Skip to main content

Day 20: How SSL/TLS Works 🔒

 Day 20: How SSL/TLS Works 🔒

Understanding how data is secured over the internet is non-negotiable for any tech professional. Today was a deep dive into SSL/TLS, the protocol that puts the "S" in HTTPS.

Key Takeaways:
1️⃣ HTTP vs. HTTPS: HTTP sends all data (even passwords!) in plain text, making it easy for hackers to "sniff." sniffing. HTTPS fixes this by using TLS (Transport Layer Security) to create an encrypted, secure channel between your browser and the server.
2️⃣ Hybrid Encryption: TLS cleverly uses both types of encryption. It starts with slower Asymmetric Encryption (a Public/Private key pair RSA) to only verify the server's identity (via a Certificate) and securely exchange a new, temporary Symmetric Key.
3️⃣ The Handshake: This initial process is the "TLS Handshake." Once complete, the rest of the session uses that super-fast Symmetric Key ⚡ to encrypt all the actual data (your logins, form data, etc.).
4️⃣ Simple Analogy: A server's Public Key is like an open padlock 🔓 it gives to everyone (inside its Certificate). You put your secret session key in a box, lock it with their padlock, and send it. Only the server has the matching Private Key 🔑 to open the box.
5️⃣ Why this matters: This is the foundation of internet trust. It prevents Man-in-the-Middle (MITM) attacks, protects user credentials 🛡️, and ensures data integrity. In DevOps, we are responsible for managing and automating these certificates for our services (e.g., in Kubernetes Ingress or Load Balancers) to keep our applications secure.



Day 20: How SSL/TLS Works 🔒

This document explains the "why" and "how" of SSL/TLS (Secure Sockets Layer / Transport Layer Security), the technology that powers HTTPS.

The Problem: The Insecure Internet (HTTP)

In a basic client-server model, you (the client) send requests (like GETPOSTPUT) to a server.

When you use plain HTTP (Hypertext Transfer Protocol), this communication is in plain text.

Let's say you try to log in to a website:

  1. Client ➡️ Server: POST /login (Username: "gaurav", Password: "pa$$w0rd123")
  2. Server ➡️ Client: HTTP 200 OK (Here's your data...)

hacker ðŸ•µ️ "sniffing" the network (e.g., on the same public Wi-Fi) can read this entire request. They now have your credentials. This is especially dangerous for banking, insurance, or any confidential site.

Attempt 1: Symmetric Encryption (A Good First Try)

What if we encrypt the data?

  • Idea: We can use a single symmetric key (a secret password) that both the client and server know.
  • Process:
    1. Client: Encrypts the login data with my_secret_key.
    2. Client ➡️ Server: "Here is the encrypted data."
    3. Client ➡️ Server: "P.S. The key to decrypt it is my_secret_key."
  • The Flaw: The hacker simply sniffs the network, intercepts the key, and then decrypts the data. We're back to square one.

Attempt 2: Asymmetric Encryption (Getting Warmer)

This method uses a key pair:

  1. Public Key 🔑 (Sharable): This key can only encrypt data. You can give it to anyone.
  2. Private Key 🤫 (Secret): This key can only decrypt data encrypted by its matching public key. You never share this.

Now, the server can generate a key pair.

  • Process:
    1. Server: Generates a public/private key pair (e.g., using openssl).
    2. Client: "Hi, I want to talk."
    3. Server ➡️ Client: "Great! Here is my Public Key ðŸ”‘."
    4. Client: "Awesome. I will generate a new Symmetric Key (let's call it the session_key)."
    5. Client: "I'll use your Public Key to encrypt my session_key."
    6. Client ➡️ Server: "Here is the encrypted session_key."
    7. Server: "Got it. I'll use my Private Key ðŸ¤« to decrypt it."
    8. Result: Both client and server now have the same secret session_key!

All future communication is encrypted using this fast symmetric session_key. The hacker can't intercept it, because even if they steal the encrypted package (in step 6), they don't have the server's private key to decrypt it.

The New Problem: The "Man-in-the-Middle" (MITM) Attack

What if the hacker is more clever?

  1. Client: "Hi Server, I want to connect."
  2. Hacker: (Intercepts the request) "Hi Server, I want to connect."
  3. Server ➡️ Hacker: "Hi! Here is my REAL Public Key ðŸ”‘."
  4. Hacker: (Saves the real key). "Hi Client! I'm the server. Here is my FAKE Public Key ðŸ”‘."
  5. Client: "Looks good! I'll encrypt my session_key with your FAKE Public Key."
  6. Client ➡️ Hacker: "Here is the encrypted session_key."
  7. Hacker: (Uses their FAKE Private Key ðŸ¤« to decrypt it). "Aha! I have the session_key!"
  8. Hacker: (Re-encrypts the session_key with the REAL Public Key).
  9. Hacker ➡️ Server: "Here is the encrypted session_key."

Result: The hacker is now an invisible proxy. They decrypt all your requests, read them, re-encrypt them, and send them to the server. You think you're secure, but you're not.

The Real Solution: SSL/TLS and Certificates 📜

How does the client know the Public Key it received actually belongs to the real server?

Answer: A Certificate Authority (CA) — a globally trusted third party (like DigiCertLet's Encrypt, etc.).

