In this video, we will discuss why and when you should protect your web app's traffic against attackers, primarily through the use of TLS.
Course: Security Literacy
- SSL/TLS/HTTPS: Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols used to secure the HTTP protocol, turning it into HTTPS. SSL is deprecated and no longer considered secure; new deployments should use TLS.
- Certificates: SSL/TLS certificates are what web servers (and, less commonly, clients) use to prove that a site is who it says it is, and to set up a secure communication channel.
In this stage we're going to talk about how to protect the data in your web applications and various methods to keep attackers out of your system. As we dive into the best practices and real-world implementations of these security techniques, keep in mind our discussion earlier about having a security-focused mindset. Everything from TLS to has been designed to protect you and your users. And it's up to you to implement them in the way that works best for your applications.

Let's discuss why you often see websites and applications with that green secure lock or shield next to your web browser address. The green lock appears when a site implements SSL or TLS, known as Secure Sockets Layer and Transport Layer Security. These are two protocols for providing data security to the HTTP protocol. SSL is the older version, which is no longer maintained, with TLS replacing nearly all implementations today. Although it is still often referred to as SSL, you'll want to make sure that you're actually implementing TLS. SSL is no longer considered secure, and it is not being actively maintained.

With TLS your data is protected in transit as it travels between your browser and the protected website. This is extremely critical in order to protect everything, from the credit card transactions you process to the simplest passwords and login credentials. You may also see TLS referred to as HTTPS, where the HTTP is the default security level of a site. Without TLS any information you enter on a website, including a password, can be clearly read or even altered by someone in the path between you and that website. For more information on these man-in-the-middle attacks see the teacher's notes.

In general, the process works as follows. When you browse to a site, before you actually load the page, the server and your browser communicate and share something called a certificate. The browser will verify that the server's certificate is valid. Once it has been verified the browser and the server set up a cryptographic mechanism using complex mathematics to create a secure and tamper-resistant channel to send data back and forth. Now your browser and the website's server can send any kind of data they want back and forth and not risk attackers seeing it or stealing it.

If you don't implement TLS for your applications, when you process any kind of user data, you're not only compromising the safety and security of your trusted users, but you may also be breaking the law in your country. Even worse, you're exposing the data to criminals who may use that data to destroy the lives of users who put their trust in you. Furthermore, most web search engines will even rank you higher if you have HTTPS on your site. So why not implement it?

Now let's check out a few sites that implement TLS. If we look in the top-left of the browser, after going to Facebook's site, we see that they have HTTPS implemented. Not only do we see HTTPS, we also see something that says Secure with a lock in Chrome. We would see something similar in Safari or Firefox, or any other modern browser. Taking Facebook as an example, we can either enter our personal information to sign up on the homepage or we can log in to an existing account. Either way, we'll be passing Facebook sensitive data that authenticates us with their service. As you can see from the first five seconds of using this site, we already want Facebook to be encrypting our data as it goes from our browser to their back end. Otherwise, even someone sitting in a coffee shop on the same public network can steal your personal information and password.

Let's check out Etsy. We're probably here to browse or buy something. If we're buying something, we're going to have to enter our personal information. This includes a shipping address. Maybe I'm not as concerned about a shipping address. Maybe I'm shipping this to work. But once I have to put in credit card information, I definitely want to know that this is safe. Etsy also has this Secure with the lock in the upper left-hand corner. If it did not, and we put our card information in here, someone doesn't even have to be on our computer to steal our credentials and drain our bank account. That's very scary. And that's exactly why we need technologies like TLS.

To sum it up, TLS is critical to protecting your users' data. And if you process any data whatsoever, even just logging information, you need to have TLS implemented. In the next video we will discuss some of the means of actually implementing TLS and show you how easy it is to actually do. In the meantime, if you want to learn more in-depth details about these technologies, check out the SANS Beginners Guide to SSL and TLS, and O'Reilly's Guide to TLS, which are both linked in the teacher's notes along with other great resources.
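The transcript above leans on two properties of the client side of that handshake: the browser refuses the obsolete SSL protocol versions, and it validates the server's certificate (including that the name on it matches the site it asked for). The following Python is an added example written for this page, not code from the Treehouse course: a deliberately weak client context, which is exactly what lets someone in the path read or alter your traffic, next to a hardened one built on the standard-library `ssl` module. The functions themselves run offline; only the `__main__` block opens a live connection, and the host `example.com` there is an assumed value, not one the course names.

```python
"""Weak vs. hardened TLS client configuration (added example, not course code)."""
import socket
import ssl
from typing import Dict, Optional, Tuple


def insecure_client_context() -> ssl.SSLContext:
    """The 'before': accepts any certificate and never checks the host name.

    This is the configuration that makes a man-in-the-middle attack trivial;
    an attacker on the coffee-shop network can present any certificate at all.
    Shown only for contrast. Never ship this.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # skip certificate validation entirely
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'after': TLS 1.2+ only, validated certificate, host name must match.

    cafile is an optional path to a PEM trust store (assumed input); with None,
    the platform's default CA certificates are loaded.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2/SSLv3, TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # server must present a valid chain
    ctx.check_hostname = True                     # and the name on it must match
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value summary of the settings that matter, for inspection or tests."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def connect_and_inspect(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, dict]:
    """Open a hardened TLS connection and return (negotiated version, peer cert).

    With the hardened context, a self-signed, expired, or wrong-name certificate
    raises ssl.SSLCertVerificationError instead of silently connecting.
    Requires network access; not exercised by the offline checks below.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    print("weak    :", describe(insecure_client_context()))
    print("hardened:", describe(hardened_client_context()))
    # Live check against an assumed host; uncomment to run with network access.
    # version, cert = connect_and_inspect("example.com")
    # print(version, cert.get("subject"))
```

The ordering in `insecure_client_context` is not cosmetic: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, so anyone who disables verification has to clear the host-name check first, which is a useful thing to grep for in code review.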