the server to reject insecure cipher suites, many of which are enabled by default after installation. ssllabs has interesting tools to test the server and the browser.

I thank Omni and mgibsonbr for the suggestions given in their comments.

  • The informal name of TLS 1.0 is SSL 3.1, not SSL 4.0. I liked your note, but I would add the reason for the name change (standardization of the protocol by the IETF).

  • @Omni Done. :)
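The negotiation point in footnote (**) above can be made concrete with a small audit. This is an added example, not code from the answer or from any project it mentions: it builds a TLS client context with Python's standard ssl module, refuses anything below TLS 1.2, restricts the cipher list to authenticated ECDHE suites, and reports which enabled suites still match a (constructed, name-based) weakness pattern, with a permissive "legacy" context beside it for comparison. The pattern and the helper names are this example's own assumptions.

```python
import re
import ssl

# Constructed heuristic: suite names containing these tokens indicate no
# encryption (NULL), export-grade keys (EXP), RC4, (3)DES, anonymous key
# exchange without authentication (ADH/AECDH), or an MD5-based MAC.
WEAK_SUITE = re.compile(r"NULL|EXP|RC4|DES|ADH|AECDH|MD5")


def weak_suites(names):
    """Return the cipher-suite names that look weak by the pattern above."""
    return [n for n in names if WEAK_SUITE.search(n)]


def hardened_client_context():
    """Client context that refuses old protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # servers: PROTOCOL_TLS_SERVER
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # reject SSLv3, TLS 1.0, TLS 1.1
    # Only forward-secret ECDHE suites with AEAD ciphers; explicitly exclude
    # the weak families even if a future OpenSSL default re-enabled them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5")
    ctx.verify_mode = ssl.CERT_REQUIRED   # the server must present a valid certificate
    ctx.check_hostname = True             # and it must match the host we asked for
    ctx.load_default_certs()              # trust the system's CA store
    return ctx


def legacy_client_context():
    """Permissive context: whatever the library offers, down to TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # deprecated; shown only for contrast
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx):
    """Summarise a context: minimum version, enabled suites, weak suites, verdict."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    weak = weak_suites(enabled)
    ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not weak
    return {"min_version": ctx.minimum_version, "enabled": enabled, "weak": weak, "ok": ok}


if __name__ == "__main__":
    for label, factory in (("hardened", hardened_client_context), ("legacy", legacy_client_context)):
        report = audit_context(factory())
        print(label, "ok" if report["ok"] else "NOT ok", "weak:", report["weak"])
```

The exact suite list printed depends on the OpenSSL build behind your Python, which is precisely why testing the live server with an external tool such as ssllabs is still worthwhile.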

9

There are two great benefits:

  • All data traffic through this protocol is encrypted, so it is of little use to someone who intercepts the packets between the client and the server. This is done transparently; your application does not need to know how to handle encryption.
  • It provides reliable identification of the parties involved in the communication, preventing data from being altered midway after both ends agree that they will communicate securely (handshaking).

So it is useful for guaranteeing the authenticity and integrity of the transported data.

In addition, to use HTTPS you need to have a certificate. If it is obtained from a trusted certification authority, the identity of the server can be proven. This is not a direct gain, but it is important. In theory, this should prevent some social attacks, but people don't cooperate.

Application attacks like CSRF or XSS will not be prevented, as we are talking about a transport protocol. It prevents attacks like Man in the Middle (just one example). Any attack that tries to benefit from the data carried is prevented with HTTPS.

Using this protocol does not diminish at all the need for care in developing the application or keeping the server secure; after all, if an attacker takes over your server, it does not help that the communication is secure. It does not prevent denial of service attacks.

I tried to add some more relevant information.
