
@thecatfix
Last active November 15, 2024 16:31
Certificates - Why They are Important

Why Do I Need A Certificate For A Website

Interesting to discover that another acronym that I glossed over actually ties back to my interest in the history of the internet and the keys of the internet.

What is SSL/TLS? Why don't we talk about it more often?

It's the public key / private key conversation from the 7 keys of the internet conversation on the Waveform podcast: https://share.snipd.com/snip/fa0a4118-43ec-4f78-b337-641873ba6b8c

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure communications over a network, such as the internet. They ensure that data sent between a user’s browser and a website (or between two systems) is encrypted, authenticated, and tamper-proof.

Problem SSL and TLS solve

https://share.snipd.com/snip/0d6760a0-3f7c-47c4-86ea-c7d5576360a0

The early internet, as a research project, didn't have security concerns because it was primarily used by governments, universities, and scientists. The introduction of money and commerce attracted nefarious actors who sought to exploit vulnerabilities. ICANN recognized the importance of trust and security for the internet's widespread adoption. If users couldn't trust the authenticity of websites, they wouldn't share information or conduct transactions, hindering the internet's growth. It's crucial to assure users they're logging into legitimate websites, not phishing sites that steal information.

How SSL/TLS Works

Handshake Process:

When a client (like a web browser) connects to a server (like a website), they perform an SSL/TLS handshake to establish a secure connection. This involves:

  • Exchanging cryptographic keys.
  • Authenticating the server (and optionally the client).
  • Agreeing on encryption methods.

Certificate Validation:

The server presents an SSL/TLS certificate issued by a trusted Certificate Authority (CA) to prove its identity. The client verifies the certificate to ensure it’s authentic and matches the domain.

Secure Communication:

Once the handshake is complete, the client and server use a shared encryption key to encrypt and decrypt data during the session.

Differences Between SSL and TLS

SSL:

SSL was the original protocol developed by Netscape in the 1990s. It has known vulnerabilities and is no longer considered secure. SSL versions (2.0, 3.0) are deprecated.

TLS:

TLS is the successor to SSL and offers improved security and performance. Current versions are TLS 1.2 (widely used) and TLS 1.3 (newer and more secure). When people refer to “SSL,” they often mean “TLS,” as TLS has replaced SSL in most modern applications.
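The Certificate Validation step above says the client checks that the certificate is authentic and matches the domain. This added example (not from the gist) reimplements two of those client-side checks on a constructed stand-in certificate: host-name matching against the Subject Alternative Name list, including the one-label wildcard rule, and the notBefore/notAfter validity window. It does not cover chain verification against a CA, which a real client also performs.

```python
"""Two of the checks a TLS client makes on a server certificate (added example).

Reimplements, on a constructed stand-in certificate, the host-name check
(Subject Alternative Name matching in the style of RFC 6125, where '*'
covers exactly one DNS label) and the validity-window check.
"""
from datetime import datetime, timezone

# Constructed sample: the certificate fields these two checks look at.
SAMPLE_CERT = {
    "subject_alt_names": ["example.com", "*.example.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
# Constructed clock values: one inside the validity window, one after expiry.
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRED_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)


def _san_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one SAN entry; '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any SAN entry covers the host name the client connected to."""
    return any(_san_matches(san, hostname) for san in cert["subject_alt_names"])

def is_within_validity(cert: dict, now: datetime) -> bool:
    """True if 'now' lies between notBefore and notAfter."""
    return cert["not_before"] <= now <= cert["not_after"]

def validate(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Return the failed checks; an empty list means the certificate passed."""
    failures = []
    if not hostname_matches(cert, hostname):
        failures.append(f"certificate does not cover {hostname}")
    if not is_within_validity(cert, now):
        failures.append("certificate is outside its validity window")
    return failures


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "evil.net"):
        print(f"{host}: {validate(SAMPLE_CERT, host, CHECK_TIME) or 'ok'}")
```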

Why SSL/TLS is Important

  1. Protects User Data: Prevents sensitive information like passwords, credit card details, and personal data from being intercepted.

  2. Prevents Man-in-the-Middle (MITM) Attacks: Secures data against attackers who might try to intercept or alter communications between the client and server.

  3. Builds Trust: Websites using SSL/TLS display a padlock icon in the browser’s address bar, reassuring users that their connection is secure.

  4. Enables HTTPS: SSL/TLS is the backbone of HTTPS (Hypertext Transfer Protocol Secure), which is the secure version of HTTP.

  5. Complies with Standards and Regulations: Many regulatory frameworks (e.g., GDPR, PCI DSS) require encryption for sensitive data.

How SSL/TLS is Used

  1. Web Browsing: Ensures secure access to websites via HTTPS. Example: https://example.com

  2. Email Services: Secures communication between email clients and servers (e.g., SMTP, IMAP, POP).

  3. APIs and Applications: Protects data transmitted between applications and backend services.

  4. VPNs and Remote Access: Secures connections for remote workers accessing internal networks.

How to Implement SSL/TLS

  1. Obtain an SSL/TLS Certificate: Use a trusted Certificate Authority (CA) like Let’s Encrypt, AWS ACM, or Google Certificate Manager.

  2. Install the Certificate: Install the certificate on your server or load balancer.

  3. Configure HTTPS: Redirect HTTP traffic to HTTPS and enforce secure connections.

  4. Keep TLS Versions Up to Date: Use TLS 1.2 or TLS 1.3 and disable older, insecure protocols like SSL 3.0 or TLS 1.0.
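Step 4 in code, as an added example (not from the gist): a weak Python client context that leaves the protocol floor open and skips verification, next to a hardened one that requires a valid chain and host name and negotiates nothing older than TLS 1.2. Only the standard library is used and no connection is made; audit() reads the settings back so the difference can be checked offline.

```python
"""Weak vs. hardened TLS client settings (added example, standard library only).

Puts step 4 into code: the hardened context verifies the CA chain and the
host name and negotiates nothing older than TLS 1.2, while the weak one
leaves the protocol floor open and skips verification. No connection is
made; audit() inspects the settings offline.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What not to ship: no protocol floor and no certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # any name in the certificate is accepted
    ctx.verify_mode = ssl.CERT_NONE     # any (or no) certificate is accepted
    # No floor: whatever the OpenSSL build still offers, possibly TLS 1.0/1.1.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the system CA store and check the host name."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects anything older
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations in a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions older than 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid certificate chain")
    if not ctx.check_hostname:
        findings.append("does not check the certificate against the host name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit(ctx) or "ok")
```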

How to Set Up Certificates in GCP

Create a Managed Certificate in GCP:

  1. Go to the Google Cloud Console.
  2. Navigate to Certificate Manager.
  3. Create a new Managed Certificate.
  4. Add the domain(s) you want to secure (e.g., example.com, www.example.com).

DNS Verification

GCP will provide DNS records to verify domain ownership. Add these DNS records to your DNS provider (Google Cloud DNS or Route 53).

Bind the Certificate:

Once the certificate is issued, attach it to your:

  • GCP Load Balancer
  • App Engine
  • Cloud Run service