
Learn the Basics of TLS HTTPS and Web Security

Learn the basics of Transport Layer Security (TLS), HTTPS, the difference between authentication and authorization, and common web vulnerabilities and how to mitigate them.

Prerequisites

This guide assumes you have some basic foundational knowledge in the way the web works.

Basics of the Web Refresher

Brush up on the basics of the web if needed.

Disclaimer - I'm not a Security Expert!

Although I've been working in IT for a little over a decade, I am not a security professional. I have a strong understanding of fundamentals and practices. I know enough to be dangerous, as they say.

Introduction to Cryptography, TLS, and HTTPS

Security is another huge pillar in the IT and Software Engineering fields. It's so big that you can specialize just in security. What you need to get out of this section is a good understanding and awareness of some basic security terminology, tools, and practices.

Tip: Getting security right is a very hard thing to do on your own. When you get hired, your organization will, hopefully, have a team dedicated to security and experts to consult on the best way to secure your programs to their standards.

Cryptography Fundamentals

The foundation of security is cryptography: creating and sharing secrets between private parties.

Key Points
  • Cryptography deals with a lot of math under the hood.
  • The good news is the math is figured out for you when you use known cryptographic implementations and practices.
Cryptographic Protocols

Technology and applications are secured by using protocols which incorporate cryptography into their specifications.

Key Points
  • TLS also uses a handshake, similar to TCP. It does not replace the TCP handshake, but comes after it.
  • Note that the latest version of TLS is 1.3.
  • The default port for HTTPS is 443, although it's very common to use other ports between backend apps and services.
Cryptographic Tools

The most useful tool is the openssl utility, which can perform a number of cryptographic functions including creating keys, certs, and more.

Key Points
  • Play around with the openssl tool; it's invaluable.
  • You can use openssl to connect to HTTPS sites and see the handshake in action.
  • openssl can be used as a client and as a server, which is great for testing certs and keys: you can type messages on the client side and they should appear on the server side.
  • Keep the reference guide handy.
  • openssl is often used to troubleshoot and determine where in the TLS handshake something went wrong.
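
The two points above (TLS runs on top of an already established TCP connection, and openssl is the tool for making certs and for seeing where a handshake fails) can be watched in one short script. The following is an added example, not code from the original guide: it shells out to the openssl command line (assumed to be installed) to create a throwaway self-signed certificate for localhost, starts a tiny TLS echo server on a loopback port, and then connects first over plain TCP and only then runs the TLS handshake. Run it a second time with `trust_server_cert=False` and the client, using only the system's trusted roots, rejects the self-signed certificate; that is the same "verify error" you would see from `openssl s_client` against a server with an untrusted cert.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory):
    """Create a throwaway RSA key and self-signed certificate for 'localhost'.

    Assumes the openssl command-line tool is on PATH (an assumption of this
    example). This is the same command you would type by hand."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True,
    )
    return key, cert


def echo_server(listener, cert, key):
    """Accept one TCP connection, run the TLS handshake on top of it, echo one message."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    tcp_conn, _ = listener.accept()  # the TCP three-way handshake is already complete here
    try:
        with ctx.wrap_socket(tcp_conn, server_side=True) as tls_conn:  # TLS handshake happens here
            tls_conn.sendall(tls_conn.recv(1024))
    except OSError:
        pass  # e.g. the client refused our certificate and aborted the handshake
    finally:
        tcp_conn.close()  # no-op if wrap_socket already took ownership of the fd


def tls_exchange(message, trust_server_cert=True):
    """Open a TCP connection, then negotiate TLS and exchange one message.

    With trust_server_cert=True the client trusts exactly the cert we just made.
    With False it uses the system trust store, so verification fails and the
    handshake never completes; the returned dict records which happened."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed_cert(d)
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        server = threading.Thread(target=echo_server, args=(listener, cert, key), daemon=True)
        server.start()

        if trust_server_cert:
            ctx = ssl.create_default_context(cafile=cert)  # trust only this one certificate
        else:
            ctx = ssl.create_default_context()             # default roots only
        raw = socket.create_connection(("127.0.0.1", port))  # step 1: TCP handshake
        try:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:  # step 2: TLS handshake
                tls.sendall(message)
                result = {"ok": True, "version": tls.version(),
                          "cipher": tls.cipher()[0], "echo": tls.recv(1024)}
        except ssl.SSLCertVerificationError as exc:
            result = {"ok": False, "error": str(exc)}
        finally:
            server.join(timeout=5)
            listener.close()
        return result


if __name__ == "__main__":
    print(tls_exchange(b"hello over TLS"))
    print(tls_exchange(b"hello over TLS", trust_server_cert=False))
```

The `version` field shows which protocol was negotiated (TLSv1.3 on any current OpenSSL), and the `cipher` field is the suite the handshake settled on, the same information `openssl s_client -connect host:443` prints after it connects.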
Authentication and Authorization

Once communication between clients and servers is secured using cryptographic protocols, the next phase of security practices can be implemented: authentication and authorization. Authentication is identifying the user and verifying they are who they say they are. Authorization occurs after authentication and determines what the user can or cannot do or view.

Tip: Unless you are learning, it's never wise to implement your own authentication system from scratch; most likely you will not do it correctly and it will have vulnerabilities. Use known, vetted libraries and reputable auth providers when possible. What you authorize an authenticated user to see and do is still largely up to you and your team.

Fundamentals of Authentication and Authorization

Read the article defining these terms along with their types.

Cookie and Token Authentication

The most common methods for authenticating users are sessions and JWT tokens.

Key Points
  • Session cookies are stored in the user's browser and are sent on each request.
  • JWT tokens are provided as an HTTP header on each request.
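
To make the second point concrete, here is an added example (not code from the original guide) of what the server does with the `Authorization: Bearer <token>` header on each request. It mints and verifies an HS256 JWT using only the standard library, and the checks in `verify_jwt` are the ones that matter in practice: the server decides the algorithm rather than trusting the token's `alg` field, the signature is compared in constant time, and the `exp` claim is enforced. The secret and the `now` parameter are constructed for the example; in a real service the secret comes from configuration and `now` is the clock.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example; a real secret is loaded from configuration, never hard-coded.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject, ttl_seconds, secret=SECRET, now=None):
    """Return header.payload.signature for the given subject, valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token, secret=SECRET, now=None):
    """Return the payload if the token is well-formed, correctly signed and unexpired; else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The server chooses the algorithm; a token must not be able to downgrade it (e.g. to "none").
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def authenticate_request(headers, now=None):
    """Return the authenticated subject from the Authorization header, or None if absent/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return verify_jwt(auth[len("Bearer "):], now=now)["sub"]
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    token = mint_jwt("alice", ttl_seconds=3600)
    print(token)
    print(authenticate_request({"Authorization": "Bearer " + token}))
```

Note that the payload is only base64url-encoded, not encrypted: anyone holding the token can read the claims, so a JWT should never carry secrets, and it must always travel over TLS.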
OAuth Authentication

A more advanced method of authenticating users is OAuth.

Key Points
  • OAuth2 is often used when logging in with "Login with Google", "Login with Apple" etc.
  • OAuth2 can utilize JWT tokens.
Vulnerability Management and Mitigation

Even with a secured connection and authentication/authorization practices in place, that is still not enough. Web vulnerabilities are weaknesses or flaws in web applications that can be exploited by attackers to gain unauthorized access, steal data, or disrupt services. This is not an exhaustive list, but simply the most well known.

SQL Injection (SQLi)

Attackers inject malicious SQL code into queries, compromising databases and exposing or altering sensitive data.

Cross Site Scripting (XSS)

Malicious scripts are injected into web pages, stealing user data or performing actions on behalf of the user.
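The standard mitigation is contextual output encoding: whatever users typed is rendered as text, never as markup. The following added example (not code from the original guide) renders a constructed comment two ways and shows why an attribute such as `href` needs a scheme allow-list on top of escaping.

```python
import html


def render_comment_unsafe(author, body):
    """BAD: user text is concatenated straight into HTML, so any tags in it are rendered as tags."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """GOOD: html.escape turns < > & " ' into entities, so the browser displays them literally."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def render_profile_link_safe(display_name, url):
    """Attribute context: escaping stops the value breaking out of the quotes, but a
    correctly escaped URL can still use a script-executing scheme, so allow-list the scheme."""
    if not url.lower().startswith(("https://", "http://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(display_name)}</a>'


if __name__ == "__main__":
    body = "<script>alert(1)</script>"  # constructed input containing markup
    print(render_comment_unsafe("eve", body))
    print(render_comment_safe("eve", body))
    print(render_profile_link_safe("a&b", "https://example.test/?q=1&r=2"))
```

Real template engines (Jinja2 with autoescape, React's JSX, Django templates) do the text-node escaping for you by default; the places to watch are explicit "mark safe" or `innerHTML` calls and URL, JavaScript and CSS contexts, where a plain HTML escape is not enough.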

Cross-Site Request Forgery (CSRF)

Attackers trick users into performing actions without their knowledge using their authenticated session.
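The usual defence is a per-session token that the browser does not attach automatically: it is embedded in the form the server rendered and checked on every state-changing request, while the session cookie itself is marked `SameSite`. The following added example (not code from the original guide) does this with a plain dict standing in for server-side session storage, which is an assumption of the example.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Return the per-session CSRF token, creating it on first use.

    `session` is a dict standing in for server-side session storage. The token is
    embedded in forms as a hidden field; another origin cannot read it, unlike the
    cookie the browser attaches to cross-site requests on its own."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_csrf(session, form):
    """True only if the submitted token matches the session's token (constant-time compare)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def session_cookie_header(session_id):
    """Set-Cookie value with the attributes that blunt CSRF and cookie theft:
    SameSite=Lax keeps the cookie off cross-site POSTs, Secure restricts it to HTTPS,
    HttpOnly keeps it away from page scripts."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_transfer(session, form):
    """A state-changing endpoint: the session says who the user is; the CSRF token
    shows the request came from a page we served to that user."""
    if not verify_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    session = {"user": "alice"}                     # constructed logged-in session
    token = issue_csrf_token(session)               # rendered into the form as a hidden field
    print(handle_transfer(session, {"to": "bob", "amount": "50", "csrf_token": token}))
    print(handle_transfer(session, {"to": "bob", "amount": "50"}))  # forged cross-site POST
    print(session_cookie_header("constructed-session-id"))
```

Frameworks ship this (Django's CSRF middleware, Rails' `protect_from_forgery`, Spring Security's CSRF filter); the value of writing it out is seeing that the check has two halves, an unguessable token and a comparison that fails closed when the token is absent.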

Insecure Direct Object Reference (IDOR)

Unauthorized access to internal objects, like files or records, due to improper authorization checks.
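This is the authentication-versus-authorization distinction from earlier in the guide made concrete: the user is logged in, but nothing checks that the record they asked for is theirs. An added example, not code from the original guide, with constructed invoice and role data standing in for a database; the safe version performs the ownership check on the object itself and gives the same answer for "not yours" and "does not exist" so that ids cannot be enumerated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: float


# Constructed sample data standing in for a database table and a role store.
INVOICES = {1001: Invoice(1001, "alice", 120.0), 1002: Invoice(1002, "bob", 80.0)}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}


class NotFound(Exception):
    pass


def get_invoice_idor(current_user, invoice_id):
    """Authenticated but not authorized: the handler trusts the id in the URL and returns
    whatever it points at, so any logged-in user can read any invoice by changing the number."""
    if current_user is None:
        raise PermissionError("login required")
    return INVOICES[invoice_id]


def get_invoice_safe(current_user, invoice_id):
    """Authentication says who is asking; authorization decides what they may see."""
    if current_user is None:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice.owner == current_user or ROLES.get(current_user) == "support"
    )
    if not allowed:
        # Same response for "missing" and "not yours": no oracle for valid ids.
        raise NotFound(invoice_id)
    return invoice


if __name__ == "__main__":
    print(get_invoice_idor("alice", 1002))   # alice reads bob's invoice: the flaw
    print(get_invoice_safe("alice", 1001))   # her own invoice: allowed
    try:
        get_invoice_safe("alice", 1002)
    except NotFound as exc:
        print("not found:", exc)
```

In a real code base the ownership predicate belongs in one place (a query scoped to the current user, or a policy object) so that every endpoint that loads the record goes through it; IDOR usually appears where one handler was written without it.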

Security Misconfiguration

Insecure settings, like default credentials or exposed error messages, leave web applications vulnerable to attacks.

Key Points
  • Default Credentials: Using factory-set usernames and passwords for admin accounts.
  • Verbose Error Messages: Displaying detailed error messages that reveal server info.
  • Directory Listing Enabled: Allowing users to browse directories without an index file.
  • Unrestricted File Uploads: Allowing dangerous file types to be uploaded without checks.
  • Disabled Security Headers: Missing headers like X-Frame-Options or Content-Security-Policy.
  • Exposed Debugging Information: Leaving debugging mode on in production environments.
  • Weak Password Policies: Not enforcing strong, complex passwords for user accounts.
  • Open Admin Interfaces: Leaving admin panels accessible without IP restrictions.
  • Old Software Versions: Running outdated software with known vulnerabilities.
  • Unused Features Enabled: Keeping unnecessary services or features active, increasing attack surfaces.
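
Several items in the list above (missing security headers, verbose errors, directory listing, version disclosure) can be checked automatically against a captured HTTP response. The following added example, not code from the original guide, audits a response's headers and body against those items; the checks and the constructed sample responses are assumptions of the example, not a complete policy.

```python
def audit_response(headers, body=""):
    """Return a list of misconfiguration findings for one HTTP response.

    `headers` is a dict of response headers and `body` the response text, as you
    would capture them from a real response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # Security headers from the list above.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("missing Strict-Transport-Security")

    # Version disclosure: a digit in Server or X-Powered-By almost always means a version string.
    for name in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in h.get(name, "")):
            findings.append(f"{name} header discloses a software version")

    # Body signatures for directory listing and debugging output.
    if "<title>Index of /" in body:
        findings.append("directory listing enabled")
    if "Traceback (most recent call last)" in body or "stack trace" in body.lower():
        findings.append("verbose error or debugging output in response body")
    return findings


if __name__ == "__main__":
    # Constructed responses for demonstration.
    weak = audit_response(
        {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.2.0"},
        "<html><head><title>Index of /uploads</title></head></html>",
    )
    hardened = audit_response(
        {"Content-Security-Policy": "default-src 'self'",
         "X-Frame-Options": "DENY",
         "X-Content-Type-Options": "nosniff",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "Server": "nginx"},
        "<html>ok</html>",
    )
    print(weak)
    print(hardened)  # []
```

A check like this belongs in a deployment pipeline or a scheduled job against the production origin, since misconfigurations tend to creep back in with infrastructure changes rather than with application code.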
Keep Tabs on the Latest Vulnerabilities

The OWASP Top 10 is a list of the 10 most critical web application security risks, guiding developers and security professionals in mitigating common vulnerabilities and promoting secure development practices.

Key Points
  • Open Web Application Security Project (OWASP).
  • A new Top 10 is published every 3-4 years.
  • Especially important for developers self-publishing their projects.