5 Security layer 3: securing communications

 

This chapter covers

  • Understanding the concepts and vocabulary of Transport Layer Security
  • Establishing a secure connection between a web browser and a server
  • Obtaining certificates from AWS and Let’s Encrypt
  • Configuring HTTPS on the application’s public endpoint
  • Modernizing HTTPS using Mozilla’s guidelines

The application controls added in chapter 3 and infrastructure controls added in chapter 4 are all critical to guaranteeing that customer data is stored safely and protected against theft and integrity loss. We have, so far, focused our efforts on the hosting environment and ignored a large security hole: data transiting between the user and the service is left unprotected and can be stolen or modified by anyone in the pathway. In this chapter, I explain how to bring confidentiality and integrity to network communications using HTTPS.

HTTPS is composed of HTTP, the application protocol of the web, and Transport Layer Security, or TLS, the most widely used cryptographic protocol on the internet. Most of the security controls provided by HTTPS come from TLS, so we’ll spend most of this chapter exploring how to use this protocol correctly. What TLS doesn’t cover directly requires enabling controls at the HTTP level, so we’ll discuss HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) near the end of the chapter.

5.1 What does it mean to secure communications?

5.1.1 Early symmetric cryptography

5.1.2 Diffie-Hellman and RSA

5.1.3 Public-key infrastructures

5.1.4 SSL and TLS

5.2 Understanding SSL/TLS

5.2.1 The certificate chain

5.2.2 The TLS handshake

5.2.3 Perfect forward secrecy

5.3 Getting applications to use HTTPS

5.3.1 Obtaining certificates from AWS

5.3.2 Obtaining certificates from Let’s Encrypt

5.3.3 Enabling HTTPS on AWS ELB

5.4 Modernizing HTTPS

5.4.1 Testing TLS

5.4.2 Implementing Mozilla’s Modern guidelines

5.4.3 HSTS: Strict Transport Security

5.4.4 HPKP: Public Key Pinning

Summary