HTTPS - Hypertext Transfer Protocol Secure
=============================================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is HTTPS?**

    HTTPS stands for Hypertext Transfer Protocol Secure. It is the secure version of HTTP, used for safe communication over the internet. HTTPS encrypts the data exchanged between your browser and a website using SSL/TLS, protecting it from eavesdropping and tampering.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is HTTPS useful?**

    * **Encrypts data** – Protects sensitive information like passwords, credit card numbers, and personal details.
    * **Authenticates websites** – Ensures you're connecting to the real website, not a fake one.
    * **Builds trust** – Browsers show a padlock icon for HTTPS sites, signaling safety.
    * **Enables modern web features** – Required for things like geolocation, service workers, and secure cookies.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * **Browser connects to a website** – It requests a secure connection using HTTPS.
    * **TLS handshake happens** – The server presents a digital certificate, and both sides agree on encryption keys.
    * **Secure session starts** – All data exchanged is encrypted.
    * **Data is sent and received** – Just like HTTP, but now it's protected from spying or tampering.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is HTTPS used?**

    * **Banking and e-commerce** – To protect financial transactions.
    * **Login pages** – To secure usernames and passwords.
    * **Email and messaging apps** – For private communication.
    * **Any modern website** – HTTPS is now the standard for all secure web traffic.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why OSI Layer: Application Layer (Layer 7)?**

    * HTTPS builds on HTTP, which is an application-level protocol.
    * It delivers secure web services directly to users and applications.
    * The encryption (TLS) occurs below at the Presentation Layer, but HTTPS itself operates at Layer 7.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <HTTPS_step1>`
    * :ref:`Terminology <HTTPS_step2>`
    * :ref:`Version Info <HTTPS_step3>`
    * :ref:`Protocol Details <HTTPS_step32>`
    * :ref:`HTTPS Version&RFC Details <HTTPS_step5>`
    * :ref:`HTTPS Basic Setup on Ubuntu using IPv4 <HTTPS_step19>`
    * :ref:`Use case curl with HTTPS <HTTPS_step24>`
    * :ref:`Use case wget with HTTPS <HTTPS_step25>`
    * :ref:`HTTPS Basic Setup on Ubuntu using IPv6 <HTTPS_step20>`
    * :ref:`Setup custom webserver on ubuntu <HTTPS_step29>`
    * :ref:`Configure custom webserver details on ubuntu machine using certificates <HTTPS_step30>`
    * :ref:`Decrypting HTTPS traffic in wireshark using curl <HTTPS_step28>`
    * :ref:`Meaning of cert filenames <HTTPS_step31>`
    * :ref:`HTTPS Protocol Packet Details <HTTPS_step6>`
    * :ref:`HTTPS Usecases <HTTPS_step7>`
    * :ref:`HTTPS Basic Features <HTTPS_step8>`
    * :ref:`HTTPS Feature : Encryption <HTTPS_step9>`
    * :ref:`HTTPS Feature : Data Integrity <HTTPS_step10>`
    * :ref:`HTTPS Feature : Authentication <HTTPS_step11>`
    * :ref:`HTTPS Feature : SecurePort(443) <HTTPS_step12>`
    * :ref:`HTTPS Feature : Certificate Based Trust <HTTPS_step13>`
    * :ref:`HTTPS Feature : Protection Against MITM Attack <HTTPS_step14>`
    * :ref:`HTTPS Feature : SEO and Browser Preference <HTTPS_step15>`
    * :ref:`HTTPS Feature : Forward Secrecy <HTTPS_step16>`
    * :ref:`HTTPS Feature : Compatibility with HTTP <HTTPS_step17>`
    * :ref:`HTTPS Feature : Required for Modern Features <HTTPS_step21>`
    * :ref:`Reference links <HTTPS_step18>`

.. _HTTPS_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _HTTPS_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _HTTPS_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _HTTPS_step32:

.. tab-set::

    .. tab-item:: Protocol Details

        .. csv-table::
            :file: ./HTTPS/protocol.csv
            :widths: 20,20,25,25,20,10,25,25,1

.. _HTTPS_step5:

.. tab-set::

    .. tab-item:: HTTPS Version&RFC Details

        .. csv-table::
            :file: ./HTTPS/HTTPS_rfcdetails.csv
            :widths: 10,10,10,30
            :header-rows: 1

.. _HTTPS_step19:

.. tab-set::

    .. tab-item:: HTTPS Basic Setup on Ubuntu using IPv4

        * setup

.. _HTTPS_step24:

.. tab-set::

    .. tab-item:: Use case curl with HTTPS

        .. code-block:: shell

            test:~$ curl https://c-pointers.com

        * Expected output: The HTML source code of the webpage hosted at https://c-pointers.com

        * Step-1 : Wireshark captures

          * client side :download:`Download capture `

        * Step-2 : screenshots

          * client side

            .. image:: HTTPS/wireshark_screenshots/curl_https_client.png
                :width: 2000

.. _HTTPS_step25:

.. tab-set::

    .. tab-item:: Use case wget with HTTPS

        .. code-block:: shell

            test:~$ wget https://c-pointers.com

        * Expected output: The HTML content of the webpage at https://c-pointers.com

        * Step-1 : Wireshark captures

          * client side :download:`Download capture `

        * Step-2 : screenshots

          * client side

            .. image:: HTTPS/wireshark_screenshots/wget_https_client.png
                :width: 2000

.. _HTTPS_step29:

.. tab-set::

    .. tab-item:: Setup custom webserver on ubuntu

        * Step-1: Install Apache Web Server

          .. code-block:: shell

              test:~$ sudo apt update
              test:~$ sudo apt install apache2 -y

        * Step-2: Adjust the Firewall

          1. Check the available Apache UFW profiles:

             .. code-block:: shell

                 test:~$ sudo ufw app list
                 Available applications:
                   Apache
                   Apache Full
                   Apache Secure

          2. To allow both HTTP and HTTPS, Apache Full is a good choice.

             .. code-block:: shell

                 test:~$ sudo ufw allow 'Apache Full'

        * Step-3: Verify the Apache service

          .. code-block:: shell

              test:~$ sudo systemctl start apache2
              test:~$ sudo systemctl enable apache2
              test:~$ sudo systemctl status apache2

        * Step-4: Test your webserver

          * Open your web browser and navigate to your server's IP address, for example http://10.91.239.125
          * You can also check from the terminal:

            .. code-block:: shell

                test:~$ curl -v http://10.91.239.125

          * You should see the default Apache Ubuntu page. This confirms that Apache is installed and running correctly.

          .. note::

              * 10.91.239.125 is the IP address of your Ubuntu server.

        * Step-5: Let's create your own domain

          1. Create a directory for your domain:

             .. code-block:: shell

                 test:~$ sudo mkdir -p /var/www/myuniqueproxy.com/html

             .. note::

                 * myuniqueproxy.com is my own domain. Replace it with your actual domain.

          2. Create a sample index.html file:

             .. code-block:: shell

                 test:~$ sudo nano /var/www/myuniqueproxy.com/html/index.html

             .. code-block:: html

                 <html>
                 <head><title>Welcome to myuniqueproxy.com domain</title></head>
                 <body>
                 <h1>Hello from my own web server!</h1>
                 <p>This page is hosted on Apache running on Ubuntu.</p>
                 </body>
                 </html>

             * Save the file (Ctrl+O, Enter, Ctrl+X).

             .. note::

                 * If you want to add more content, add it to the index.html file.

        * Step-6: Set proper permissions

          .. code-block:: shell

              test:~$ sudo chown -R www-data:www-data /var/www/myuniqueproxy.com/html
              test:~$ sudo chmod -R 755 /var/www/myuniqueproxy.com

        * Step-7: Enable the SSL module and the default SSL site

          .. code-block:: shell

              test:~$ sudo a2enmod ssl
              test:~$ sudo a2ensite default-ssl
              test:~$ sudo systemctl reload apache2

        * Step-8: Generate a self-signed SSL certificate

          1. Create a directory to store your certificate:

             .. code-block:: shell

                 test:~$ sudo mkdir -p /etc/apache2/ssl

          2. Now generate the certificate and private key:

             .. code-block:: shell

                 test:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache-selfsigned.key -out /etc/apache2/ssl/apache-selfsigned.crt

             .. note::

                 * You will be prompted to enter values such as country, state, etc. In the Common Name field, enter your server IP address. These values will appear in your certificate.

        * Step-9: Configure Apache to use your certificate

          * Edit the default SSL site:

            .. code-block:: shell

                test:~$ sudo nano /etc/apache2/sites-available/default-ssl.conf

            .. code-block:: apache

                <IfModule mod_ssl.c>
                <VirtualHost _default_:443>
                    ServerAdmin webmaster@localhost
                    DocumentRoot /var/www/myuniqueproxy.com/html

                    # ServerName is optional for IP-based access
                    # ServerName your-domain.com

                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined

                    # SSL Configuration
                    SSLEngine on
                    SSLProtocol -all +TLSV1.2
                    SSLCipherSuite RSA+AESGCM
                    SSLCertificateFile /etc/apache2/ssl/apache-selfsigned.crt
                    SSLCertificateKeyFile /etc/apache2/ssl/apache-selfsigned.key

                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                    </Directory>

                    # Optional security headers
                    # (the Header directive needs mod_headers: sudo a2enmod headers)
                    Header always set X-Frame-Options DENY
                    Header always set X-Content-Type-Options nosniff
                    Header always set X-XSS-Protection "1; mode=block"

                    # Optional SSL settings (hardened)
                    # If left active, these later SSLProtocol/SSLCipherSuite lines
                    # override the TLS 1.2-only pair above.
                    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
                    SSLCipherSuite HIGH:!aNULL:!MD5
                    SSLHonorCipherOrder on
                </VirtualHost>
                </IfModule>

          * Save and exit (Ctrl+O, Enter, then Ctrl+X).

          .. note::

              * The two lines ``SSLProtocol -all +TLSV1.2`` and ``SSLCipherSuite RSA+AESGCM`` restrict the server to the TLSv1.2 protocol.
              * If you comment out these two lines, the server supports the TLSv1.3 protocol.

        * Step-10: Restart Apache

          .. code-block:: shell

              test:~$ sudo systemctl restart apache2

        * Step-11: Test your server

          * Open a browser and go to:

            * https://10.91.239.125

          .. note::

              * You'll see a warning that the certificate is not trusted; this is expected with a self-signed certificate. You can proceed anyway.
              * After proceeding, you will see your index.html page.
              * 10.91.239.125 is the server IP address.

.. _HTTPS_step30:

.. tab-set::

    .. tab-item:: Configure custom webserver details on ubuntu machine using certificates

        * Step-1 : Obtain the custom webserver's certificate

          .. code-block:: shell

              test:~$ echo | openssl s_client -showcerts -connect 10.91.239.125:443

          * This will show you the certificate chain the custom webserver is presenting. Copy the certificate from the output (the block starting with ``-----BEGIN CERTIFICATE-----`` and ending with ``-----END CERTIFICATE-----``).
          * Save it to a file, e.g., ownwebserver.crt

        * Step-2 : Add the custom webserver certificate to the trusted CA store

          1. Copy the custom webserver certificate to /usr/local/share/ca-certificates/

             .. code-block:: shell

                 test:~$ sudo cp ownwebserver.crt /usr/local/share/ca-certificates/

          2. Update the certificate store

             .. code-block:: shell

                 test:~$ sudo update-ca-certificates

          * This will add the custom webserver's self-signed certificate to the list of trusted certificates.

.. _HTTPS_step28:

.. tab-set::

    .. tab-item:: Decrypting HTTPS traffic in wireshark using curl

        .. note::

            * 10.91.239.125 is the IP address of the custom webserver.

        1. Set the SSLKEYLOGFILE environment variable

           * Set this environment variable to capture the session keys.

           .. code-block:: shell

               test:~$ export SSLKEYLOGFILE=~/noproxy_sslkeys.log

           .. note::

               * This tells supported TLS libraries to log pre-master secrets into that file.
               * This only works if the TLS library used by curl supports it (like OpenSSL with debug support or NSS).

        2. Run the curl command

           .. code-block:: shell

               test:~$ curl -v https://10.91.239.125

        3. Start a Wireshark capture

           - Open Wireshark.
           - Select the network interface that your traffic goes through (e.g., eth0, wlan0).
           - Apply a capture filter if you want, or just start the capture.
           - Run your curl command while capturing is active.

           .. code-block:: shell

               test:~$ curl -v https://10.91.239.125

        4. Configure Wireshark to use the SSL key log

           - Go to Edit > Preferences > Protocols > TLS.
           - Find the field for:

             - (Pre)-Master-Secret log filename

           - Set it to the path of your sslkeys.log file, e.g., /home/user/noproxy_sslkeys.log
           - Click OK.
           - Then, Wireshark will use the session keys to decrypt HTTPS traffic.

        5. View decrypted traffic

           - You should now see decrypted HTTP requests and responses in plain text!

        :download:`Download capture `

        :download:`Download sslkeylogfile `

.. _HTTPS_step31:

.. tab-set::

    .. tab-item:: Meaning of cert filenames

        .. csv-table::
            :file: ./HTTPS/meaning_of_filenames.csv
            :widths: 20,40,60

.. _HTTPS_step20:

.. tab-set::

    .. tab-item:: HTTPS Basic Setup on Ubuntu using IPv6

        * setup

.. _HTTPS_step6:

.. tab-set::

    .. tab-item:: HTTPS Protocol Packet Details

        **HTTPS Request Packet**

        .. csv-table::
            :file: ./HTTPS/HTTPS_packetdetails1.csv
            :widths: 10,20,30,10
            :header-rows: 1

        **HTTPS Response Packet**

        .. csv-table::
            :file: ./HTTPS/HTTPS_packetdetails2.csv
            :widths: 10,20,30,10
            :header-rows: 1

.. _HTTPS_step7:

.. tab-set::

    .. tab-item:: HTTPS Usecases

        .. csv-table::
            :file: ./HTTPS/HTTPS_usecases.csv
            :widths: 10,20,30
            :header-rows: 1

.. _HTTPS_step8:

.. tab-set::

    .. tab-item:: HTTPS Basic Features

        .. csv-table::
            :file: ./HTTPS/HTTPS_basicfeatures.csv
            :widths: 10,10,30
            :header-rows: 1

.. _HTTPS_step9:

.. tab-set::

    .. tab-item:: HTTPS Feature : Encryption

        **Encryption - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature1_Encryption.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step10:

.. tab-set::

    .. tab-item:: HTTPS Feature : Data Integrity

        **Data Integrity - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature2_Data_Integrity.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step11:

.. tab-set::

    .. tab-item:: HTTPS Feature : Authentication

        **Authentication - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature3_Authentication.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step12:

.. tab-set::

    .. tab-item:: HTTPS Feature : SecurePort(443)

        **SecurePort(443) - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature4_SecurePort_443.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step13:

.. tab-set::

    .. tab-item:: HTTPS Feature : Certificate Based Trust

        **Certificate Based Trust - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature5_Certificate_Based_Trust.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step14:

.. tab-set::

    .. tab-item:: HTTPS Feature : Protection Against MITM Attack

        **Protection Against MITM Attack - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature6_Protection_Against_MITM_Attack.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step15:

.. tab-set::

    .. tab-item:: HTTPS Feature : SEO and Browser Preference

        **SEO and Browser Preference - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature7_SEO_and_Browser_Preference.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step16:

.. tab-set::

    .. tab-item:: HTTPS Feature : Forward Secrecy

        **Forward Secrecy - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature8_Forward_Secrecy.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step17:

.. tab-set::

    .. tab-item:: HTTPS Feature : Compatibility with HTTP

        **Compatibility with HTTP - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature9_Compatiblity_with_HTTP.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step21:

.. tab-set::

    .. tab-item:: HTTPS Feature : Required for Modern Features

        **Required for Modern Features - Testcases**

        .. csv-table::
            :file: ./HTTPS/HTTPS_feature10_Required_for_Modern_Features.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _HTTPS_step18:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
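
One way to review the Step-9 Apache configuration from the custom webserver setup before restarting the service, as an added example that is not part of the original page. The function names ``ssl_conf_findings`` and ``sample_conf`` are hypothetical, and the sample file is constructed from the directives shown in Step-9.

```shell
#!/bin/sh
# Added example: flag the points in the Step-9 vhost that change what TLS
# the server actually offers. Not taken from the original page.

# Print one finding per line for the Apache config file given as $1.
ssl_conf_findings() {
    awk '
        { sub(/^[ \t]+/, "") }                  # ignore indentation
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        { d = tolower($1) }                     # directive names are case-insensitive
        d == "sslengine"      { engine = tolower($2) }
        d == "sslprotocol"    { np++; proto = $0 }
        d == "sslciphersuite" { nc++; cipher = $0; spec = $NF }
        d == "header"         { hdr = 1 }
        END {
            if (engine != "on") print "NO_TLS: SSLEngine is not on"
            # A later directive in the same vhost replaces the earlier one.
            if (np > 1) print "REPEATED: SSLProtocol x" np ", last is: " proto
            if (nc > 1) print "REPEATED: SSLCipherSuite x" nc ", last is: " cipher
            # In OpenSSL cipher strings RSA is an alias for kRSA (static RSA
            # key exchange), which gives no forward secrecy.
            if (spec ~ /^RSA/) print "NO_FS: " spec " is static RSA key exchange"
            if (hdr) print "MODULE: Header needs mod_headers (sudo a2enmod headers)"
        }' "$1"
}

# Constructed sample built from the Step-9 directives (container tags omitted).
# With the argument "tls12" the optional hardened block is left out.
sample_conf() {
    cat <<'EOF'
    SSLEngine on
    SSLProtocol -all +TLSV1.2
    SSLCipherSuite RSA+AESGCM
    Header always set X-Frame-Options DENY
EOF
    [ "$1" = "tls12" ] || cat <<'EOF'
    # Optional SSL settings (hardened)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
EOF
}

conf=$(mktemp)
sample_conf full > "$conf"
ssl_conf_findings "$conf"
rm -f "$conf"
```

On a real server, pass ``/etc/apache2/sites-available/default-ssl.conf`` to the function and follow up with ``sudo apache2ctl configtest`` before the restart in Step-10.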
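
For the Wireshark decryption steps, a check of the SSLKEYLOGFILE before loading it under Edit > Preferences > Protocols > TLS, as an added example that is not part of the original page. It shows whether the captured sessions were TLS 1.2 or TLS 1.3 and whether the file, which holds session secrets, is readable by other users; the function names are hypothetical and the sample lines are constructed, not real secrets.

```shell
#!/bin/sh
# Added example: sanity-check an SSLKEYLOGFILE before pointing Wireshark at it.
# Each line is: <LABEL> <client_random hex> <secret hex>

# Print "tls12=<n> tls13=<n> malformed=<n>", counting distinct client randoms.
keylog_summary() {
    awk '
        BEGIN { t13 = " CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET"
                t13 = t13 " CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0 EXPORTER_SECRET " }
        /^#/ || NF == 0 { next }
        NF != 3 || length($2) != 64 || $2 !~ /^[0-9a-fA-F]+$/ ||
            $3 !~ /^[0-9a-fA-F]+$/ { bad++; next }
        # TLS 1.2: one CLIENT_RANDOM line with a 48-byte secret per session
        $1 == "CLIENT_RANDOM" && length($3) == 96 {
            if (!($2 in s12)) { s12[$2] = 1; n12++ }; next }
        # TLS 1.3: several traffic-secret lines share one client random
        index(t13, " " $1 " ") { if (!($2 in s13)) { s13[$2] = 1; n13++ }; next }
        { bad++ }
        END { printf "tls12=%d tls13=%d malformed=%d\n", n12, n13, bad }
    ' "$1"
}

# Succeed only if group and others have no permission bits on the file.
keylog_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: zero-filled values, not real secrets.
make_sample_keylog() {
    r1=$(printf '%064d' 1); r2=$(printf '%064d' 2)
    s48=$(printf '%096d' 0); s32=$(printf '%064d' 0)
    printf '%s\n' \
        "# constructed sample" \
        "CLIENT_RANDOM $r1 $s48" \
        "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r2 $s32" \
        "SERVER_HANDSHAKE_TRAFFIC_SECRET $r2 $s32" \
        "CLIENT_TRAFFIC_SECRET_0 $r2 $s32" \
        "SERVER_TRAFFIC_SECRET_0 $r2 $s32" \
        "CLIENT_RANDOM deadbeef $s48"
}

log=$(mktemp)
make_sample_keylog > "$log"
keylog_summary "$log"
keylog_is_private "$log" && echo "mode ok" || echo "readable by group/other: chmod 600"
rm -f "$log"
```

Once the capture is decrypted, run ``unset SSLKEYLOGFILE`` in that shell so later connections stop writing their secrets to disk.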