WebFund 2015W Lecture 21

From Soma-notes

Video

The video for the lecture given on Wednesday, March 25, 2015 is now available.

Notes

Google sets a large number of cookies when you access their servers. They use these to track who you are, which is vital to their advertising business: knowing who you are lets advertisers show you products that you would buy.

DuckDuckGo is another search engine, and it does not use any cookies!

TLS/SSL

Encryption and certificates

HTTPS:

  • Merely HTTP over a secured connection
  • Uses port 443 by default

With HTTPS, everything is encrypted as it is sent. A server is identified by an SSL certificate, which is digitally signed. This security certificate shows that the server you are connecting to is recognized/trusted (not someone who may be intercepting your connection).

These certificates are verified (signed) by certificate authorities such as DigiCert, and are called SSL certificates. You can SAY you are facebook.com, but since you could be lying about that, you need someone else to vouch for your identity. Unfortunately, some certificate authorities can be scams and issue certificates that are 'spoofed'.

When you see warnings in the browser, this means that there is a problem with the certificate, as it cannot be verified. When this happens, you should check the details of the certificate.

When you are using HTTPS, everyone on the network can still see your traffic, but it is completely encrypted, so it looks like garbage to them.

HTTPS demo code

When running the TLS notes demo, the browser says there is a problem with the certificate, and that it isn't valid. It says it is self-signed and expired (usually this == BAD). In this instance, it is ok because we know that we made the certificate so we trust it.

To adapt a previous application to use HTTPS, you must change require('http') to require('https') in the bin/www file. This makes the server use HTTPS as the protocol instead of HTTP.

For an HTTPS server, we must specify some options. These options supply the certificate (public key) and the private key. They are loaded using the fs module and stored in an options object, which is passed in when the server is created.

Keys and certificates can be generated using OpenSSL. The public key is given out to the clients of the server for them to encrypt data. The private key is used by the server for decryption.