What are the benefits of using HTTPS?

10

Where I work, people often say that they have to put HTTPS on their systems to make it more secure.

I'd like to know:

  • What does SSL do to make a site safer?

  • What types of attacks do they avoid?

  • In the implementation of SSL, is there any security relation against some types of attacks such as CSRF?

asked by anonymous 05.02.2015 / 15:44

2 answers

13
  

What does SSL do to make a site safer?

Encryption. In normal HTTP, data is sent in plaintext inside the network packets, and someone using a sniffer, which is a program that captures packets, can see the content of them.

However, if the content of the data that travels on your connection is of considerable confidentiality (e.g. bank details, personal emails, etc.), SSL(*) provides you with strong encryption that is very difficult to break(**) (and HTTPS is nothing more than HTTP over SSL). In this way, if someone inspects your data packets without knowing the cryptographic keys used, the content will consist of only a seemingly random and meaningless sequence of bytes.

  

What types of attacks do they avoid?

Mostly attacks based on data interception. If packets are intercepted, for those unaware of the cryptographic keys used, their content will not make any sense.

In addition, without SSL, someone could maliciously alter the contents of the packets between the source and the destination; after all, they travel in plaintext, without encryption. With SSL, this becomes virtually impossible, because without the cryptographic keys you cannot introduce meaningful changes to the packet without making it appear simply corrupted (and be discarded altogether). The most an attacker can do with this is to destroy the packets, not modify them.

  

When implementing an SSL, is there any security relation to some types of attacks such as CSRF, for example?

No. This is already something that should be implemented by the application; it is not the responsibility of the transport layer (which is where SSL is).

(*) Secure Sockets Layer (SSL) has been replaced by Transport Layer Security (TLS), but this is an irrelevant detail for your question. SSL had three versions: 1.0, 2.0 and 3.0. Then came TLS 1.0, 1.1 and 1.2, and 1.3 is being designed. In practice, TLS 1.0 is nothing more than an SSL 3.1 that was renamed to standardize it with the Internet Engineering Task Force (IETF).

(**) SSL actually allows both parties to negotiate which cryptographic protocol will actually be used, and if both agree on a weak protocol then security will not be assured. This is why it is important to configure the server to reject insecure cipher suites, many of which are enabled by default in the installation. SSL Labs has interesting tools for testing the server and the browser.

Thank you to Omni and mgibson for the suggestions given in your comments.

    
05.02.2015 / 15:58
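The two configuration points this answer makes, rejecting old protocol versions and weak cipher suites on the server and having the client verify the server's certificate, can be expressed with Python's standard `ssl` module. The block below is an added example and is not code from the answer; the certificate and key file paths are placeholders, the `WEAK_MARKERS` deny-list is constructed for illustration, and `policy_summary` is a helper invented here to make the resulting policy inspectable offline.

```python
import ssl

# Substrings that mark cipher suites nobody should still negotiate.
# This deny-list is constructed for the example, not an exhaustive standard.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def make_server_context(certfile=None, keyfile=None):
    """Server-side policy: refuse SSL 3.0 / TLS 1.0 / TLS 1.1 and legacy suites.

    certfile/keyfile are placeholders for the real certificate chain and
    private key; when None the context is built without credentials, which
    is enough to inspect the negotiated policy offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: only ECDHE key exchange (forward secrecy)
    # with AEAD ciphers; explicitly exclude anonymous, MD5, RC4 and (3)DES.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_client_context():
    """Client-side policy: require a certificate chaining to a trusted CA
    whose name matches the host requested (the identity guarantee)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_suites(ctx):
    """Names of suites the context would still offer that match WEAK_MARKERS;
    an empty list means the cipher policy is clean."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def policy_summary(ctx):
    """Plain-data view of the context so the policy can be checked or logged."""
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(ctx.get_ciphers()),
        "weak_suites": weak_suites(ctx),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("server:", policy_summary(make_server_context()))
    print("client:", policy_summary(make_client_context()))
```

Wrapping a listening socket with `make_server_context(...).wrap_socket(sock, server_side=True)` applies the policy; a client that uses `make_client_context().wrap_socket(sock, server_hostname="app.example")` will abort the handshake if the chain does not validate or the name does not match, which is exactly the interception scenario the answer describes.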
7

There are two major benefits:

  • All data carried by this protocol is encrypted, so it is of little use if someone intercepts the packets between the client and the server. This is done transparently; your application does not have to know how to handle encryption.
  • It provides reliable identification of the agents involved in the communication, preventing data from being changed midway after the two ends agree that they will communicate securely (#).

So it is useful to ensure the authenticity and integrity of the data being transported.

In addition to using HTTPS, you must have a certificate. If it is obtained from a trusted certificate authority, the server's identity can be verified. This is not a direct gain, but it is important. In theory, this should prevent some social attacks, but people do not cooperate.

Attacks made against the application such as CSRF or XSS will not be prevented, since we are talking about a transport protocol. It prevents attacks like Man in the Middle (just one example). Any attack that tries to take advantage of the data transported is prevented with HTTPS.

The use of this protocol does not diminish the need for care in developing the application or keeping the server safe; after all, if an attacker takes over your server, securing the communication will not do anything. It does not prevent denial of service attacks.

I tried to give some more relevant information.

    
05.02.2015 / 17:20
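Both answers note that CSRF is the application's job, not the transport layer's. The block below is an added example, not code from either answer, showing what that application-layer check looks like: a synchronizer token bound to the session with an HMAC, plus an `Origin` header check, evaluated on a constructed request object. The request dict shape, `ALLOWED_ORIGIN`, and the helper names are assumptions made for the example; a real framework supplies its own request object and session store.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at startup here for the example.
SERVER_SECRET = secrets.token_bytes(32)
# The site's own origin (assumed value for the example).
ALLOWED_ORIGIN = "https://app.example"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-session token as HMAC(secret, session_id).

    The server embeds it in the forms it renders; a page on another origin
    cannot read it, so it cannot reproduce it in a forged request."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    """Safe methods are not required to carry a token."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def accept_request(request: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Application-layer CSRF check that TLS does not perform.

    `request` is a constructed stand-in for a framework request with keys:
    method, session_id (from the session cookie), form (dict), headers (dict).
    """
    if not is_state_changing(request["method"]):
        return True
    session_id = request.get("session_id")
    if not session_id:
        return False
    # Defence in depth: browsers set Origin on cross-site POSTs; if present,
    # it must be our own origin.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    expected = issue_csrf_token(session_id, secret)
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so timing leaks nothing about the token.
    return hmac.compare_digest(expected, submitted)


def legitimate_request(session_id: str = "sess-1") -> dict:
    """Constructed: a POST from our own page, carrying the token we issued."""
    return {
        "method": "POST",
        "session_id": session_id,
        "form": {"amount": "10", "csrf_token": issue_csrf_token(session_id)},
        "headers": {"Origin": ALLOWED_ORIGIN},
    }


def forged_request(session_id: str = "sess-1") -> dict:
    """Constructed: a POST triggered from another origin. The browser still
    attaches the session cookie (so session_id is present), and the whole
    exchange may well be over HTTPS, but the token is unknown to that page."""
    return {
        "method": "POST",
        "session_id": session_id,
        "form": {"amount": "10"},
        "headers": {"Origin": "https://other-site.example"},
    }


if __name__ == "__main__":
    print("legitimate accepted:", accept_request(legitimate_request()))
    print("forged accepted:", accept_request(forged_request()))
```

The forged request fails on two independent grounds (foreign `Origin`, missing token), and a token copied from a different session also fails because the HMAC is keyed on the session id. None of this depends on whether the connection is HTTP or HTTPS, which is the point both answers make.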