Abstracting WordPress Code to Reuse with Other CMS
When you develop a website, there are many things you need to consider, and security is one of them. With cyberattacks on websites rising every year, it has become an additional responsibility of web developers to build a solid foundation for the security of their websites. SSL is part of that foundation. So, if you’re a web developer, there are certain things you must know about it in order to ensure the security of your websites. Here we’re going to cover those things for you, so you can develop websites that are SSL-protected.

SSL and TLS: What’s the difference?

First, an important fact: what we’re talking about is NOT SSL! That’s right – it’s the Transfer Layer Security (TLS) protocol that secures our webpages today. TLS is the successor to SSL 3.0, and it was adopted way back in 2014 after SSL was found vulnerable to POODLE attacks. However, SSL continued to be the mainstream term for the secure data transfer protocol of the Web, which is why we still talk of SSL instead of TLS. But as a developer you should keep in mind that although we call it SSL, we’re referring to TLS.

How SSL works: The TLS Handshake

Now, the next important thing for a developer to know about SSL is how it works. Basically, it works by establishing a secure connection known as a “session” between the web browser of a user (the “client”) and the host of a website (the “server”). This secure connection is established over the HTTPS protocol, and here’s how it’s done:

Client Hello: Whenever a user opens any HTTPS URL in his/her web browser, the browser sends a “hello” message to the web server hosting that URL. This message also includes crucial details about the capabilities of the browser, like the highest SSL version it supports (e.g. TLS 1.0, TLS 2.0, TLS 3.0), the cipher suites it supports, and a random byte string called the client random.

Server Hello: Upon receiving this message, the server sends its own “hello” message to the client. This message includes the cipher suite chosen by the server from the list provided by the client, a session ID, its SSL certificate, the public key of the certificate, and another random string of bytes called the server random.

Authentication: The client then verifies the SSL certificate sent by the server against its Certificate Authority (CA) to ensure that the communication is happening with the actual owner of the domain name.

Sending of Premaster secret: Upon successful verification of the SSL certificate, the client sends another random string of bytes, called the premaster secret, to the server. This premaster secret is encrypted with the public key of the SSL certificate that was sent along with the Server Hello message.

Decryption of Premaster secret: The server decrypts the message received from the client with its private key and extracts the premaster secret.

Creation of Session keys: Now the server and client both create session keys from the client random, server random and premaster secret. The computation produces the same output (i.e. the same keys) on both sides.

Client ready: The client sends a “finished” message to the server once the session keys have been created.

Server ready: The server sends a “finished” message to the client once the session keys have been created.

Encryption achieved: That’s it. A secure connection has now been achieved, and webpages protected with encryption can now be transferred between client and server.

So that’s how a TLS handshake creates a secure connection between client and server over the HTTPS protocol. Once this connection has been established, both client and server encrypt every file and webpage before sending it. The files and webpages are then decrypted by the receiving party (i.e. server or client) using the session key.

The right time to install an SSL certificate

It’s also important for every developer to know the right time to install an SSL certificate. The SSL certificate should be installed early…
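The “Creation of Session keys” step of the handshake described above, shown as an added example (not code from the original article): both peers feed the client random, server random and premaster secret into the TLS 1.2 PRF from RFC 5246 and end up with identical write keys. It assumes the RSA-encrypted delivery of the premaster secret has already happened and that the server chose TLS_RSA_WITH_AES_128_GCM_SHA256; the function and variable names are my own.

```python
import hashlib
import hmac
import os

# Added example: TLS 1.2 key derivation (RFC 5246) for an RSA key exchange with
# TLS_RSA_WITH_AES_128_GCM_SHA256. The RSA encryption/decryption of the
# premaster secret is assumed to have happened; both sides get the same inputs.

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5: HMAC chain A(i) over the seed."""
    out, a = b"", seed                                       # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def handshake_keys(client_random: bytes, server_random: bytes, premaster: bytes) -> dict:
    """Run by both peers on identical inputs; returns the master secret and write keys."""
    master = tls12_prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with the randoms in the opposite order (server first).
    # AES-128-GCM needs two 16-byte keys and two 4-byte implicit IVs, no MAC keys.
    block = tls12_prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "master_secret": master,
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }

def simulate_handshake(rng=os.urandom):
    """Generate the three random inputs as the handshake does; derive keys on both sides."""
    client_random = rng(32)                 # ClientHello.random
    server_random = rng(32)                 # ServerHello.random
    premaster = b"\x03\x03" + rng(46)       # client_version (TLS 1.2) + 46 random bytes
    # The client would encrypt `premaster` with the certificate's public key and
    # the server would decrypt it with its private key (assumed here).
    client_side = handshake_keys(client_random, server_random, premaster)
    server_side = handshake_keys(client_random, server_random, premaster)
    return client_side, server_side

if __name__ == "__main__":
    c, s = simulate_handshake()
    print("session keys match on both sides:", c == s)
```

Changing any one of the three inputs (for instance a server random altered in transit) yields a different key block, which is why the “finished” messages that follow would fail to verify.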
This article first appeared on bootstrapbay.com.