8- Web Security

Core defence mechanisms

  1. Handling user access

    • prevent users from gaining unauthorized access to the application's data and functionality (authentication, session management, access control).

  2. Handling user input

    • validate and sanitize user input so that malicious input cannot cause undesirable behaviour.

  3. Handling attackers

    • take defensive and offensive measures (error handling, logging, alerting, reacting) to frustrate an attacker.

  4. Managing the application

    • enable administrators to monitor activity and manage the application's configuration and logs.

HTTPS

HTTPS is HTTP carried over an encrypted transport protocol:

Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS).

Secure Handshakes

steps:

  • Establish the connection (TCP), then the client sends its supported protocol versions and cipher suites

  • The client's browser validates the server's certificate and the public key it contains

  • Key exchange: both sides agree on session keys that are then used to encrypt/decrypt the traffic

  • Connection established (both sides confirm they derived the same keys)

  • Request - Response over the protected channel

The figure illustrates the idea further:
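The exchange described above, as an added worked example that is not part of the original notes: a toy TLS-style handshake with both sides' messages. It uses a finite-field Diffie-Hellman key exchange over a placeholder group (a Mersenne prime, chosen only so the arithmetic is real; not a group anyone should deploy), derives separate keys with HKDF, binds the handshake with a transcript MAC like TLS's Finished message, and then protects a request/response. It deliberately omits the certificate signature over the server's key share, so it shows why an eavesdropper learns nothing from the public values and why an active tamperer is detected, but not how the server is authenticated.

```python
"""Toy TLS-style handshake (added example, not from the original notes).

Constructed demo group: 2^521 - 1 is a Mersenne prime, used here only so the
Diffie-Hellman arithmetic is genuine.  Real TLS uses standardised groups such
as X25519 or RFC 7919 ffdhe2048, and signs the server's key share under the
certificate's public key, which this toy omits.
"""
import hashlib
import hmac
import secrets

P = 2**521 - 1          # toy prime, NOT for real use
G = 3
SHARE_LEN = 66          # bytes needed to hold a value < 2^521


def hkdf_sha256(secret: bytes, label: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869): extract with an all-zero salt, then expand."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Party:
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2   # private exponent, never sent
        self.pub = pow(G, self.priv, P)           # key share, sent in the clear
        self.transcript = b""                     # every handshake byte sent or received
        self.keys = None

    def share(self) -> bytes:
        msg = self.pub.to_bytes(SHARE_LEN, "big")
        self.transcript += msg
        return msg

    def receive_share(self, msg: bytes) -> None:
        self.transcript += msg
        shared = pow(int.from_bytes(msg, "big"), self.priv, P)
        secret = shared.to_bytes(SHARE_LEN, "big")
        # Separate keys for the Finished MAC and for application traffic.
        self.keys = {"finished": hkdf_sha256(secret, b"finished"),
                     "traffic": hkdf_sha256(secret, b"traffic")}

    def finished(self) -> bytes:
        """MAC over the full transcript, the role of TLS's Finished message."""
        return hmac.new(self.keys["finished"], self.transcript, hashlib.sha256).digest()

    def protect(self, data: bytes) -> bytes:
        """Append an integrity tag (toy: authenticity only, no confidentiality)."""
        return data + hmac.new(self.keys["traffic"], data, hashlib.sha256).digest()

    def unprotect(self, record: bytes) -> bytes:
        data, tag = record[:-32], record[-32:]
        expected = hmac.new(self.keys["traffic"], data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("record tampered")
        return data


def run_handshake(tamper: bool = False):
    """Return (response seen by client, bytes an eavesdropper saw, handshake ok)."""
    client, server = Party("client"), Party("server")
    wire = []                                   # passive eavesdropper's view
    # Step 1: key shares are exchanged in the clear.
    c_share = client.share(); wire.append(c_share)
    server.receive_share(c_share)
    s_share = server.share(); wire.append(s_share)
    if tamper:                                  # active attacker alters the server's share
        s_share = bytes([s_share[0] ^ 1]) + s_share[1:]
    client.receive_share(s_share)
    # Step 2: both sides prove they saw the same transcript and hold the same key.
    if not hmac.compare_digest(client.finished(), server.finished()):
        return None, wire, False
    # Step 3: request - response under the derived traffic key.
    request = client.protect(b"GET / HTTP/1.1")
    assert server.unprotect(request) == b"GET / HTTP/1.1"
    response = server.protect(b"HTTP/1.1 200 OK")
    return client.unprotect(response), wire, True
```

The eavesdropper's `wire` list holds only the two public shares; the private exponents and derived keys never leave each `Party`. Flipping one bit of the server's share makes the client derive a different secret, so the Finished comparison fails and no request is sent.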

Certificate

An X.509 certificate contains, among other fields:

  • the signature algorithm used by the issuer

  • the subject's public key and the algorithm it belongs to

  • the domain name(s) it was issued for (subject and subject alternative names), plus the issuer and validity period

The figure illustrates the idea further:

Certificate Authority (CA)

The CA's primary role is to validate that the requester of a certificate is who they claim to be,

by issuing and signing a certificate that contains the requester's public key.

  • A certificate signed by a CA the browser trusts prevents the warnings and increases confidence that the server is who it claims to be.

Data Storage (Passwords) - Security Best Practices

  • Storing passwords in plain text is completely insecure; a breach compromises:

  1. Confidentiality of the data

  2. Integrity of the system

  • better solution → store a hash of the password instead of the password itself. Note that MD5 is no longer acceptable for this: it is fast, which favours brute force, and cryptographically broken.

  • best solution → salt each password with a random per-user value and hash it with a slow, purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2). The salt defeats precomputed (rainbow table) attacks and hides password reuse; the slow function limits offline guessing.
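An added example (not from the original notes) contrasting the schemes above: an unsalted fast hash (MD5) beside a salted, slow hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library because it needs no extra packages; bcrypt, scrypt or Argon2 would be equally good choices. The user names and passwords are constructed sample data, and the iteration count follows OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
"""Password storage: unsalted MD5 vs. salted PBKDF2 (added example)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256


def md5_unsalted(password: str) -> str:
    """Old scheme: identical passwords give identical hashes, and MD5 is fast."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store scheme, iteration count, salt and hash together so the work
    factor can be raised later without breaking existing records."""
    salt = secrets.token_bytes(16)                      # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Constructed sample: two users who happened to pick the same password.
    users = {"alice": "Winter2024!", "bob": "Winter2024!"}
    md5_same = md5_unsalted(users["alice"]) == md5_unsalted(users["bob"])
    records = {u: make_record(p) for u, p in users.items()}
    return {
        "md5_reveals_reuse": md5_same,                       # True: same hash for both
        "salted_reveals_reuse": records["alice"] == records["bob"],   # False
        "alice_ok": verify("Winter2024!", records["alice"]),
        "alice_wrong": verify("winter2024!", records["alice"]),
    }
```

Keeping the iteration count inside the record is what lets you migrate: on a successful login with an old, lower count, re-hash and overwrite the record with the current parameters.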
