Web Security for All
Published 2016-06-04 (last modified 2022-08-17) at https://www.businesstechnologyassociates.com/blog/2016/06/web-security-for-all/

<p>Accessing a web site sends information back and forth as you open pages and click on links. That data passes through numerous computers on its way between your computer and the web site's server; how many depends on your Internet provider and on the web site's provider. Recently, <strong>I traced my access to this site and counted 13 computers passing my data to and fro.</strong> And I control only one of them. Many more people have access to these 13 computers and their connections.</p>
<p>The <a href="https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol" target="_blank" rel="noopener">Hypertext Transfer Protocol</a> (HTTP) is the foundation of data communication for the World Wide Web. <a href="https://en.wikipedia.org/wiki/HTTPS" target="_blank" rel="noopener">HTTP Secure</a> (HTTPS) authenticates the web site and its server and encrypts the communication in both directions between client and server, which <strong>protects against eavesdropping and against tampering with or forging the contents of the communication</strong>. In practice this gives a reasonable guarantee that you are communicating with the intended web site and that the contents of the exchange between you and the site cannot be read or forged by any third party.</p>
<p><strong>HTTPS is especially important over insecure networks (such as public WiFi access points)</strong>, because anyone on the same local network can <a title="Packet analyzer" href="https://en.wikipedia.org/wiki/Packet_analyzer">packet sniff</a> and read any sensitive information (user name, password, etc.) that is not protected by HTTPS.</p>
<p>The security of HTTPS is that of the underlying <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" target="_blank" rel="noopener">Transport Layer Security</a> (TLS) protocol, which uses <a href="https://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank" rel="noopener">public key cryptography</a> to establish a session key that is then used to encrypt the data flowing between client and server. To validate public keys, <a href="https://en.wikipedia.org/wiki/Certificate_authority#Providers" target="_blank" rel="noopener">certificate authorities</a> (CAs) issue public key certificates that bind a public key to its owner; the CA generates, signs, and administers the validity of those certificates. Web browser makers trust certificate authorities to issue valid certificates. The top three certificate authorities in 2016 issued over 75% of all certificates in use:</p>
<ol>
<li><a href="https://www.instantssl.com" target="_blank" rel="noopener">Comodo CA</a> – certificates for $63.95 to $809.10/year.</li>
<li>Symantec Corp. – $399.00/year.</li>
<li>GoDaddy – $69.99 to $249.99/year.</li>
</ol>
<p>As of April 5, 2016, 41.7% of the Internet's 141,160 most popular websites have a secure implementation of HTTPS. That adds up to a lot of revenue for CAs that use standard protocols and freely available software: a certificate costs only a few cents to generate and a few dollars to administer. That makes selling TLS certificates one of the biggest cash cows in the world. <strong>All the certificates are exactly the same!</strong> Otherwise they would not work in our browsers. <strong>The only difference between certificates is marketing hype.</strong> Even Comodo CA sells cheaper certificates, for $12.00/year, through its <a href="https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx" target="_blank" rel="noopener">PositiveSSL</a> brand.</p>
<p>Now <strong>free certificates</strong> are available from the <a href="https://letsencrypt.org/" target="_blank" rel="noopener">Let's Encrypt</a> certificate authority, sponsored by Cisco, Hewlett Packard Enterprise, <a href="https://www.mozilla.org/en-US/" target="_blank" rel="noopener">Mozilla</a>, and Facebook among others. These certificates work the same as certificates costing much more. You can verify this with Qualys SSL Labs' <a href="https://www.ssllabs.com/ssltest/analyze.html?d=www.businesstechnologyassociates.com" target="_blank" rel="noopener">SSL Server Test</a> for this site, which uses a Let's Encrypt certificate.</p>