1
00:00:01,920 --> 00:00:08,070
HTTP is the application layer protocol of websites, as you probably know.

2
00:00:08,250 --> 00:00:17,770
So this is why you see http:// when going to www.google.com, and that will take

3
00:00:18,000 --> 00:00:22,130
the HTTP version of the website.

4
00:00:22,740 --> 00:00:29,970
Now if you look here, it literally sends a text that looks like this to and from the servers.

5
00:00:30,180 --> 00:00:33,010
And this is the HTTP protocol here.

6
00:00:33,100 --> 00:00:39,600
It's saying that it's the HTTP protocol, it's talking about the servers, and then below it you have the

7
00:00:39,600 --> 00:00:48,080
HTML code, which is what you'll see if you look at the source code of the pages.

8
00:00:48,130 --> 00:00:54,640
It looks like this. So HTTP is in plain text.

9
00:00:54,720 --> 00:01:06,210
Now if I close this and actually go to Google and change it to HTTPS, I am now running HTTP

10
00:01:06,240 --> 00:01:16,590
over TLS or SSL. HTTPS provides the security services of TLS because it uses TLS, so data

11
00:01:16,620 --> 00:01:24,600
encryption, authentication usually at the server side, message integrity, and optional client or browser

12
00:01:24,600 --> 00:01:32,880
authentication. When you access a website with HTTPS, the web server will start the task to invoke SSL

13
00:01:33,090 --> 00:01:39,630
and protect the communication. The server sends a message back to the client indicating a secure session

14
00:01:39,900 --> 00:01:45,690
should be established, and the client in response sends its security parameters.

15
00:01:45,780 --> 00:01:52,260
So that means it will say: I'm prepared to use this digital signature, I'm prepared to use this key exchange

16
00:01:52,380 --> 00:01:53,310
algorithm.

17
00:01:53,310 --> 00:01:59,460
I'm prepared to use this symmetric key. And the server compares those security parameters to its own

18
00:01:59,760 --> 00:02:01,090
until it finds a match.

19
00:02:01,090 --> 00:02:08,190
And this is called the handshaking phase. The server authenticates the client by sending it a digital

20
00:02:08,190 --> 00:02:11,440
certificate, which we will be covering next.

21
00:02:11,490 --> 00:02:18,030
And if the client decides to trust the server, the process continues. The server can require the client

22
00:02:18,030 --> 00:02:21,920
to send over a digital certificate too, for mutual authentication.

23
00:02:22,200 --> 00:02:23,670
But that doesn't often happen.

24
00:02:23,710 --> 00:02:31,890
But if you're looking for a full secure end-to-end session with authentication of yourself and the other

25
00:02:31,890 --> 00:02:39,660
side, you would use certificates either side, with digital signatures, those digital certificates providing

26
00:02:39,810 --> 00:02:45,140
the authentication, and you'll understand that a little bit more when we go to digital certificates. The

27
00:02:45,170 --> 00:02:51,960
client generates a symmetric session key, like by using AES, and encrypts it with the server's public

28
00:02:51,960 --> 00:02:52,440
key.

29
00:02:52,440 --> 00:02:58,080
This encrypted key is sent to the web server, and they both use the symmetric key to encrypt the data

30
00:02:58,080 --> 00:02:59,900
they send back and forth.

31
00:02:59,910 --> 00:03:06,560
This is how the secure channel is established. TLS requires a TLS-enabled server and browser, and

32
00:03:06,590 --> 00:03:09,180
all modern browsers support TLS.

33
00:03:09,330 --> 00:03:16,620
As we saw on the Wikipedia page. And in all of the browsers you'll see HTTPS, which will indicate

34
00:03:16,620 --> 00:03:23,940
that TLS is being used, and you often see a padlock as well, and all the browsers have some sort of

35
00:03:23,940 --> 00:03:32,960
equivalent of this in order for you to know that HTTPS, or HTTP with TLS, is being used.

