WEBVTT

0
00:01.520 --> 00:06.340
In this lecture we’ll go deeper into HTTPS, HSTS

1
00:06.370 --> 00:11.790
and also take a look at the vulnerabilities of these protocols.

2
00:11.840 --> 00:20.410
We’ll see what SSL Sniffing and Stripping are and how we can downgrade HTTPS to HTTP.


3
00:20.450 --> 00:28.290
There are two available protocols used to communicate with web servers over the Internet: HTTP and

4
00:28.380 --> 00:37.250
HTTPS. HTTP, which comes from Hypertext Transfer Protocol, communicates in clear text, and that means that

5
00:37.280 --> 00:44.420
anyone between the source and the destination, or in the same LAN as the victim, can sniff and see

6
00:44.420 --> 00:53.780
the traffic. On the other hand, HTTPS, which stands for HTTP Secure, is an extension of the original

7
00:53.810 --> 01:02.210
HTTP protocol, and it's used for secure communication using encryption. The encryption is done using

8
01:02.240 --> 01:14.680
TLS (Transport Layer Security), which is in fact a newer version of SSL, or Secure Sockets Layer.

9
01:14.920 --> 01:20.840
This is an example of a connection that uses HTTP, which is not secure.

10
01:22.290 --> 01:30.570
This is the IP address of my default gateway, and Chrome tells us that the connection is not secure: "Your

11
01:30.570 --> 01:39.360
connection to this site is not secure"! Never connect to a website, especially if there is something confidential,

12
01:39.630 --> 01:41.300
using HTTP.

13
01:41.370 --> 01:42.970
You have been warned!

14
01:43.140 --> 01:48.780
An example of a connection that uses HTTPS is google.com.

15
01:49.900 --> 01:58.300
The connection is secure, and if I click here on this lock I see details about the certificate and the

16
01:58.300 --> 01:59.680
encryption used.

17
02:06.660 --> 02:14.790
If someone tries to sniff the traffic, he will see only encrypted data, which is unreadable; so use only

18
02:14.940 --> 02:23.400
HTTPS connections for data confidentiality, integrity and authentication, and always make sure that

19
02:23.400 --> 02:31.110
whenever you are visiting a secure website, a lock or any visible sign confirms that the connection is

20
02:31.110 --> 02:43.130
encrypted. Otherwise, someone might be eavesdropping on you! Let's move on and talk about HSTS! It stands

21
02:43.230 --> 02:52.640
for HTTP Strict Transport Security and is a security extension to HTTPS, developed initially by PayPal


22
02:52.880 --> 02:56.270
and then published as an open protocol.

23
02:56.450 --> 03:06.430
It's not supported by all major browsers! Let's see, what's HSTS? It’s a web security policy mechanism that


24
03:06.430 --> 03:15.850
helps us to protect websites against protocol downgrade attacks and cookie hijacking. HSTS allows

25
03:15.910 --> 03:24.760
a web server to declare, using a header named Strict-Transport-Security, that web browsers should interact

26
03:24.760 --> 03:34.660
with it using only authentic HTTPS connections. The HSTS domains should be loaded in what is called

27
03:34.900 --> 03:41.640
an HSTS preload list and must be supported by the browser.


28
03:41.830 --> 03:49.800
You can check if a specific domain is in the list at hstspreload.org. Let's

29
03:49.840 --> 03:53.120
check if Facebook.com is in the list.

30
03:57.220 --> 03:59.560
And we see its status: Facebook

31
03:59.620 --> 04:06.430
.com is currently preloaded; it's much more difficult to attack Facebook.

32
04:06.480 --> 04:15.960
The browser will allow only authentic HTTPS connections to this domain, but audi.com is not

33
04:15.960 --> 04:16.810
preloaded.

34
04:16.860 --> 04:22.520
It's not in the list; you can communicate with audi.com

35
04:22.560 --> 04:30.840
also using HTTP. It's possible that by the time you see this video things have already changed, and you

36
04:30.840 --> 04:32.780
might get another result.

37
04:34.210 --> 04:42.630
Okay, that's all about HTTP, HTTPS and HSTS; in the next lecture we'll see the available

38
04:42.660 --> 04:44.920
attacks on HTTPS!

39
04:44.950 --> 04:46.300
See you in a second!