As the internet becomes increasingly integral to our daily lives, securing web applications is more crucial than ever. This page will walk you through key web security concepts, focusing on their importance and application in web development.
SSL certificates are digital documents that authenticate a website's identity and enable encrypted connections between the server and client.
How SSL Works in Web Security:
A website owner requests an SSL certificate from a Certificate Authority (CA).
The CA verifies the owner's identity and issues a certificate.
The website installs the certificate on its web server.
When a user connects to the website, their browser checks the certificate's validity.
If valid, an encrypted connection is established using the SSL/TLS protocol.
Importance in Web Development:
SSL certificates enable HTTPS, which is crucial for protecting sensitive data during transmission.
They provide visual trust indicators (like the padlock icon in browsers) to users.
Search engines often give preference to HTTPS websites in search results.
Always use HTTPS for login pages, payment processes, and any form that collects sensitive information.
Encryption is vital in web security, transforming readable data into unreadable form using algorithms and keys, so only authorized parties can access the information. Encryption algorithms are mathematical procedures used to encode information, making it unreadable without the correct decryption key. Encryption keys are strings of bits used to encrypt and decrypt data. The security of encrypted data depends on keeping these keys secret.
Symmetric Encryption
Definition: Same key for encryption and decryption.
Example: AES (Advanced Encryption Standard).
Note: Fast and efficient but requires secure key sharing.
Asymmetric Encryption
Definition: Uses a public key for encryption and a private key for decryption.
Example: RSA Algorithm.
Note: The private key is never shared, so no secret has to be distributed in advance; ideal for secure key exchange.
Symmetric Keys: Single secret key used in symmetric encryption.
Public Keys: Shared openly to encrypt data in asymmetric encryption.
Private Keys: Kept confidential to decrypt data in asymmetric encryption.
Securing Data in Transit:
HTTPS Protocol: Uses asymmetric encryption to establish a secure connection and symmetric encryption for data transfer.
Protecting Stored Data:
Database Encryption: Encrypt sensitive information to prevent unauthorized access.
Password Hashing: Store a one-way hash of each password (not reversible encryption), so the original password cannot be recovered from the database.
Secure Key Exchange:
SSL/TLS Handshake: Uses asymmetric encryption to exchange keys securely, then switches to symmetric encryption.
Plain text refers to information in its original, readable form. In our password hashing demo, the password you initially enter (like "password123") is plain text. It's easily understandable by humans and computers alike.
Cipher text is the encrypted or encoded version of the plain text. It's the result of applying an encryption algorithm to the plain text, making it unreadable without the proper decryption method. In our demo, the final hashed password is a form of cipher text, although it's specifically a "hash" rather than reversible encryption.
Hashing, which we demonstrate in our password demo, is a one-way process. It converts plain text into a fixed-size string of characters. Good hash functions have these properties:
They're one-way (you can't reverse a hash to get the original input)
They're deterministic (same input always produces the same hash)
They have a low likelihood of "collisions" (different inputs producing the same hash)
In our demo, we use a salt – a random string added to the password before hashing. Salting serves two main purposes:
It protects against rainbow table attacks (pre-computed tables for cracking password hashes)
It ensures that two users with the same password will have different hash values
In the context of web development, authentication and authorisation are two crucial security mechanisms used to protect websites and applications, ensuring that only legitimate users can access resources and functionalities within a system.
Authentication is the process of verifying who a user is. When you log in to a website, you are asked to provide credentials like a username and a password. These credentials are then checked against stored data (usually on a server) to verify your identity. If the credentials match, the server confirms that you are indeed the person you claim to be, and you are authenticated.
Authorisation, on the other hand, is the process of determining what an authenticated user is allowed to do. Once the system knows who you are (through authentication), it needs to decide what resources and actions you can access. This decision is usually based on user roles such as "regular user" or "admin."
Authentication asks the question: "Who are you?"
Authorisation asks the question: "What are you allowed to do?"
You can explore the concepts of authentication and authorisation using the demo below. Test how the system responds to different users and roles:
There are two predefined users in the system:
Regular User: username: "user", password: "user123"
Admin User: username: "admin", password: "admin123"
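The salted password hashing described above and the two-user authentication/authorisation demo, as an added example written for this page (not the page's own demo code): PBKDF2-SHA256 with a random per-user salt, constant-time comparison, and a role table; the action names "view_profile" and "delete_user" are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, hash); a fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def make_record(password: str, role: str) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "role": role}

# The demo's two predefined users: only salt, hash and role are stored, never the password.
USERS = {"user": make_record("user123", "user"), "admin": make_record("admin123", "admin")}

# Authorisation table (the action names are constructed for this example).
PERMISSIONS = {"user": {"view_profile"}, "admin": {"view_profile", "delete_user"}}

def authenticate(username: str, password: str) -> Optional[str]:
    """'Who are you?' Returns the user's role on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost as a real check: no timing hint about valid usernames
        return None
    return record["role"] if verify_password(password, record["salt"], record["hash"]) else None

def authorize(role: Optional[str], action: str) -> bool:
    """'What are you allowed to do?' Decided from the server-side role, never from client input."""
    return action in PERMISSIONS.get(role, set())

if __name__ == "__main__":
    for username, password in [("user", "user123"), ("admin", "admin123"), ("admin", "user123")]:
        role = authenticate(username, password)
        print(f"{username!r}: role={role}, may delete_user={authorize(role, 'delete_user')}")
```

Hashing "password123" twice yields two different stored hashes because each call draws its own salt, while re-hashing with the stored salt reproduces the original value.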
Digital signatures are like a high-tech version of handwritten signatures, but much more secure and difficult to forge. They're used in web security to verify the authenticity and integrity of digital messages or documents.
Creation: The sender uses a private key (a secret code only they know) to create a unique digital signature for a specific message or document.
Verification: The recipient uses the sender's public key (available to everyone) to check if the signature is valid.
Security: If the message is altered in any way after being signed, the signature becomes invalid.
Imagine you're downloading the latest Python library for your web development project. How do you know it hasn't been tampered with by hackers? The Python Software Foundation uses digital signatures to sign their official releases. When you download the file, your computer can verify the signature using the Foundation's public key. If the signature is valid, you know the file is authentic and hasn't been modified since it was signed.
🚀 Try out the demo to see this concept in action.
John wants to look cool, so he decides to buy some Lightning McQueen Crocs from Amazon. Here's what happens:
John opens his browser and types in "www.amazon.com".
He creates a new Amazon account.
He searches for "Lightning McQueen Crocs" and finds some with next-day delivery.
He adds the Crocs to his cart and proceeds to checkout.
John enters his credit card details and shipping address.
He reviews his order and clicks "Place your order".
John receives an order confirmation.
Accessing Amazon's website:
John's browser verifies Amazon's SSL certificate, ensuring he's on the real Amazon site. 🔒
An encrypted HTTPS connection is established between John's browser and Amazon's servers.
Creating an account:
John's chosen password is salted and hashed before being stored in Amazon's database.
The HTTPS connection ensures John's new account details are encrypted during transmission.
Browsing and adding to cart:
All of John's browsing activity and cart updates are protected by the HTTPS encryption.
Logging in to complete purchase:
Amazon authenticates John by comparing his entered password with the stored hash.
Once authenticated, Amazon's systems authorize John to access his account and complete his purchase.
Entering payment and shipping details:
The HTTPS connection continues to encrypt all data John enters, including his credit card number and address.
Amazon may further encrypt John's payment information before storing it in their database.
Placing the order:
John's entire checkout process remains protected by HTTPS encryption.
Digital signatures may be used to verify the integrity of the order confirmation page and email.