The Web Flashcards
Provide a brief description of SSL.
SSL (Secure Sockets Layer) is a protocol that creates an encryption layer between a web browser and the web server for the website/services it is accessing.
Today SSL has been replaced by TLS (Transport Layer Security), which is basically just the new version of the protocol.
Provide a brief description of an SSL Certificate for a website and why it's necessary.
An SSL Certificate is a certificate that authenticates a website’s identity. A TLS certificate is issued by a certificate authority to the person or business that owns a domain.
The certificate contains important information about who owns the domain, along with the server’s public key, both of which are important for validating the server’s identity.
Websites need SSL certificates to:
1) Keep user data secure,
2) Verify ownership of the website,
3) Prevent attackers from creating a fake version of the site, and
4) Convey trust to users.
What is different between SSL and TLS?
SSL is the deprecated version of TLS. The name change mostly signified the change in ownership from Netscape to the Internet Engineering Task Force (IETF).
Provide as much detail as possible about the SSL/TLS interaction in a web request.
Briefly what happens?
When does it occur?
What are the steps in detail?
https://www.cloudflare.com/en-gb/learning/ssl/what-happens-in-a-tls-handshake/
https://www.ssl.com/article/ssl-tls-handshake-overview/
During a TLS handshake, the two communicating sides exchange messages to acknowledge each other, verify each other, establish the cryptographic algorithms they will use, and agree on session keys.
When does a TLS handshake occur?
A TLS handshake takes place whenever a user navigates to a website over HTTPS and the browser first begins to query the website’s origin server. A TLS handshake also happens whenever any other communications use HTTPS, including API calls and DNS over HTTPS queries.
TLS handshakes occur after a TCP connection has been opened via a TCP handshake.
What are the steps to obtain and install an SSL Certificate for a Windows hosted website?
Why do APIs need SSL certificates?
In short, to prevent criminals from intercepting traffic. If your API server has a certificate installed, it means that the communication between the server and the client is secured. A “handshake” occurs and the API server knows that the traffic can be trusted and will not be inspected or injected by a malicious party.
When you have an API server or website with multiple endpoints running, or multiple URLs, how do you install a certificate?
What is an SSL Authority?
What details are typically included in an SSL certificate?
- The domain name that the certificate was issued for
- Which person, organization, or device it was issued to
- Which Certificate Authority issued it
- The Certificate Authority’s digital signature
- Associated subdomains
- Issue date of the certificate
- The expiry date of the certificate
- The public key (the private key is not revealed)
What are the different types and validation levels of SSL certificates?
There are several different types of SSL certificates. One certificate can apply to a single website or several websites, depending on the type:
Single-domain: A single-domain SSL certificate applies to only one domain (a “domain” is the name of a website, like www.cloudflare.com).
Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only one domain. However, it also includes that domain’s subdomains. For example, a wildcard certificate could cover www.cloudflare.com, blog.cloudflare.com, and developers.cloudflare.com, while a single-domain certificate could only cover the first.
Multi-domain: As the name indicates, multi-domain SSL certificates can apply to multiple unrelated domains.
SSL certificates also come with different validation levels. A validation level is like a background check, and the level changes depending on the thoroughness of the check.
**Domain Validation:** This is the least-stringent level of validation, and the cheapest. All a business has to do is prove they control the domain.
**Organization Validation:** This is a more hands-on process: the CA directly contacts the person or business requesting the certificate. These certificates are more trustworthy for users.
**Extended Validation:** This requires a full background check of an organization before the SSL certificate can be issued.
What is meant by a protocol in computing?
A protocol, in computer science, is a set of rules or procedures for transmitting data between electronic devices, such as computers.
In order for computers to exchange information, there must be a preexisting agreement as to how the information will be structured and how each side will send and receive it.
What is the difference between TLS and HTTPS?
HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites as well as some other web services. Any website that uses HTTPS is therefore employing TLS encryption.
How do you obtain an SSL Certificate?
An SSL certificate is obtained directly from a Certificate Authority (CA):
- Prepare by getting your server set up and ensuring your WHOIS record is updated and matches what you are submitting to the Certificate Authority (it needs to show the correct company name and address, etc.).
- Generate a Certificate Signing Request (CSR) on your server. This is an action your hosting company can assist with.
- Submit this to the Certificate Authority to validate your domain and company details.
- Install the certificate they provide once the process is complete.
Once obtained, you need to configure the certificate on your web host or on your own servers if you host the website yourself.
Can an SSL certificate be used on multiple servers?
It is possible to use one SSL certificate for multiple domains on the same server. Depending on the vendor, you can also use one SSL certificate on multiple servers. This is because of Multi-Domain SSL certificates, which we discussed above.
As the name implies, Multi-Domain SSL Certificates work with multiple domains. The number is left up to the specific issuing Certificate Authority. A Multi-Domain SSL Certificate is different from a Single Domain SSL Certificate, which – again, as the name implies – is designed to secure a single domain.
What is a TCP Handshake?
TCP (Transmission Control Protocol) uses a three-way handshake (aka TCP-handshake, three message handshake, and/or SYN-SYN-ACK) to set up a TCP/IP connection over an IP-based network.
The three messages transmitted by TCP to negotiate and start a TCP session are nicknamed SYN, SYN-ACK, and ACK for SYNchronize, SYNchronize-ACKnowledgement, and ACKnowledge respectively. The three message mechanism is designed so that two computers that want to pass information back and forth to each other can negotiate the parameters of the connection before transmitting data such as HTTP browser requests.
The host, generally the browser, sends a TCP SYNchronize packet to the server. The server receives the SYN and sends back a SYNchronize-ACKnowledgement. The host receives the server’s SYN-ACK and sends an ACKnowledge. The server receives ACK and the TCP socket connection is established.
This handshake step happens after a DNS lookup and before the TLS handshake, when creating a secure connection. The connection can be terminated independently by each side of the connection via a four-way handshake.