36
00:03:33,270 --> 00:03:39,920
If this is not shown, then the connection is not encrypted or authenticated and it will be sent in plain

37
00:03:39,920 --> 00:03:41,030
text.

38
00:03:41,160 --> 00:03:50,220
So just as you see here, and all of the contents of the website, just as I can see them now, if HTTPS is

39
00:03:50,220 --> 00:03:52,780
not used. We look at the padlock here.

40
00:03:55,300 --> 00:04:02,020
We can see the technical details for what the encryption algorithms are.

41
00:04:02,080 --> 00:04:08,590
So in this case it's using TLS, using elliptical curve with Diffie-Hellman.

42
00:04:08,800 --> 00:04:19,120
The option of RSA. The symmetric key is AES with 128 bits, with a GCM mode of operation, and SHA

43
00:04:19,120 --> 00:04:21,670
256 for data integrity.

44
00:04:21,670 --> 00:04:24,750
This had been negotiated between the client and the server.

45
00:04:24,790 --> 00:04:31,510
And if we look in Wireshark, Wireshark is a protocol analyzer, so you can see the traffic as it goes

46
00:04:31,600 --> 00:04:32,780
in and out.

47
00:04:33,030 --> 00:04:40,950
I can see here the conversation that happened, where my client, or my browser, has said: these are things

48
00:04:40,950 --> 00:04:45,520
that I support. And the server has responded

49
00:04:47,520 --> 00:04:51,080
and said: well, this is what I would actually like to use.

50
00:04:52,120 --> 00:04:58,140
And then they provided the certificate with the digital signature and the public key on it.

51
00:04:59,020 --> 00:05:07,780
And another website you can go to is SSL Labs, and if you enter in the website or URL of a site

52
00:05:07,780 --> 00:05:15,900
that is running HTTPS, you can see what encryption options are offered by that site.

53
00:05:15,960 --> 00:05:23,640
So here we can see that Bank of America's signature algorithm is SHA-256 with RSA for the digital

54
00:05:23,640 --> 00:05:24,520
signature.

55
00:05:24,570 --> 00:05:26,940
We can see the chain of trust here.

56
00:05:26,940 --> 00:05:33,540
Bank of America's certificate, a chain of trust comes down here, and then we have the root certificate

57
00:05:33,540 --> 00:05:34,170
here.

58
00:05:36,460 --> 00:05:37,940
And the protocols

59
00:05:37,960 --> 00:05:45,490
the server is prepared to use. Quite an interesting site, and it gives you a rating for how good it thinks

60
00:05:45,490 --> 00:05:46,480
the site is.

61
00:05:47,780 --> 00:05:51,600
A final point on HTTPS and a privacy problem.

62
00:05:51,600 --> 00:05:59,700
Something called the Server Name Indication, SNI, is an extension to TLS by which a client

63
00:05:59,940 --> 00:06:06,450
indicates which hostname it is attempting to connect to at the start of the handshake process, and you can

64
00:06:06,450 --> 00:06:09,800
see that represented here within Wireshark.

65
00:06:09,810 --> 00:06:11,460
We can see the server name.

66
00:06:11,460 --> 00:06:14,130
www.outlook.com.

67
00:06:14,130 --> 00:06:21,930
This allows a server to present multiple certificates on the same IP address and TCP port number and

68
00:06:21,930 --> 00:06:29,760
hence allows multiple secure HTTPS websites, or any other service over TLS, to be secured by

69
00:06:29,760 --> 00:06:36,810
the same IP address without requiring all those sites to use the same certificate. The desired hostname,

70
00:06:36,930 --> 00:06:39,210
as you can see here, is not encrypted.

71
00:06:39,360 --> 00:06:46,410
So an eavesdropper can see which site is being requested. SNI is used to implement censorship and

72
00:06:46,410 --> 00:06:53,940
block sites. SNI means if you're using HTTPS, eavesdroppers can see what site you are going

73
00:06:53,940 --> 00:06:54,390
to.

74
00:06:54,570 --> 00:06:58,960
But then after that, the communication is scrambled or encrypted.