1 00:00:00,000 --> 00:00:02,073 [MUSIC] 2 00:00:02,073 --> 00:00:07,899 [SOUND] In this stage we're going to talk about how to protect the data in 3 00:00:07,899 --> 00:00:14,636 your web applications and various methods to keep attackers out of your system. 4 00:00:14,636 --> 00:00:17,124 As we dive into the best practices and 5 00:00:17,124 --> 00:00:21,378 real-world implementations of these security techniques, 6 00:00:21,378 --> 00:00:26,847 keep in mind our discussion earlier about having a security-focused mindset. 7 00:00:26,847 --> 00:00:33,092 Everything from TLS to has been designed to protect you and your users. 8 00:00:33,092 --> 00:00:37,192 And it's up to you to implement them in the way that works best for 9 00:00:37,192 --> 00:00:38,872 your applications. 10 00:00:38,872 --> 00:00:43,112 Lets discuss why you often see websites and applications 11 00:00:43,112 --> 00:00:48,610 with that green secure lock or shield next to your web browser address. 12 00:00:48,610 --> 00:00:53,230 The green lock appears when a site implements SSL or 13 00:00:53,230 --> 00:00:58,720 TLS, known as Secure Socket Layer and Transport Layer Security. 14 00:00:58,720 --> 00:01:04,120 These are two protocols for providing data security to the HTTP protocol. 15 00:01:05,350 --> 00:01:09,390 SSL is the older version, which is no longer maintained, 16 00:01:09,390 --> 00:01:13,950 with TLS replacing nearly all implementations today. 17 00:01:13,950 --> 00:01:16,340 Although it is still often referred to as SSL, 18 00:01:16,340 --> 00:01:20,140 you'll want to make sure that you're actually implementing TLS. 19 00:01:21,240 --> 00:01:27,700 SSL is no longer considered secure, and it is not being actively maintained. 20 00:01:27,700 --> 00:01:31,600 With TLS your data is protected in transit 21 00:01:31,600 --> 00:01:35,970 as it travels between your browser and the protected website. 22 00:01:35,970 --> 00:01:41,170 This is extremely critical in order to protect everything, from the credit 23 00:01:41,170 --> 00:01:46,910 card transactions you process to the simplest passwords and log in credentials. 24 00:01:46,910 --> 00:01:50,180 You may also see TLS referred to as HTTPS, 25 00:01:51,580 --> 00:01:55,870 where the HTTP is the default security level of a site. 26 00:01:55,870 --> 00:02:00,410 Without TLS any information you enter on a website, 27 00:02:00,410 --> 00:02:04,420 including a password, can be clearly read or 28 00:02:04,420 --> 00:02:10,200 even altered by someone in the path between you and that website. 29 00:02:10,200 --> 00:02:15,390 For more information on these man-in-the middle attacks see the teacher's notes. 30 00:02:15,390 --> 00:02:18,220 In general, the process works as follows. 31 00:02:18,220 --> 00:02:22,810 When you browse to a site, before you actually load the page, 32 00:02:22,810 --> 00:02:28,540 the server and your browser communicate and share something called a certificate. 33 00:02:28,540 --> 00:02:33,165 The browser will verify that the server's certificate is valid. 34 00:02:33,165 --> 00:02:38,315 Once it has been verified the browser and the server set up a cryptographic 35 00:02:38,315 --> 00:02:43,410 mechanism using complex mathematics to create a secure and 36 00:02:43,410 --> 00:02:46,705 tamper-resistant channel to send data back and forth. 37 00:02:47,710 --> 00:02:52,907 Now your browser and the website's server can send any kind of data they 38 00:02:52,907 --> 00:02:57,859 want back and forth and not risk attackers seeing it or stealing it. 39 00:02:57,859 --> 00:03:02,831 If you don't implement TLS for your applications, when you process any kind 40 00:03:02,831 --> 00:03:07,728 of user data, you're not only compromising the safety and security of your 41 00:03:07,728 --> 00:03:13,080 trusted users, but you may also be breaking the law in your country. 