6 Transport Layer Security

 

This chapter covers

  • Resisting man-in-the-middle attacks
  • Understanding the Transport Layer Security handshake
  • Building, configuring, and running a Django web application
  • Installing a public-key certificate with Gunicorn
  • Securing HTTP, email, and database traffic with Transport Layer Security

In the previous chapters, I introduced you to cryptography. You learned about hashing, encryption, and digital signatures. In this chapter, you’ll learn how to use Transport Layer Security (TLS), a ubiquitous secure networking protocol. This protocol is an application of data integrity, data authentication, confidentiality, and nonrepudiation.

After reading this chapter, you’ll understand how the TLS handshake and public-key certificates work. You’ll also learn how to generate and configure a Django web application. Finally, you’ll learn how to secure email and database traffic with TLS.

6.1 SSL? TLS? HTTPS?

Before we dive into this subject, let’s establish some vocabulary terms. Some programmers use the terms SSL, TLS, and HTTPS interchangeably, even though they mean different things.

The Secure Sockets Layer (SSL) protocol is the insecure predecessor of TLS. The latest version of SSL is more than 20 years old. Over time, numerous vulnerabilities have been discovered in this protocol. In 2015, the IETF deprecated it (https://tools.ietf.org/html/rfc7568). TLS supersedes SSL with better security and performance.

6.2 Man-in-the-middle attack

6.3 The TLS handshake

6.3.1 Cipher suite negotiation

6.3.2 Key exchange

6.3.3 Server authentication

6.4 HTTP with Django

6.4.1 The DEBUG setting