When dealing with customer information, it is vitally important to ensure that data is never exposed to outside observers.
At Charm, data is only ever transferred over encrypted channels. Primary utilising TLS1.3 for our web-facing services and TLS1.2 for some legacy services.
Staff Summaries
Member A
SSL / TLS is a robust web browsing mechanism that uses the HTTPS protocol. You can protect your personal information and security information from risks such as spoofing, eavesdropping, and falsification. A key and certificate are required to use SSL / TLS. Certificates are issued by certificate authorities, and there are domain authentication, corporate existence authentication, and EV authentication in ascending order of security level.
Member D
- Communication process to encrypt data
- Server sends the public key and SSL server certificate to browser
- Browser sends the common key encrypted with the public key to server
- Server decrypts the common key with the private key
- Server and browser send data encrypted with the common key and decrypt with the common key
Member C
Introduction
This document describes SSL/TLS.
What is SSL/TLS?
It is a secure communication method between the web server and the web client (browser).
In the world of the Internet, it started with SSL 2.0, followed by SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and now TLS 1.3.
TLS1.1, TLS1.1, TLS1.2, and TLS1.3. Even today, when TLS1.3 is recommended, the name is often referred to as SSL or SSL/TLS.
In addition, TLS1.2 or earlier is deprecated due to its vulnerabilities.
Secure communication method of SSL
This section explains the flow of opening web services to the Internet and the introduction of SSL.
How to open your web services to the public via HTTP (non-SSL)
The Internet as a way to publish web services
You can create a website, obtain a domain name, and open it to the public via HTTP (non-SSL).
Dangers of releasing services over HTTP (non-SSL)
Publishing over HTTP has the risk of “spoofing”, “tampering” and “eavesdropping”.
This is an uncomfortable Internet service for users who enter their personal information.
Security of publishing services using HTTPS (SSL)
In order to use these services safely, HTTPS (SSL) is required
When you install the SSL server certificate to a third party such as VeriSign
Apply for the issuance of a digital certificate.
System for publishing web services using HTTPS (SSL)
Create a website and acquire a domain name, up to this point it’s the same as HTTP (non-SSL).
After that, you can compare the amounts and services of third-party providers of SSL services and create and submit a CRS (Request for Signature) on the server in accordance with the third party’s application procedures.
If the application is approved, we will install the certificate on your web server such as IIS or Apache.
During the installation, the HTTP (SSL) service will be enabled and the service will be made public.
After installation, you will have to update the certificate periodically and deal with TLS version upgrades.
Mechanism for users to connect to HTTPS(SSL)
The following flow is checked in an instant and communication is started.
- The user searches for a web service on the browser.
- Access to the corresponding web service (connection request)
- Send the public key of the server certificate from the server to the browser.
- The client verifies the certificate with the browser’s root certificate. You will be warned if your certificate has expired or otherwise expired. In some cases, security software such as ESET may check the certificate through an intermediary.
- The client encrypts the public key in the server certificate and sends it to you.
- The server decrypts the received symmetric key
- Start communication
The abolition of HTTP (non-SSL) and the trend toward HTTPS (SSL)
HTTP (non-SSL) operations can be dangerous and allow users to use the Internet with confidence
HTTPS (SSL) is being recommended.
If you are using HTTP (non-SSL) even if the homepage of the website is authenticated with HTTPS (SSL), you can use.
Always-on SSL is also recommended because it reduces security.
Points of SSL/TLS
Third-party certifiers will need to be reviewed, and periodic certificate updates and TLS upgrades will be required.
Member D
Originally developed by the now (mercifully) defunct Netscape back in 1994 to ensure secure communications between client and server on the web. By secure, communications are encrypted to that no-one can eavesdrop on messages nor insert messages of their own.
Setting up a secure connection between client and server requires both sides to have public/private key encryption capabilities.
Public/Private Key encryption
Public/Private keys are generated together. The public key is exactly as it’s name describes: put it up on the web/wherever where anyone can read it. The owner of the public key keeps the associated private key secret. The crucial difference in operation is that anyone can use the public key to encrypt a message, but the key does not contain the information to decrypt it. Only the private key does.
In practice,
So: A wants to send a message to B
A takes B’s public key, and uses it to encrypt the message.
The message can now be sent to B by whatever means available. If it’s open or unsecured, never mind, it’s encrypted so it’s gibberish to anyone who reads it. All that can be known is who sent it and to whom.
B receives the message, and using his private key, can now decrypt it and read the original message.
There is a flaw: the original request for A to find B’s public key cannot be encrypted as A obviously doesn’t know what the key is yet. A malicious person, ‘C’ might spot this request and replace B’s own public key with his own. A receives C’s key instead, and is now unknowingly sending messages to C.
To ensure the public key that A receives really did originate from B, B needs to prove he is who he really is by possessing an SSL Certificate. SSL Certificates are issued by a 3rd party SSL Certificate Authority and only after B has gone after numerous security checks for proof of identity. In practice, a certificate is a chunk of text hosted on B’s website identifying B and includes B’s public key and, just as important, the issuing authority. Armed with this, A can use this information to check B’s credentials with the originating authority for confirmation of identity. A now has proof from the authority that B is who he is and can now accept B’s public encryption key as granted.