This introduces trust.

  1. Server: The server administrator (e.g., a DevOps engineer) generates a CSR (Certificate Signing Request). This file contains the server's domain name (google.com) and its Public Key.
  2. Server ➡️ CA: "Hi [DigiCert], please validate that I own google.com and sign my CSR."
  3. CA: The CA performs validation (e.g., checks DNS records, sends an email) to prove the server's identity.
  4. CA ➡️ Server: "All good! ✅ Here is your official, signed SSL Certificate."

This certificate is a public document that essentially says: "We, [DigiCert], swear that the public key inside this file belongs to [https://www.google.com/url?sa=E&source=gmail&q=google.com]."

The Final HTTPS Handshake (Putting It All Together)

Now, let's try that connection again, this time with HTTPS:

  1. Client (Browser): "Hi Server, I want to connect securely." (This is the Client Hello)
  2. Server: "Hi! Here is my SSL Certificate ðŸ“œ."
  3. Client (Browser): "Hmm... let me check this certificate."
    • "Is it for the correct domain (google.com)? Yes."
    • "Is it expired? No."
    • "Is it signed by a CA I trust (like DigiCert)? Yes! My browser has a built-in list of trusted CAs."
  4. Client (Browser): "I trust you! ✅ This public key is legit."
  5. Client: "I will now generate a random Symmetric Key (the session_key)."
  6. Client: "I'll encrypt this session_key using the server's trusted Public Key (from the certificate)."
  7. Client ➡️ Server: "Here is the encrypted session_key."
  8. Server: "Got it. I'll use my Private Key ðŸ¤« to decrypt it."
  9. Result: Both client and server securely established a shared session_key.
  10. Connection Secured: All further GET/POST requests are now encrypted with this symmetric key.

If a hacker tries the MITM attack again (Step 4 in that scenario), they can't provide a valid certificate for google.com signed by a trusted CA. The browser will immediately stop the connection and show a big red security warning ⚠️.

What about Intranet / Internal Sites?

For internal-only applications (e.g., a company dashboard), you don't need a public CA. The organization can create its own Custom CA. This custom CA certificate is then manually installed on all employee computers, telling their browsers to trust it. The process is the same, but the "root of trust" is the company itself, not a public entity.

Comments

Post a Comment

Popular posts from this blog

  "Cloud zone insights not available yet, please check after some time" message on Aria Automation https://knowledge.broadcom.com/external/article?articleNumber=314894 Products VMware Aria Suite Issue/Introduction Symptoms: The certificate for Aria operations has been replaced since it was initially added to Aria Automation as an integration. When accessing the Insights pane under  Cloud Assembly  ->  Infrastructure  ->  Cloud Zone  ->  Insights  the following message is displayed:   "Cloud zone insights not available yet, please check after some time." The  /var/log/services-logs/prelude/hcmp-service-app/file-logs/hcmp-service-app.log  file contains ssl errors similar to:   2022-08-25T20:06:43.989Z ERROR hcmp-service [host='hcmp-service-app-xxxxxxx-xxxx' thread='Thread-56' user='' org='<org_id>' trace='<trace_id>' parent='<parent_id>' span='<span_id>'] c.v.a.h.a.common.AlertEnu...
Post a Comment
Read more
  Scheduled workflows fail post upgrade of VMware Aria Automation/VMware Aria Orchestrator to version 8.18 Issue/Introduction Workflows scheduled in the VMware Aria Orchestrator fail after upgrading to VMware Aria Automation/VMware Aria Orchestrator version 8.18. The same workflows run successfully when executed manually (without scheduling). Environment   It affects both Standalone VMware Aria Orchestrator and embedded VMware Aria Orchestrator. Cause The issue is due to regressions in the VMware vCenter (VC) plugin on VMware Aria Automation/VMware Aria Orchestrator 8.18. Resolution This is a known issue with the VMware Aria Automation/VMware Aria Orchestrator 8.18 and the workaround is to update the VC plugin on VMware Aria Orchestrator with the latest version (attached with the KB). Alternatively, wait for the official fix in VMware Aria Automation/VMware Aria Orchestrator 8.18.1. Workaround :               Note: Take (non-memory)  sna...
Post a Comment
Read more

Top 10 high-level EC2 scenario-based questions to challenge your AWS & DevOps skills

 Here are 10 high-level EC2 scenario-based questions to challenge your AWS & DevOps skills 1. Your EC2 instance is running but you can’t connect via SSH. What troubleshooting steps will you take?  Check Security Group inbound rules (port 22 open to your IP).  Verify Network ACLs (NACLs not blocking inbound/outbound).  Confirm instance’s Public IP / Elastic IP.  Validate Key Pair and correct permissions on .pem.  Ensure SSM Agent is installed (Session Manager can help).  Check system logs on the console for OS-level issues. 2. You terminated an EC2 instance by mistake. How can you prevent this in the future? Enable Termination Protection in EC2 settings. Use IAM permissions to restrict TerminateInstances. Tag critical instances and set resource policies. 3. Your EC2 instance needs to access an S3 bucket securely. What’s the best way to configure this? Best practice: Attach an IAM Role with least privilege policy to the EC2 instance. Avoid hardcoding...
Post a Comment
Read more