chapter4 Flashcards
IIS stands for
internet information server
encryption technologies relies on
certificates
what does encryption mean
Encryption means making data unreadable using a key.
give the 2 types of encryption
symmetric encryption, asymmetric encryption
explain symmetric encryption
Symmetric encryption is when both sides have the same identical key to encrypt/decrypt data. The advantage of this is that it is fast and efficient enough for instant communication over the web; the disadvantage is how one gets the symmetric key safely to the other side/party: if the key is intercepted, all encryption is useless.
explain asymmetric encryption
Asymmetric encryption is when both sides have a different key from a so-called key pair: two keys that belong together.
Public key -> everything encrypted with the public key can only be decrypted with the private key. The public key is sent to other parties and is publicly available; anyone can encrypt with the public key and send the data to the server, where only the server has the private key to decrypt and read it = secure communication with the server.
Private key -> everything encrypted with the private key can be decrypted with the public key. The private key is never sent by the party that started using the key pair. Data encrypted with the server's private key can be decrypted by anyone using the public key associated with that private key; this makes the data readable by anyone, but if decryption with the public key fails you know the encrypted data did not come from the server as you think = certainty of where your message came from.
The main advantage is that you can easily send the public key over the web to the other party; that is the entire point of it. The big disadvantage is that the algorithm is slow, too slow to serve for constant instant communication over the web.
how can we verify that a certificate comes from a correct CA
All official CAs have a public key of their own for this purpose: they have encrypted a piece of code using the corresponding private key and then attached that piece of code to all the certificates they issue. We call this piece of code the sign.
All browsers have these public keys installed by default, so when a web browser tries to decrypt the sign and it succeeds, the certificate has been issued by a legitimate CA. Not possible? Then the certificate is not issued by a legitimate CA, and it is also called a self-signed certificate.
HSTS stands for
HTTP strict transport security
give the 3 directives included in the HSTS header
Max-age=<expire-time> -> the time in seconds that the browser should remember that a site is only to be accessed using HTTPS
includeSubDomains (optional) -> if this is specified, this rule applies to all of the site’s subdomains as well
preload (optional) -> the browser will never try to connect to your domain using an insecure connection (I think)
what is CSP and what does it stand for
CSP = content-security-protocol is the name of an HTTP response header that modern browsers use to enhance the security of the document or web page. It allows you to restrict how resources such as JavaScript, CSS, or pretty much anything can be loaded.
give the 2 most relevant points in secure cookies
HttpOnly -> By default, when there's no restriction in place, cookies can be transferred not only by HTTP, but any JavaScript files loaded on a page can also access the cookies. This ability can be dangerous because it makes the page vulnerable to cross-site scripting (XSS) attacks.
Secure -> By default cookies are always sent on both HTTP and HTTPS requests. A malicious attacker who can't see encrypted traffic over an HTTPS connection can easily switch to an HTTP connection and access the same cookie because it is not encrypted. Therefore, the Secure flag is set to ensure that the cookie is encrypted when it's created.