[Skill] [HTTPS] [SSL/TLS] HTTPS Related Knowledge Summary

Source: Internet
Author: User
Tags: sql injection

Conclusions first:

A Authentication

Certificates (the server certificate)

B Key Negotiation

RSA, DHE/ECDHE, PSK

C Encrypted communication

Encrypted communication uses symmetric encryption with the key negotiated in stage B.

Stage B with RSA key exchange: the private key of the server certificate can decrypt the pre-master secret sent during negotiation, which yields the stage C key and thus the communication content. (So an out-of-path, passive tap is sufficient.)

Stage B with DHE/ECDHE key exchange: to compute the encryption key you need at least the server's random number (its one-time DH secret) for that connection (and possibly also the private key of the server certificate). In short, the negotiation itself uses a one-time secret.

Therefore there are two cases for decrypting HTTPS.

Situation one: cooperate with the server and obtain two pieces of information in real time: 1. the session information; 2. the server's random number. In this case an out-of-path tap is enough.

Situation two: sit inline in the network path as a man in the middle. The server certificate is needed for authentication and signing; I haven't fully worked out this part yet. Then you handshake with both ends, negotiate keys with each, and encrypt/decrypt on both sides while forwarding the content.
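To make the three-stage argument concrete, the following toy model is an added example (not code from the original notes) of RSA key transport versus DHE, using constructed small parameters and textbook RSA in place of real TLS values. It shows that a recorded handshake plus the server's long-term private key yields the session key under RSA, while under DHE the key is recoverable only if the server's one-time exponent (the "server random number" above) is also obtained.

```python
import hashlib
import secrets

# Constructed toy parameters, chosen for readability; real TLS uses 2048-bit values.
P, G = 2**127 - 1, 3                        # DH group: Mersenne prime, generator 3
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1         # RSA primes (both Mersenne primes)
N, E = RSA_P * RSA_Q, 65537                 # server's long-term public key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key (stage A)

def session_key(secret: int) -> bytes:
    """Stand-in for the TLS PRF: derive the stage C symmetric key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(64, "big")).digest()

def _digest(value: int) -> int:
    """Hash a DH share to an integer below N for the toy RSA signature."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N

def rsa_handshake():
    """TLS_RSA_*: the client encrypts a pre-master secret to the server's public key."""
    pre_master = secrets.randbelow(N)
    transcript = {"enc_pre_master": pow(pre_master, E, N)}   # what an observer records
    return session_key(pre_master), transcript

def dhe_handshake():
    """TLS_DHE_RSA_*: both sides use one-time exponents; the RSA key only signs the share."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1   # server / client ephemerals
    gx, gy = pow(G, x, P), pow(G, y, P)
    transcript = {"server_dh": gx, "client_dh": gy, "signature": pow(_digest(gx), D, N)}
    shared = pow(gy, x, P)                   # equals pow(gx, y, P) on the client side
    return session_key(shared), transcript, x

def verify_server_dh(gx: int, sig: int) -> bool:
    """Stage A check done by the client: the signature must open under the server's public key."""
    return pow(sig, E, N) == _digest(gx)

def passive_decrypt(transcript, long_term_d, server_ephemeral=None):
    """What an out-of-path observer holding the server's private key can derive."""
    if "enc_pre_master" in transcript:       # RSA: the private key recovers the pre-master secret
        return session_key(pow(transcript["enc_pre_master"], long_term_d, N))
    if server_ephemeral is None:             # DHE: the private key only signed; nothing to decrypt
        return None
    # DHE with the server's one-time exponent supplied in real time (situation one above)
    return session_key(pow(transcript["client_dh"], server_ephemeral, P))
```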

A useful quotation [1]:

A WAF applies filter rules on traffic at an "application" level (e.g. it tries to detect SQL injection attempts). This requires that the WAF sees the traffic, i.e. whatever SSL may have happened on the client side must stop at the WAF. But you usually want some SSL to protect the traffic between the client and the WAF (in fact, you usually want it more on that link than between the WAF and the server itself, since WAF and server are usually near to each other). There are ways for a WAF to see SSL-protected traffic: the WAF has a copy of the private key used by the (SSL-aware) server, and thus can decrypt the data as it flows (this can imply some restrictions on the cipher suites used by the server; namely, no DHE); or the WAF itself runs an SSL server, and that is the one which the client sees. The WAF decrypts the data, runs its magic on it, and then forwards it to the server over a new connection which may or may not be SSL-protected. Which one depends on what your WAF instance can do and how you configured it.

Concept:

http://www.guokr.com/post/114121/

http://www.guokr.com/post/116169/

http://www.guokr.com/post/148613/

https://en.wikipedia.org/wiki/HTTPS

Mutual (two-way) authentication vs. one-way authentication:

http://www.jianshu.com/p/0a7b028e2465

http://edison0663.iteye.com/blog/996526

Browser security controls:

Its main purpose is to prevent Trojans on the client operating system from intercepting the user's sensitive input (bank card number/password).

http://wiki.mbalib.com/wiki/%E5%AE%89%E5%85%A8%E6%8E%A7%E4%BB%B6

Perfect forward secrecy (PFS):

http://baike.baidu.com/item/%E5%AE%8C%E5%85%A8%E6%AD%A3%E5%90%91%E4%BF%9D%E5%AF%86

https://en.wikipedia.org/wiki/Forward_secrecy

https://www.sslchina.com/deploying-forward-secrecy/

https://zh.wikipedia.org/wiki/%E5%89%8D%E5%90%91%E5%AE%89%E5%85%A8%E6%80%A7

PFS Key Negotiation:

https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B

https://program-think.blogspot.com/2016/09/https-ssl-tls-3.html

TLS:

https://en.wikipedia.org/wiki/Transport_Layer_Security

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

Other:

1190000004985253

http://www.admin5.com/special/https/

[1] https://security.stackexchange.com/questions/44563/is-ssl-required-for-sites-hosted-behind-waf

Free Certificate:

https://letsencrypt.org/

RFC:

https://tools.ietf.org/html/rfc5246

Aside: Tor

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

Todo:

STARTTLS
