8- Web Security

Core defences mechanisms

1. Handling user access

   • prevent users from gaining unauthorized access.

2. Handling user input

   • Sanitize user malicious input from causing undesirable behaviour.

3. Handling attackers

   • taking defensive and offensive measures to frustrate the hacker.

4. Managing the application

   • enables the administrator to monitor activities along with managing configuration logs.

HTTPS

HTTPS uses an encryption protocol to encrypt communications :

Secure Sockets Layer (SSL) → Transport Layer Security (TLS).

Secure Handshakes

steps:

• Establish connections

• check public keys + certificates (in the client's browser )

• key exchange encrypt/decrypt using

• Connection established

• Request - Response

The figure illustrates the idea more:

Certificate

X.509 certificate, contains:

• used algorithm

• Information about public keys

• the domain it was issued for

The figure illustrates idea more:

Certificate Authority (CA)

CA primary role is to validate that the requester of the certificate is who they claim to be.

by issuing and singing containing the public keys.

• A certificate signed by any of CAs will prevent the warnings and increase the confidence that the server is who they claim to be.

Data Storage (Passwords) - Security Best Practices

• Storing Password in Plain Text is completely insecure which is compromising:

1. Confidentiality of the data

2. Integrity of the system

• better solution → hash password with MD5.

• best solution → hash password with MD5 + Salting.