In this video, we will discuss why and when you should protect your web app's traffic against attackers, primarily through the use of TLS.
Course: Security Literacy
New Terms
- SSL/TLS/HTTPS: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the protocols used for securing the HTTP protocol, which makes it HTTPS.
- Certificates: SSL certificates are what web servers and clients use to prove that a site is who it says it is, and to set up a secure communication channel.
Further Reading
- SSL/TLS Authentication Explained, by German Eduardo Jaber De Lima - Medium
- Transport Layer Security (TLS), by O'Reilly publishing
- SSL and SSL Certificates Explained, by Steve Cope
Transcript
[MUSIC] [SOUND] In this stage we're going to talk about how to protect the data in your web applications and various methods to keep attackers out of your system. As we dive into the best practices and real-world implementations of these security techniques, keep in mind our discussion earlier about having a security-focused mindset. Everything from TLS to has been designed to protect you and your users. And it's up to you to implement them in the way that works best for your applications.

Let's discuss why you often see websites and applications with that green secure lock or shield next to your web browser address. The green lock appears when a site implements SSL or TLS, known as Secure Sockets Layer and Transport Layer Security. These are two protocols for providing data security to the HTTP protocol. SSL is the older version, which is no longer maintained, with TLS replacing nearly all implementations today. Although it is still often referred to as SSL, you'll want to make sure that you're actually implementing TLS. SSL is no longer considered secure, and it is not being actively maintained.

With TLS your data is protected in transit as it travels between your browser and the protected website. This is extremely critical in order to protect everything, from the credit card transactions you process to the simplest passwords and login credentials. You may also see TLS referred to as HTTPS, where the HTTP is the default security level of a site. Without TLS any information you enter on a website, including a password, can be clearly read or even altered by someone in the path between you and that website. For more information on these man-in-the-middle attacks see the teacher's notes.

In general, the process works as follows. When you browse to a site, before you actually load the page, the server and your browser communicate and share something called a certificate. The browser will verify that the server's certificate is valid. Once it has been verified, the browser and the server set up a cryptographic mechanism using complex mathematics to create a secure and tamper-resistant channel to send data back and forth. Now your browser and the website's server can send any kind of data they want back and forth and not risk attackers seeing it or stealing it.

If you don't implement TLS for your applications, when you process any kind of user data, you're not only compromising the safety and security of your trusted users, but you may also be breaking the law in your country. Even worse, you're exposing the data to criminals who may use that data to destroy the lives of users who put their trust in you. Furthermore, most web search engines will even rank you higher if you have HTTPS on your site. So why not implement it?

Now let's check out a few sites that implement TLS. If we look in the top-left of the browser, after going to Facebook's site, we see that they have HTTPS implemented. Not only do we see HTTPS, we also see something that says Secure with a lock in Chrome. We would see something similar in Safari or Firefox, or any other modern browser. Taking Facebook as an example, we can either enter our personal information to sign up on the homepage or we can log in to an existing account. Either way, we'll be passing Facebook sensitive data that authenticates us with their service. As you can see from the first five seconds of using this site, we already want Facebook to be encrypting our data as it goes from our browser to their back end. Otherwise, even someone sitting in a coffee shop on the same public network can steal your personal information and password.

Let's check out Etsy. We're probably here to browse or buy something. If we're buying something, we're going to have to enter our personal information. This includes a shipping address. Maybe I'm not as concerned about a shipping address. Maybe I'm shipping this to work. But once I have to put in credit card information, I definitely want to know that this is safe. Etsy also has this Secure with the lock in the upper left-hand corner. If it did not, and we put our card information in here, someone doesn't even have to be on our computer to steal our credentials and drain our bank account. That's very scary. And that's exactly why we need technologies like TLS.

To sum it up, TLS is critical to protecting your users' data. And if you process any data whatsoever, even just logging information, you need to have TLS implemented. In the next video we will discuss some of the means of actually implementing TLS and show you how easy it is to actually do. In the meantime, if you want to learn more in-depth details about these technologies, check out the SANS Beginners Guide to SSL and TLS, and O'Reilly's Guide to TLS, which are both linked in the teacher's notes along with other great resources.