DNS and HTTPs
ACN Presentation
Domain Names
We refer to computers on the Internet (Internet hosts) by names like:
sharda.ac.in
These are called domain names or, if you want to be really geeky, “fully qualified domain names.”
The key point is that the name identifies a particular computer – no two hosts have the same domain name.
The parts of a domain name
sharda.ac.in
A domain is a group of related hosts. The parts of sharda.ac.in are:
sharda → the particular host
ac → academic institution, the label just below the top-level domain
in → the country code (India) top-level domain
A unique host
Sharda.ac.in
This is the domain name of a unique host. It is a member of the ac.in domain, but it is the only one with the name sharda.
It is like a family – all the brothers and sisters have the same last name, but it would be confusing if two of them also had the same first name.
There is a limited number of generic top-level domains:
.edu, educational
.com, commercial
.gov, government
.org, non profit
.net, networking organizations
These are called “generic” TLDs.
There are country code top-level domain names for every nation:
.in, India
.us, United States
.mx, Mexico
.uk, United Kingdom
These are called “country code” top-level domains (ccTLDs). The organization or host does not necessarily have to be in the country to register the name.
DNS search
If your DNS server knows the IP address, it returns it. Otherwise it contacts another DNS server to get the result, and so on, until the address is found or it is determined that the name does not exist, in which case an error message is returned.
How DNS Works Simplified
If you want to call someone, you need to ask for their phone number. You can’t just dial “M Y - F R I E N D”.
If you want to mail someone, you need to get their address first.
What about the Internet? If you need to reach Google, you need their IP. Does anyone know Google’s IP?
Problem: people can’t remember IP addresses. We need human-readable names that map to IPs.
Internet Names and Addresses
Addresses, e.g. 173.194.36.78: computer-usable labels for machines; they conform to the structure of the network.
Names, e.g. www.google.com: human-usable labels for machines; they conform to organizational structure.
How do you map from one to the other? The Domain Name System (DNS).
Basic Domain Name Resolution
• Every host knows a local DNS server
• It sends all queries to the local DNS server
• If the local DNS server can answer the query, then you’re done:
1. The local server is also the authoritative server for that name
2. The local server has cached the record for that name
• Otherwise, go down the hierarchy and search for the authoritative name server
• Every local DNS server knows the root servers
• Use the cache to skip steps if possible
• E.g. skip the root and go directly to .edu if the root file is cached
Recursive DNS Query
• Puts the burden of resolution on the contacted name server
• How does Google know to whom to forward responses? Random IDs embedded in DNS queries
• What have we said about keeping state in the network?
Fig: recursive query. The client asks “Where is www.google.com?” and the contacted server walks Root → com → ns1.google.com (the google.com zone) → www.google.com on the client’s behalf.
Iterated DNS Query
• The contacted server replies with the name of the next authority in the hierarchy
• “I don’t know this name, but this other server might”
• This is how DNS works today
Fig: iterated query. The client asks “Where is www.google.com?” and is referred in turn to Root, com and ns1.google.com (the google.com zone), which finally answers for www.google.com.
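As an added example (not part of the slides), here is a small Go simulation of the iterated query in the figure: a constructed three-server hierarchy (root, a com server, ns1.google.com) and a resolver that follows each referral until it gets an authoritative answer or a definite “does not exist”. The server names, zone contents and the Record and Zone types are constructed for the example; the address is the one quoted earlier in the slides.

```go
package main

import "strings"

// Record is what a name server holds for a name: an "A" answer or an "NS"
// referral to the server that is authoritative further down the hierarchy.
type Record struct{ Type, Value string }

// Zone maps a name (or a suffix such as "com") to the record a server knows.
type Zone map[string]Record

// Constructed toy hierarchy matching the figure; the address is the one quoted earlier in the slides.
var Servers = map[string]Zone{
	"root":           {"com": {"NS", "com-tld"}},
	"com-tld":        {"google.com": {"NS", "ns1.google.com"}},
	"ns1.google.com": {"www.google.com": {"A", "173.194.36.78"}},
}

// lookup returns the record for the longest suffix of name this server knows.
func lookup(zone Zone, name string) (Record, bool) {
	labels := strings.Split(name, ".")
	for i := range labels {
		if r, ok := zone[strings.Join(labels[i:], ".")]; ok {
			return r, true
		}
	}
	return Record{}, false
}

// IteratedResolve starts at the root and follows each "I don't know this name,
// but this other server might" referral until an authoritative answer or a
// definite "does not exist". It returns the address ("" if the name does not
// exist) and the servers contacted, in order; hops are capped so that a
// misconfigured referral loop cannot spin forever.
func IteratedResolve(servers map[string]Zone, name string) (string, []string) {
	server, path := "root", []string{}
	for hop := 0; hop < 8; hop++ {
		path = append(path, server)
		rec, ok := lookup(servers[server], name)
		if !ok {
			return "", path // no record and no referral here: the name does not exist
		}
		if rec.Type == "A" {
			return rec.Value, path // authoritative answer
		}
		server = rec.Value // referral: ask the next authority in the hierarchy
	}
	return "", path
}
```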
DNS Propagation
• How many of you have purchased a domain name?
• Did you notice that it took ~72 hours for your name to become accessible?
• This delay is called DNS propagation
Fig: DNS propagation. The Sharda.ac.in resolver looks for www.my-new-site.com via Root, com and ns.godaddy.com.
Why would this process fail for a new DNS name?
Caching vs. Freshness
• DNS propagation delay is caused by caching
Fig: the Sharda.ac.in local DNS server holds cached zone files (root, .com, .net, etc.). Asked “Where is www.my-new-site.com?”, it answers “That name does not exist.” from its cache instead of walking Root → com → ns.godaddy.com → www.my-new-site.com.
Zone files may be cached for 1-72 hours
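As an added example (not from the slides), this Go simulation shows why a newly registered name can stay invisible: the local server caches the answer it got, including “that name does not exist”, and keeps serving it until the TTL runs out. The Authority map, the injectable clock and the address 203.0.113.10 are constructed for the demo and are not real registrar or zone data.

```go
package main

import "time"

// Authority stands in for the authoritative side of the hierarchy (root, com,
// ns.godaddy.com in the slide); a missing name means "that name does not exist".
type Authority map[string]string

// entry is one cached answer; Addr == "" is a cached negative answer.
type entry struct {
	Addr    string
	Expires time.Time
}

// CachingResolver models the local DNS server; Clock is injectable so TTLs can be advanced in tests.
type CachingResolver struct {
	TTL   time.Duration
	Clock func() time.Time
	cache map[string]entry // must be initialised by the caller
}

// Lookup answers from cache while the entry is fresh; otherwise it asks the
// authority and caches whatever it got, including "does not exist". That
// negative caching is what keeps a freshly registered name invisible.
func (r *CachingResolver) Lookup(auth Authority, name string) (addr, source string) {
	now := r.Clock()
	if e, ok := r.cache[name]; ok && now.Before(e.Expires) {
		return e.Addr, "cache"
	}
	addr = auth[name] // "" when the name is not registered
	r.cache[name] = entry{addr, now.Add(r.TTL)}
	return addr, "authority"
}

// PropagationDemo replays the slide: a lookup before the name is registered,
// the registration, a lookup that still says "does not exist" because the
// negative answer is cached, and the first lookup after the TTL expires.
func PropagationDemo(ttl time.Duration) [3]string {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock start
	r := &CachingResolver{TTL: ttl, Clock: func() time.Time { return now }, cache: map[string]entry{}}
	auth := Authority{}
	var out [3]string
	out[0], _ = r.Lookup(auth, "www.my-new-site.com") // not registered yet
	auth["www.my-new-site.com"] = "203.0.113.10"       // register it (constructed address)
	out[1], _ = r.Lookup(auth, "www.my-new-site.com") // stale negative answer from cache
	now = now.Add(ttl + time.Second)                   // wait out the TTL
	out[2], _ = r.Lookup(auth, "www.my-new-site.com") // now visible
	return out
}
```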
The Importance of DNS
• Without DNS…
• How could you get to any websites?
• You are your mail server
• When you sign up for websites, you use your email address
• What if someone hijacks the DNS for your mail server?
• DNS is the root of trust for the web
• When a user types www.icicibank.com, they expect to be taken to their bank’s website
• What if the DNS record is compromised?
HTTPS
HTTP
HTTP (Hypertext Transfer Protocol) is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. HTTP uses default port 80. The client submits an HTTP request message to the server. The server, which provides resources such as HTML files and other content, or performs other functions on behalf of the client, returns a response message to the client.
Fig: Working of HTTP
HTTP Limitations and Security Concerns
HTTP limitations: unsecured; does not use certificates.
Security concerns: privacy, integrity, authentication.
HTTPS
HTTPS = HTTP + SSL. HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. HTTPS by default uses port 443. URLs beginning with https indicate that the connection is encrypted using SSL.
Fig: Working of HTTPS
HTTPS implementation
HTTPS is implemented using Secure Sockets Layer (SSL). A site enables HTTPS by purchasing an SSL certificate.
What is an SSL Certificate?
An SSL certificate becomes the “passport”, the digital document that verifies the security and authenticity of the interaction. The SSL certificate is installed on a web server to identify the business using it and to encrypt sensitive data such as credit card information. SSL certificates give a website the ability to communicate securely with its web customers.
Cont’d
An SSL certificate enables encryption of sensitive information during online transactions. Each SSL certificate contains unique, authenticated information about the certificate owner. A Certificate Authority verifies the identity of the certificate owner when it is issued.
How Encryption Works?
SSL Certificate interaction with the Browser and the Server
Each SSL certificate consists of a public key and a private key. So during a secure communication, the browser encrypts the message using the public key and sends it to the server. The message is decrypted on the server side using the private key.
How to identify a Secure Connection?
In Internet Explorer, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar. You can click the lock to view the identity of the website. If the information does not match or the certificate has expired, the browser displays an error message or warning and the status bar may turn RED.
SSL Diagram
1. When any modern browser is installed, it is shipped with several CA issuer certificates. These issuer certificates contain a public key for the issuer, among other information.
2. When a web designer decides to use SSL, he needs to purchase a certificate that is signed using the CA's private key.
3. The web browser starts a connection to an HTTPS site. Along with this request the client sends all supported encryption schemes.
4. As a response to the browser's connection request, the server sends a copy of the certificate from step 2. Along with this transmission is the server's answer to the encryption negotiation.
5. Once the certificate is downloaded, the signature of the certificate (that was signed using the CA's private key) is checked using the CA's public key (installed in the browser in step 1).
6. The connection succeeds; the client can now download from and upload to the web site with the security of encryption.
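As an added example (not from the slides), the Go standard library's crypto/x509 package can reproduce steps 1, 2 and 5 offline: Issue creates a self-signed CA certificate and a server certificate signed by it, and BrowserCheck performs the checks a browser makes in step 5 (the signature chains to a bundled CA, the certificate is not expired, and the name matches the host). The CA name, the sharda.ac.in server certificate and the host names used in the test are constructed for the example; real browsers also check revocation and further extensions not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue creates a certificate for cn signed by parentKey (step 2). With parent == nil it
// is a self-signed CA root like those shipped with the browser in step 1 (fresh Ed25519 keys).
func Issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // server certificate: the hostname the browser compares
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// BrowserCheck is step 5: the browser trusts only the CA certificates it shipped with, so the
// server certificate must chain to one of them, be within its validity period and name the
// host being visited. nil is the lock icon; an error is the warning (or red bar) above.
func BrowserCheck(server *x509.Certificate, bundledCAs []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, ca := range bundledCAs {
		roots.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```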
Disadvantages of HTTPS
HTTPS is slightly slower than HTTP. HTTPS adds computational overhead as well as network overhead.
An HTTPS server can only provide one "virtual host" behind a single socket, as opposed to multiple ones behind an HTTP socket. This is because all security negotiation takes place before the HTTP protocol starts and hence before the server knows which URL the client is asking for.
HTTPS cannot prevent stealing of confidential information from the pages cached on the browser. Since in SSL data is encrypted only during transmission on the network, it is in clear text in the browser memory.
HTTP vs HTTPS:
• The URL begins with “http://” in case of HTTP, while the URL begins with “https://” in case of HTTPS.
• HTTP is unsecured while HTTPS is secured.
• HTTP uses port 80 for communication while HTTPS uses port 443 for communication.
• HTTP operates at the Application Layer while HTTPS operates at the Transport Layer.
• There is no encryption in HTTP while HTTPS uses encryption.
• No certificates are required in HTTP while certificates are required in HTTPS.
How SSL Overcomes HTTP Security Concerns
Secure Sockets Layer technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:
Privacy. An SSL Certificate enables encryption of sensitive information during online transactions.
Integrity. A Certificate Authority verifies the identity of the certificate owner when it is issued.
Authentication. Each SSL Certificate contains unique, authenticated information about the certificate owner.
Thank You