42 00:03:13,080 --> 00:03:16,870 Even worse, you're exposing the data to criminals 43 00:03:16,870 --> 00:03:21,640 who may use that data to destroy the lives of users who put their trust in you. 44 00:03:22,800 --> 00:03:27,780 Furthermore, most web search engines will even rank you 45 00:03:27,780 --> 00:03:32,370 higher if you have HTTPS on your site. 46 00:03:32,370 --> 00:03:33,640 So why not implement it? 47 00:03:34,740 --> 00:03:37,700 Now let's check out a few sites that implement TLS. 48 00:03:39,190 --> 00:03:43,370 If we look in the top-left of the browser, after going to Facebook's site, 49 00:03:43,370 --> 00:03:47,340 we see that they have HTTPS implemented. 50 00:03:47,340 --> 00:03:49,660 Not only do we see HTTPS, 51 00:03:49,660 --> 00:03:55,307 we also see something that says Secure with a lock in Chrome. 52 00:03:55,307 --> 00:04:00,210 We would see something similar in Safari or Firefox, or any other modern browser. 53 00:04:01,380 --> 00:04:06,559 Taking Facebook as an example, we can either enter our personal information 54 00:04:06,559 --> 00:04:10,874 to sign up on the homepage or we can log in to an existing account. 55 00:04:14,476 --> 00:04:15,260 Either way, 56 00:04:15,260 --> 00:04:21,440 we'll be passing Facebook sensitive data that authenticates us with their service. 57 00:04:21,440 --> 00:04:26,600 As you can see from the first five seconds of using this site, we already want 58 00:04:26,600 --> 00:04:32,800 Facebook to be encrypting our data as it goes from our browser to their back end. 59 00:04:32,800 --> 00:04:37,950 Otherwise, even someone sitting in a coffee shop on the same public network 60 00:04:37,950 --> 00:04:41,400 can steal your personal information and password. 61 00:04:41,400 --> 00:04:51,140 Let's check out Etsy We're probably here to browse or buy something. 62 00:05:01,938 --> 00:05:06,290 If we're buying something, we're going to have to enter our personal information. 63 00:05:14,108 --> 00:05:15,783 This includes a shipping address. 64 00:05:27,337 --> 00:05:30,790 Maybe I'm not as concerned about a shipping address. 65 00:05:30,790 --> 00:05:32,670 Maybe I'm shipping this to work. 66 00:05:32,670 --> 00:05:35,500 But once I have to put in credit card information, 67 00:05:35,500 --> 00:05:37,990 I definitely want to know that this is safe. 68 00:05:37,990 --> 00:05:43,450 Etsy also has this Secure with the lock in the upper left-hand corner. 69 00:05:43,450 --> 00:05:48,380 If it did not, and we put our card information in here, someone doesn't even 70 00:05:48,380 --> 00:05:53,330 have to be on our computer to steal our credentials and drain our bank account. 71 00:05:53,330 --> 00:05:54,750 That's very scary. 72 00:05:54,750 --> 00:05:59,570 And that's exactly we need technologies like TLS. 73 00:05:59,570 --> 00:06:04,560 To sum it up, TLS is critical to protecting your user's data. 74 00:06:04,560 --> 00:06:10,160 And if you process any data whatsoever, even just logging information, 75 00:06:10,160 --> 00:06:13,280 you need to have TLS implemented. 76 00:06:13,280 --> 00:06:18,710 In the next video we will discuss some of the means of actually implementing TLS and 77 00:06:18,710 --> 00:06:22,060 show you how easy it is to actually do. 78 00:06:22,060 --> 00:06:25,410 In the mean time, if you want to learn more in depth details 79 00:06:25,410 --> 00:06:30,360 about these technologies, check out the SANS Beginners Guide to SSL and 80 00:06:30,360 --> 00:06:33,770 TLS, and O'Reilly's Guide to TLS, 81 00:06:33,770 --> 00:06:38,150 which are both linked in the teacher's notes along with other great resources.