What’s behind the lock icon in your browser?

You repeat this many times a day, visiting websites that require you to log in with your username or email address and your password. Bank websites, social networking sites, email services, e-commerce sites and news sites. Here are just a few of the sites that use this mechanism.

Every time you log into one of these sites, you’re essentially saying, “Yes, I trust this site, so I’m willing to share my personal information with it.” This data can include your name, gender, physical address, email address, and sometimes even your credit card information.

But how do you know you can trust this site? To put it another way, how can a site protect your transactions so that you can trust it?

The purpose of this article is to explain the mechanisms that make a website secure. I'll start by discussing the Web protocols HTTP and HTTPS and the concept of Transport Layer Security (TLS), which is one of the encryption protocols in the Internet Protocol (IP) layer. Then I'll explain what a Certificate Authority is, what a self-signed certificate is, and how they help protect a site. Finally, I'll introduce some open source tools that you can use to create and manage your certificates.

Routes are protected using HTTPS

The easiest way to learn about a protected site is to observe one in action, and fortunately, on today's Internet it is far easier to find a secure site than an insecure one. Since you're already on Opensource.com, which I'll use as the example, you should see a lock-like icon next to the address bar no matter which browser you're using. Click on the lock icon and you should see something similar to the image below.

By default, a website that uses plain HTTP is not secure. Installing a properly configured certificate on the host that serves the site turns it from an insecure HTTP site into a secure HTTPS site. The lock icon usually indicates that the site is protected by HTTPS.

Click on the certificate to view the site's CA; depending on your browser, you may need to download the certificate to view it.

Here you can learn about the Opensource.com certificate. For example, you can see that the CA is DigiCert and that the certificate was issued to Red Hat for Opensource.com.

This certificate information allows the end user to check that the site is safe to access.

Warning: If you do not see the lock icon on a site, or if you see an icon indicating that the site is not secure, please do not log in or do anything that requires your personal data. This situation is very dangerous!

If you see a warning flag, which is rare for sites that are open to the public, it usually means that the certificate has expired or that it is self-signed rather than issued by a trusted third party. Before we get into these topics, I want to explain TLS and SSL.

Internet protocol with TLS and SSL

TLS is the successor to the older Secure Sockets Layer (SSL) protocol. The best way to understand it is to look carefully at the different layers of the Internet protocol stack.

We know that today's Internet is composed of six layers: the physical layer, data link layer, network layer, transport layer, security layer and application layer. The physical layer is the foundation, the one closest to the actual hardware device. The application layer is the most abstract layer, the one closest to the end user. The security layer can be thought of as part of the application layer. TLS and SSL, which are encryption protocols designed to provide communication security in a computer network, reside in the security layer.

This process ensures the security and confidentiality of communication between end users using network services.

Certificate authorities and self-signed certificates

The Certificate Authority (CA) is a trusted organization that can issue digital certificates.

TLS and SSL can make connections more secure, but this encryption mechanism needs a way to be verified; that is the job of the SSL/TLS certificate. TLS uses a mechanism called asymmetric encryption, which works with a pair of keys called a private key and a public key. (This is a very complex topic that is beyond the scope of this article, but if you want to learn more, you can read "Introduction to Cryptography and Public Key Cryptography fundamentals.") The basics you need to know are that certificate authorities such as GlobalSign, DigiCert, and GoDaddy are trusted vendors that issue certificates, and these can be used to verify the TLS/SSL certificate a website presents. The certificate used by the site is installed on the host server to protect the site.

However, if you just want to test a website or service in development, a CA-issued certificate may be too expensive or complex for you. You must have a trusted certificate for production purposes, but developers and webmasters need an easier way to test the site before they deploy it into production; this is where self-signed certificates come in.

A self-signed certificate is a TLS/SSL certificate issued by the person who created it rather than by a trusted CA. It's easy to generate a self-signed certificate that lets you test a secure website without having to purchase an expensive CA-issued certificate. Although self-signed certificates are definitely not intended for use in production environments, they are a simple and flexible approach for development and testing.

Open source tool for generating certificates

Several open source tools are available to manage TLS/SSL certificates. The best known of these is OpenSSL, which is included in many Linux distributions and in macOS. Of course, you can also use other open source tools.

Tool name | Description | License
OpenSSL | The best-known open source tool for implementing TLS and cryptographic libraries | Apache License 2.0
EasyRSA | A command-line utility for building PKI CAs | GPL v2
CFSSL | PKI/TLS Swiss Army knife from CloudFlare | BSD 2-Clause "Simplified" License
Lemur | TLS creation tool from Netflix | Apache License 2.0

If your goal is to be scalable and user-friendly, Netflix’s Lemur is an interesting choice. You can check out more about it on Netflix’s tech blog.

How to create a certificate with OpenSSL

You can create your own certificates; the following example uses OpenSSL to generate a self-signed certificate.

Create a private key using openssl:

openssl genrsa -out example.key 2048

Create a Certificate Signing Request (CSR) using the private key generated in step 1:

openssl req -new -key example.key -out example.csr -subj "/C=US/ST=TX/L=Dallas/O=Red Hat/OU=IT/CN=test.example.com"

Create a certificate using your CSR and private key:

openssl x509 -req -days 366 -in example.csr -signkey example.key -out example.crt
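The three commands above, run end to end and then checked the way a browser would check them, as an added example that is not part of the original article: it shows that the certificate is self-signed (issuer equals subject), that it fails chain validation against the system trust store (which is exactly why browsers warn about self-signed certificates), and that it validates only when you explicitly trust it, as you would on a test machine. It assumes the openssl CLI is installed; the working directory, file names and subject are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
SUBJ="/C=US/ST=TX/L=Dallas/O=Example Org/OU=IT/CN=test.example.com"

# The article's three steps: private key, CSR, self-signed certificate.
make_selfsigned() {
  openssl genrsa -out "$WORKDIR/example.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/example.key" -out "$WORKDIR/example.csr" -subj "$SUBJ"
  openssl x509 -req -days 366 -in "$WORKDIR/example.csr" \
    -signkey "$WORKDIR/example.key" -out "$WORKDIR/example.crt" 2>/dev/null
}

# The fields a browser shows behind the lock icon: subject, issuer, validity.
show_cert() {
  openssl x509 -in "$WORKDIR/example.crt" -noout -subject -issuer -dates
}

# Returns 0 when the certificate is self-signed, i.e. issuer equals subject.
is_selfsigned() {
  subj=$(openssl x509 -in "$WORKDIR/example.crt" -noout -subject)
  iss=$(openssl x509 -in "$WORKDIR/example.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Chain validation against the system trust store: this is the check a
# browser performs, and it fails for a self-signed certificate.
verify_against_system_store() {
  openssl verify "$WORKDIR/example.crt" >/dev/null 2>&1
}

# The same check succeeds only when this certificate itself is named as a
# trust anchor, which is acceptable on a test machine and never in production.
verify_with_explicit_trust() {
  openssl verify -CAfile "$WORKDIR/example.crt" "$WORKDIR/example.crt" >/dev/null 2>&1
}

make_selfsigned
show_cert
if verify_against_system_store; then
  echo "trusted by the system store"
else
  echo "NOT trusted by the system store (expected for a self-signed cert)"
fi
verify_with_explicit_trust && echo "validates when explicitly trusted"
```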

Learn more about Internet security

If you want to learn more about Internet security and website security, check out the YouTube video I made to accompany this article.

  • youtu.be/r0F1Hlcmjsk

Do you have questions? Let us know in the comments.


Via: opensource.com/article/19/…

Author: Bryant Son; topic selected by Lujun9972; translator: Hopefully2333; proofreader: WXY

This article was translated by the LCTT project and first published on Linux China.