Web Security

Web Security Encrypting Data

Learning Paths:
Check out a free preview of the full Web Security course:
The "Encrypting Data" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike introduces data encryption for defending against Man-in-the-Middle attacks.

Get Unlimited Access Now

Transcript from the "Encrypting Data" Lesson

[00:00:00]
>> Mike North: So the way to solve this is we want to encrypt our data in flight. This is where we introduce HTTPS. And the benefit we get here is that you need a secret key in order to read or alter a response, right? In order to look at the traffic or edit it, you need to know some secret.

[00:00:21] Certificates are involved and they identify domains, and in order to get one of these certificates, you basically have to do something that proves you have control over a domain. This varies from adding an entry to an DNS table, where when the certificate authority says, if they ask for an entry of a particular name, they'll get some long cryptic string back.

[00:00:43] And they'll say, yes, that is what I asked I for. It is there. Clearly you have the password to be able to do this, and therefore, you must control this thing. I want you to think about that every time you bring a contractor onto your team or something, and you say, here are my credentials for my GoDaddy account, or you can post anything you want, here's our staging environment.

[00:01:07] It is very easy for someone to pop one of these files up there, basically get a certificate, and walk away with it. And any certificate, until we introduce a new concept, any certificate whose name matches the name of your domain will work for HTTPS, right? So I could go to Comodo and get a certificate there.

[00:01:30] And I could go to Let's Encrypt and then have them make me a free certificate. And those are equally valid. Enhanced validation, this is where we see the green address bar in our browsers. That's nice, right? As a matter of company policy, and policy of the standards body that governs issuing certificates, they are supposed to ask for government ID and have a person with a government issued ID on file, rather than just proving you own a domain in order to get one of those.

[00:02:05] They ask often for articles of incorporation, and they ensure that your business name aligns with what you have on the certificate. But that's just sort of corporate policy. If someone where to get ahold of the wrong passwords and the wrong keys, you could generate those quite easily. There's nothing about them technically that makes them any more secure than the regular certificates.

[00:02:31] It's just that additional procedural hoops must be jumped through in order to acquire one of those things.