SSL vs TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications in scenarios where that data is sent across an insecure network, such as when checking your email. The terms SSL and TLS are often used interchangeably or together (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which as a result is sometimes referred to as SSL 3.1. With that said, is there actually a difference between the two?

While SSL and TLS differ in ways that make them unable to interoperate with each other, they are generally considered equal in terms of security. The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server succeeds. If the TLS handshake fails for any reason, no connection is established.

Both Internet security protocols ensure that your data is encrypted as it is transmitted across the Internet. They also both enable you to be sure that the server you are communicating with is the server you intend to contact and not some “middle man eavesdropper”. This is possible because servers that support SSL and TLS must have certificates issued to them by a trusted third party, like Verisign or Thawte. These certificates verify that the domain name they are issued for really belongs to the server. Your computer will warn you if you try to connect to a server and the certificate that it gets back is not trusted or doesn’t match the site you are trying to connect to.

If you are mostly concerned about your level of security, you can’t really go wrong choosing either SSL or TLS.

What is HTTP 404?

Hypertext Transfer Protocol (HTTP) 404 error, also commonly known as the 404 Page Not Found error, is a response code indicating that the client was able to reach the desired server but could not find the page or file for which it was looking. In simpler terms, the Internet browser was able to connect to the website in question, but the requested page was not found.

Every time a client makes a request to a server, the server’s HTTP response carries what are called HTTP headers, including a status code. For a normal page, the status code is “200 OK,” the standard response for successful HTTP requests. Other status codes might be returned if the website redirects the request.

Each numeral in an HTTP 404 error means something. The first numeral “4” indicates that a client error has occurred, so the server is saying that there was an error on the client’s end, such as a typo. It also indicates that the error might not be permanent. The middle “0” indicates a general syntax error. The last “4” indicates which particular error was made out of the 400 client error group, which includes “400 Bad Request,” “401 Unauthorized” and “403 Forbidden.”

What is an SSL Certificate?

A secure sockets layer (SSL) certificate is a digitally signed credential, which is issued by a credentialing agency for a specific organization’s website. SSL certificates are used in Internet technology to ensure the safety of transmissions between a web browser and a server. A browser and server exchange information that indicates that the web server is valid, and the server establishes a secure connection. Users can check their browser’s appearance to determine whether they are on a secure connection.

Any organization that would like to secure its web transmissions will contact a credentialing agency, called a certificate authority, to buy an SSL certificate. The certificate authority, which should be a trusted organization itself, will verify the identity and validity of the requesting organization before issuing a certificate. After a certificate is granted, it is installed on the organization’s web server, and the private and public keys used in encrypting are created.

If a user browses to a website, the browser requests the identity of the web server. The server returns a copy of its SSL certificate. After the certificate is returned, the browser then determines whether the certificate should be trusted. If the browser is uncertain, it might display a message to the user. The user can then examine the certificate and decide whether to continue.

When the browser trusts the SSL certificate, the browser responds to the server without requiring any action from the user. The server will acknowledge the browser’s response, and it starts a secure session. Transmissions shared from here are encrypted, so they are unreadable to a hacker.

The use of SSL certificates is important in fostering user confidence in websites. Certificates are often used on e-commerce sites, where users might be sending credit card information. Use is also essential for financial services websites, such as online banking and payment fulfillment sites. Other sites that might request personal information such as addresses, birth dates or health information will also typically use SSL certificates.

Users might wish to verify that they are on a secure website before sending private information. To verify, the user can examine the browser’s address bar. The address will usually begin with “https” instead of “http.” Here, “https” stands for “hypertext transfer protocol secure.” Different browsers might also use other methods of indicating to a user that he or she is visiting a site using an SSL certificate, such as displaying a lock or information about the secure connection in the address bar or status bar.
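The checks described above, where the browser decides whether a returned certificate is trusted and matches the site, as an added PHP example that is not part of the original notes. It assumes the certificate has already been parsed with openssl_x509_parse() and uses a constructed array in that shape; it covers the validity period and hostname matching (including one-label wildcards) and leaves chain verification against trusted CAs to the TLS library.

```php
<?php
// Added example (not from the original notes): the name and validity checks a
// browser applies to a server certificate, run on a constructed array shaped
// like openssl_x509_parse() output. CA chain verification is a separate step.
$cert = [   // constructed sample, not a real certificate
    'subject'          => ['CN' => 'www.example.com'],
    'validFrom_time_t' => strtotime('2024-01-01T00:00:00Z'),
    'validTo_time_t'   => strtotime('2025-01-01T00:00:00Z'),
    'extensions'       => ['subjectAltName' => 'DNS:www.example.com, DNS:*.shop.example.com'],
];

// One certificate DNS name against the requested host. A wildcard covers exactly
// one label: *.shop.example.com matches a.shop.example.com, not b.a.shop.example.com.
function dns_name_matches(string $pattern, string $host): bool {
    $pattern = strtolower($pattern);
    $host    = strtolower($host);
    if (substr($pattern, 0, 2) !== '*.') return $pattern === $host;
    $suffix = substr($pattern, 1);                               // ".shop.example.com"
    if (substr($host, -strlen($suffix)) !== $suffix) return false;
    $label = substr($host, 0, strlen($host) - strlen($suffix));  // what "*" must cover
    return $label !== '' && strpos($label, '.') === false;
}

// Names the certificate is issued for: subjectAltName DNS entries when present
// (what browsers use today), otherwise the subject CN.
function cert_dns_names(array $cert): array {
    $names = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        if (stripos(trim($entry), 'DNS:') === 0) {
            $names[] = substr(trim($entry), 4);
        }
    }
    return $names ?: [$cert['subject']['CN'] ?? ''];
}

// Null when the certificate is acceptable for $host at $now, else the reason to warn.
function certificate_problem(array $cert, string $host, int $now): ?string {
    if ($now < $cert['validFrom_time_t'] || $now > $cert['validTo_time_t']) {
        return 'certificate is expired or not yet valid';
    }
    foreach (cert_dns_names($cert) as $name) {
        if (dns_name_matches($name, $host)) return null;
    }
    return "certificate name does not match $host";
}

foreach (['www.example.com', 'a.shop.example.com', 'b.a.shop.example.com'] as $host) {
    echo $host, ': ', certificate_problem($cert, $host, strtotime('2024-06-01T00:00:00Z')) ?? 'ok', "\n";
}
```

Passing a date after validTo_time_t as the third argument shows the expiry warning path, which is the other condition the browser refuses on.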

HTTP vs HTTPs

Hypertext Transfer Protocol (http) is a system for transmitting and receiving information across the Internet. Http serves as a request and response procedure that all agents on the Internet follow so that information can be rapidly, easily, and accurately disseminated between servers, which hold information, and clients, which are trying to access it. Http is commonly used to access html pages, but other resources can be retrieved through http as well. In many cases, clients may be exchanging confidential information with a server, which needs to be secured in order to prevent unauthorized access. For this reason, https, or secure http, was developed by Netscape to allow authorization and secured transactions.

In many ways, https is identical to http, because it follows the same basic protocols. The http or https client, such as a Web browser, establishes a connection to a server on a standard port. When a server receives a request, it returns a status and a message, which may contain the requested information or indicate an error if part of the process malfunctioned. Both systems use the same Uniform Resource Identifier (URI) scheme, so that resources can be universally identified. Use of https in a URI scheme rather than http indicates that an encrypted connection is desired.

There are some primary differences between http and https, however, beginning with the default port, which is 80 for http and 443 for https. Https works by transmitting normal http interactions through an encrypted system, so that in theory, the information cannot be accessed by any party other than the client and end server. There are two common types of encryption layers: Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which encode the data records being exchanged.

When using an https connection, the server responds to the initial connection by offering a list of encryption methods it supports. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities. After this is done, both parties exchange the encrypted information after ensuring that both are using the same key, and the connection is closed. In order to host https connections, a server must have a public key certificate, which embeds key information with a verification of the key owner’s identity. Most certificates are verified by a third party so that clients are assured that the key is secure.

Https is used in many situations, such as log-in pages for banking, forms, corporate logons, and other applications in which data needs to be secure. However, if not implemented properly, https is not infallible, and therefore it is extremely important for end users to be wary about accepting questionable certificates and cautious with their personal information while using the Internet.

http://www.wisegeek.com/what-is-the-difference-between-http-and-https.htm

Security in web applications

Some common terms in web application security testing:

Password Cracking: In order to log in to the private areas of the application, one can either guess a username/password or use a password cracker tool. Lists of common usernames and passwords are available along with open source password crackers. Enforce a complex password policy (e.g. letters, numbers and special characters, with at least a required number of characters).

URL manipulation: Check the allowed range of every input variable. Don't accept values which are not needed by the application. Avoid forming dynamic variables.

SQL Injection: This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server. Escape the quotes. Use mysql_escape_string or equivalent.

Cross Site Scripting: When a user inserts HTML or client-side script into the user interface of a web application and this insertion is visible to other users, it is called XSS. All HTML tags should be scrubbed from the variables. Don't use eval directly on any user input.

Spoofing: The creation of hoax look-alike websites or emails is called spoofing. Use identity images like the ones Yahoo! and bank websites use, so that the user is confident they are logging on to the correct system.

Crumbs: A way to ensure the user has come from the previous page in the flow and not jumped to the page directly.
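The URL manipulation, SQL injection and XSS items above, worked through on one request parameter as an added PHP example that is not part of the original notes. It assumes the pdo_sqlite extension for an offline in-memory database; binding parameters through PDO replaces the mysql_escape_string approach named above, whose mysql extension was removed in PHP 7.

```php
<?php
// Added example (not from the original notes): the three controls from the list
// above applied to one request, using an in-memory SQLite database through PDO
// so it runs offline (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Pear'), (2, '<script>alert(1)</script>')");  // constructed rows

// URL manipulation: accept only what the application needs, here an integer
// product id in 1..1000. Anything else, including "1 OR 1=1", yields null.
function valid_product_id(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $id === false ? null : $id;
}

// SQL injection: values are bound as parameters, never spliced into the query
// text, so a quote inside $name is data and cannot change the statement.
function product_id_by_name(PDO $db, string $name): ?int {
    $stmt = $db->prepare('SELECT id FROM products WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

function product_name(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Cross site scripting: encode for the HTML context at output time rather than
// stripping on input; a stored <script> tag reaches the browser as &lt;script&gt;.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request parameters, as they would arrive in $_GET['id'].
foreach (['2', '1 OR 1=1', '5000', "1'; DROP TABLE products; --"] as $raw) {
    $id = valid_product_id($raw);
    echo $id === null ? 'rejected: ' . h($raw) . "\n"
                      : '<p>' . h(product_name($db, $id) ?? '(no such product)') . "</p>\n";
}
// A quote in a bound value stays literal: this finds no row rather than every row,
// while the plain name still finds product 1.
var_dump(product_id_by_name($db, "Pear' OR '1'='1"), product_id_by_name($db, 'Pear'));
```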

PHP Array questions

1) How can I create an array of numbers easily?
If you want to create an array of consecutive numbers in PHP, then you can do it the long hand way…

<?php
$myarray = array(1,2,3,4,5,6,7);
?> 

Or you can do it the easy way, using the range function, which you simply pass the first and last value in the consecutive range. So this is equivalent to the above code:

<?php
$myarray = range(1,7);
?> 

… and when you want an array containing the numbers 1 to 1,000, you’ll be glad you learned about this function!

2) How do you remove duplicate values from an array?
Duplicate values are easily removed using the array_unique function:

<?php
$values = array("banana","apple","pear","banana");
$values = array_unique($values);
print_r($values);
?> 

Outputs:

Array
(
[0] => banana
[1] => apple
[2] => pear
)

Initiating the tech blog

This blog will contain the tech things of interest to me and Dimple.

The software industry is growing rapidly concept-wise, and it's becoming an information overload. This is an attempt to organize some of that information for our own personal sake.

Some of the things noted here may seem downright simple and silly. But with the amount of things that change every day, remembering even the simple things becomes a hard task.