Chapter 18 (PowerPoint presentation), Fundamentals of Web Development - 2nd Ed., Randy Connolly and Ricardo Hoar


SLIDE 1

Fundamentals of Web Development - 2nd Ed. Randy Connolly and Ricardo Hoar

Chapter 18

1 Security Principles
2 Authentication
3 Cryptography
4 Hypertext Transfer Protocol Secure (HTTPS)
5 Security Best Practices
6 Common Threat Vectors
7 Summary

SLIDE 2

HTTP

With a regular HTTP connection, all data is sent as unencrypted plain text. Anyone who can intercept the traffic (on the same Wi-Fi network, at the ISP, or at any router in between) can read it, and can also modify it before it reaches the other end. To transmit data over a secure connection, an additional layer must be used.

Secure Sockets Layer (SSL)

  • An older Internet protocol that allows for data transmission between server and client through a secure connection. All SSL versions are now deprecated (SSL 3.0 by RFC 7568) and should be disabled on servers.

Transport Layer Security (TLS)

  • The newer protocol for transferring data via a secure connection. TLS 1.2 and 1.3 are the versions in current use; TLS 1.0 and 1.1 were deprecated by RFC 8996.
  • Often still referred to as "SSL", so an "SSL certificate" is in practice a certificate used for TLS.
SLIDE 3

HTTPS

HTTPS is the HTTP protocol running on top of Transport Layer Security (TLS). From the client's perspective it is easy to see that a site uses it: most modern browsers show a padlock icon in the URL bar. The padlock means only that the connection is encrypted and that the certificate was validated for the host name in the URL; it says nothing about whether the site itself is honest. The browser encrypts data being sent to the server and the server then decrypts it; the server encrypts data being sent to the browser and the browser then decrypts it.

Figure: Secure HTTP

SLIDE 4

HTTPS

Secure Handshakes

During the TLS handshake the client and server agree on a protocol version and cipher suite, the server presents its certificate, and the two sides establish the session keys that encrypt the rest of the exchange.

SLIDE 5

HTTPS

Certificates

The certificate that is transmitted during the handshake is an X.509 certificate. It contains many details, including the algorithms used (the signature algorithm and the public key algorithm), the domain it was issued for (in the Subject Alternative Name extension; older certificates relied on the subject's Common Name alone), the validity period, the issuer that signed it, and the server's public key.

SLIDE 6

HTTPS

Certificate Authorities

A Certificate Authority (CA) allows users to place their trust in a certificate because a trusted, independent third party has signed it. Browsers and operating systems ship with the root certificates of the CAs they trust, and the browser checks that the server's certificate chains up to one of those roots.

SLIDE 7

HTTPS

Self-Signed Certificates

Self-signed certificates provide the same level of encryption, but the identity of the server is confirmed by nobody except the server itself. A browser therefore warns the user, and an attacker in the middle could present a self-signed certificate of their own that looks no different.

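The points on the certificate, CA and self-signed slides can be seen in a few lines of PHP. The block below is an added example, not code from the textbook: it builds a private CA and two certificates for the same server key in memory with PHP's OpenSSL extension, prints the X.509 fields a browser reads during the handshake, and then checks which public key vouches for each certificate. "Example Lab CA" and "webdev.example.test" are made-up names for the demo.

```php
<?php
// Added example (not from the textbook): a private CA and two server
// certificates built in memory with PHP's OpenSSL extension, so the X.509
// fields from the slides and the difference between a CA-signed and a
// self-signed certificate can be seen directly. "Example Lab CA" and
// "webdev.example.test" are made-up names for this demo.

$opts = [
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'digest_alg'       => 'sha256',
];

// A private CA. Its own certificate is self-signed: issuer equals subject.
$caKey  = openssl_pkey_new($opts);
$caCsr  = openssl_csr_new(['commonName' => 'Example Lab CA'], $caKey, $opts);
$caCert = openssl_csr_sign($caCsr, null, $caKey, 3650, $opts);  // null issuer = sign with own key

// The server's key pair and certificate signing request. The private key
// stays on the server; only the CSR (public key + names) goes to the CA.
$srvKey = openssl_pkey_new($opts);
$srvCsr = openssl_csr_new(['commonName' => 'webdev.example.test'], $srvKey, $opts);

// Two certificates for the same server key: one the CA signs,
// one the server signs for itself.
$caSigned   = openssl_csr_sign($srvCsr, $caCert, $caKey,  365, $opts, 1001);
$selfSigned = openssl_csr_sign($srvCsr, null,    $srvKey, 365, $opts, 1002);

// The fields a browser reads out of the certificate during the handshake.
function describe($cert)
{
    $x   = openssl_x509_parse($cert);
    $pub = openssl_pkey_get_details(openssl_pkey_get_public($cert));
    return [
        'subject'   => $x['subject']['CN'],
        'issuer'    => $x['issuer']['CN'],
        'serial'    => $x['serialNumber'],
        'sig_alg'   => $x['signatureTypeSN'],   // e.g. RSA-SHA256
        'key_bits'  => $pub['bits'],
        'not_after' => date('Y-m-d', $x['validTo_time_t']),
    ];
}

// Whose public key validates the signature on the certificate?
// openssl_x509_verify() returns 1 for a good signature, 0 for a bad one.
function signed_by($cert, array $trustedKeys)
{
    foreach ($trustedKeys as $name => $key) {
        if (openssl_x509_verify($cert, $key) === 1) {
            return $name;
        }
    }
    return null;   // nobody in the trust store vouches for it
}

// The browser's "trust store": public keys of the CAs it already trusts.
$trustStore = ['Example Lab CA' => openssl_pkey_get_public($caCert)];

foreach (['CA-signed' => $caSigned, 'self-signed' => $selfSigned] as $label => $cert) {
    $d = describe($cert);
    printf("%-11s subject=%s issuer=%s serial=%s %s %d-bit, expires %s\n",
        $label, $d['subject'], $d['issuer'], $d['serial'],
        $d['sig_alg'], $d['key_bits'], $d['not_after']);
    $vouched = signed_by($cert, $trustStore);
    printf("            trusted CA signature: %s\n", $vouched ?? 'none (browser would warn)');
    // A self-signed certificate does verify, but only against its own key,
    // which proves nothing about who operates the server.
    printf("            verifies with its own key: %s\n",
        openssl_x509_verify($cert, openssl_pkey_get_public($cert)) === 1 ? 'yes' : 'no');
}
```

Run it with php on the command line (the OpenSSL extension must be enabled). The CA-signed certificate shows issuer "Example Lab CA" and is vouched for by the trust store; the self-signed one shows issuer equal to subject and is vouched for by nobody, which is exactly the case in which a browser shows its warning page. Note that openssl_x509_verify() checks the signature only; a real client additionally checks the validity period, the host name against the certificate's names, and the whole chain, which is what openssl_x509_checkpurpose() or the TLS stack does for you.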

SLIDE 9

URLs for Secure Connections

Request a secure connection:
  https://webdev.cislabs.uncw.edu
Return to a regular connection:
  http://webdev.cislabs.uncw.edu

  • Requests must be full (absolute) URLs that include the scheme; a relative link keeps the scheme of the page it appears on.
  • Once a secure connection is established, it will remain in that mode until it is reverted.

SLIDE 10

Redirection

The server does not fetch the new page itself: it answers with a redirect status and a Location: header, and the browser then issues a new request to that URL. In PHP this is done with the header() function:

header('Location: .');          // the current directory
header('Location: ../');        // up one directory
header('Location: ./admin');    // down one directory
header('Location: error.php');
header('Location: https://webdev.cislabs.uncw.edu/~abc123');

header() must be called before any output has been sent, and it should be followed by exit so that the rest of the script does not run and its output is not delivered to a client that chooses to ignore the redirect.

SLIDE 11

HTTPS

To force a secure connection on a page, detect the scheme of the current request with the $_SERVER array and redirect if necessary. The $_SERVER array contains information about headers and paths; its values are set by the web server, and some of them (HTTP_HOST, for instance) are copied straight from request headers supplied by the client.

Index        Description
HTTPS        Set to a non-empty value if the current request is using HTTPS (IIS sets it to "off" on plain HTTP, so test for that as well)
HTTP_HOST    The host for the current request, taken from the Host header
REQUEST_URI  The Uniform Resource Identifier (path and query string) for the current page

SLIDE 12

The $_SERVER Array

A utility file to build an absolute URL using the $_SERVER array. For a request for /~abc1234/file.php on webdev.cislabs.uncw.edu the values are:

$_SERVER['HTTP_HOST']   = webdev.cislabs.uncw.edu
$_SERVER['REQUEST_URI'] = /~abc1234/file.php

SLIDE 13

Requiring a Secure Connection

require_once 'secure_conn.php';

  • Use on any page that contains sensitive information (login forms, account pages, anything that sets or reads a session cookie)
  • Include it before the page produces any output, otherwise the redirect header can no longer be sent
SLIDE 14

Reverting to HTTP

require_once 'reg_conn.php';

  • After a user has logged out, for example
  • Note: There is no $_SERVER['HTTP'] value; a plain request is recognised by $_SERVER['HTTPS'] being absent, empty, or "off"
  • Caution: any cookie that was set without the Secure flag is sent over the plain connection once the site drops back to HTTP, so destroy the session before reverting
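The slides include secure_conn.php and reg_conn.php without showing what is inside them. The block below is an added example, not the textbook's files: one helper file (hypothetically named conn_helpers.php) that implements both behaviours with the $_SERVER indices from the table above. It also adds the two checks a practitioner would want here: HTTP_HOST is validated against an allow-list before it is placed in a Location header, because a forged Host header would otherwise turn the redirect into an open redirect, and $_SERVER['HTTPS'] is tested for the "off" value IIS uses. The allowed host name is the one used on the slides.

```php
<?php
// conn_helpers.php (hypothetical file name). Added example, not the textbook's
// secure_conn.php or reg_conn.php, whose contents the slides do not show.
// The allowed host name is the one from the slides; replace it with your own.
const ALLOWED_HOSTS = ['webdev.cislabs.uncw.edu'];

// Is the current request already over TLS? Apache and nginx leave
// $_SERVER['HTTPS'] unset on plain HTTP, but IIS sets it to "off",
// so "non-empty" alone is not a safe test.
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Rebuild the URL of the current page with the requested scheme.
// HTTP_HOST is copied from the client's Host header, so it is checked
// against an allow-list before it goes into a Location header; without
// that check a forged Host header turns this into an open redirect.
function current_url(string $scheme): string
{
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        http_response_code(400);
        exit('Unknown host');
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    // A client may send an absolute-form request line; accept only a path.
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return $scheme . '://' . $host . $uri;
}

function redirect_to(string $url): void
{
    header('Location: ' . $url, true, 302);
    // Stop the script: otherwise the protected page is still generated and
    // sent to any client that ignores the redirect.
    exit;
}

// secure_conn.php behaviour: include on pages with sensitive content.
function require_https(): void
{
    if (!is_https()) {
        redirect_to(current_url('https'));
    }
}

// reg_conn.php behaviour: drop back to plain HTTP, e.g. after logout.
// Cookies set without the Secure flag will travel in clear text from here
// on, so the session is invalidated server-side before the switch (the stale
// cookie may still be sent, but it no longer identifies anyone).
function require_http(): void
{
    if (is_https()) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            $_SESSION = [];
            session_destroy();
        }
        redirect_to(current_url('http'));
    }
}

// With this file in place the two slide files reduce to one line each:
//   secure_conn.php:  require_once 'conn_helpers.php'; require_https();
//   reg_conn.php:     require_once 'conn_helpers.php'; require_http();
```

One deployment caveat: if TLS is terminated by a load balancer or reverse proxy in front of PHP, $_SERVER['HTTPS'] is never set on the application server and require_https() would redirect forever. In that setup is_https() has to consult the proxy's X-Forwarded-Proto header instead, and only when the request demonstrably arrived from that proxy, since the header is otherwise just another client-controlled value.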