>> Securing web services can include a couple of different approaches.
One of them could be
finding ways to harden the operating system or the Web Server itself so that it can
withstand various form of attacks, or that it doesn't leave a large attack surface open.
Another way to talk about secure Web Services is the idea of, well, is it encrypted or not?
So the idea is to get underneath the hood here, I think it's important to learn the differences
between TLS 1.2 and 1.3 for example, and understand exactly how all this works, and I use
the term TLS transport layer security. A lot of folks just use the kind of vernacular term SSL
because SSL, it had been around for decades.
When we use the term SSL in modern times, we're really talking about transport layer
security, the old SSL standards. People have found a way to crack him to break into him as it
were to defeat them. So we long time ago moved to transport layer security in general, 1.2 is
the one that's used a lot.
1.3 is the more current standard. So the idea that I think you should be doing, the thing that
in order to get hands on and practical, grab some web server whether it be engine X or
Apache server, doesn't matter to me. I would do it on a Linux system.
You can virtualize those things using VirtualBox or any of the VM Ware, all that, but the idea
is to get sessions going. Actually create your own certificates and then inspect these
sessions to see how it all works. You can review the certificates inside the browsers and I'll
be doing that here shortly.
But what I want you to do is really understand how underneath the hood all of these things
work. The changes between TLS 1.2 in 1.3 or fairly significant, 1.3 kind of clean things up a
little bit. It killed old weak encryption algorithms and remove some complex features.
Complexity, it changes the game a little bit and removing that complexity is a good idea.
There's a fewer handshakes that can be put in place when it comes to TLS 1.3. The fewer the
handshakes, the better, the faster things go. Also, there's less to go wrong. There's more
confidentiality in 1.3. No matter what encrypted session you're talking about, there's always
a certain amount of unencrypted traffic at the beginning of the handshake, and 1.3 does a
better job of encrypting more of that beginning of the handshake process or the beginning
of how to negotiate that encrypted transmission in the first place.
�It also has good backwards compatibility measures, but one of the key changes here is that
the negotiation that takes place between the client and the server, the client hello, and the
server hello is now separate and it's from the cipher suite negotiation. There's also a much
smaller cipher suite.
There's only five of them now. If you include the old SSL standards and the old TLS
standards, it's over 300 possible cipher suites that could be used. If you included all those
but with TLS 1.3, it just brings it down to five. Five very common sense, pretty strong ones.
The ciphers are actually shorter too if you investigate them in the packet capture like you're
seeing here. So the idea is that, if you have a TLS handshake that is longer, you could have
billions of these taking place everyday. So TLS handshake will go about 300 to 350
milliseconds in general to happen.
If you set it up properly with TLS 1.3 much shorter handshake, it may not seem significant,
but when you're talking about billions of transactions, trust me, it's significant in terms of
reducing load and increasing speed. So here's the cipher suite. Again, there were a whole
bunch of them before, now there were fewer of them five, and so you can see the difference
there.
When it comes to issues, 1.3 will be slowly implemented [be]cause you have to reconfigure
servers. There's backwards compatibility and extensions that can happen, that can also
introduce some of the 1.2, or reintroduce them. 1.2 kinds of issues that we've seen, but
nevertheless it's an interesting way to compare them.
Well, what I want to do now is take a look at a couple of sessions so you can understand
more about how certificates work in regards to TLS. I've got the CompTIA website open
here open Chrome and I'm taking a look at the certificates. So I've got a secure connection
here going using port 443.
You could take a look at the certificate to learn more about how all of this works because
you can't get a TLS session going or any of these things going unless you have a valid
certificate. So in this case digicert issued it to Comp Tia. It's using the X .509 V 3 standard,
why not?
�Using SHA, the RSA algorithm. You can see who issued it when it was issued all this
information. So this is pretty standard information. You can see the certification path that's
happening here, and that's all good and well. So the question you can ask yourself is, well,
how did that certificate end up in my browser?
Well, that was done usually via the Diffie Hellman key exchange. Okay, so those are things to
think about when you're looking at a professional level of understanding this. Now, I
created my own little Internet connection here, I created my own little web server. It's just
an engine X Web Server.
Very hello world, very standard. I created my own certificate using open SSL, so this is not
the CompTIA when you're looking at this is from stangernet.com and I signed it myself
using open SSL. You can do the same thing to learn more about how these work. So in this
case this one, I use version one of the X .509 standard but I'm using 256 RSA.
And you can see when I issued it not too long ago, September 21st in 2020, and it's going to
be valid for a year. So you can do all of these things to understand more about how SSL
works. Let's take a look at some of the packet captures here.
So what I've done is I started a session here and then I captured it here and I applied my
very simple TLS rule here so I can just view the TLS handshake. So this is where my Chrome
browser. Let's see the source. There's my windows system and I went to my Linux server.
My engine X-server. And so my client issued a hello and there's the handshake. You'll notice
it says, well, let's do version 1.2. While the server says, well, how about we do version 1.3
and here is your cipher suite that's used and that goes along with what you saw earlier.
One of those five cipher suites. So the thing that I want you to do is to get as hands on
practical as this possible. Use the Internet to learn about how to use open SSL to generate a
keypair. Install engine X or Apache server and get those certificates installed in there and
you can do the same sort of thing to get really underneath the hood and hands on in
practical in understanding how encryption works when it comes to securing web service.
