We're going to look at how HTTPS works. But before we do that, let's look at a brief example of why HTTP is not good for web security. When you use normal HTTP, the problem is that others can see your data. So I'll show a simple example of that before we see how HTTPS works. In the setup, we have this virtual network with three nodes to get started. Node one is going to be our web browser, and it's connected to a router at node two, and node three is our web server. There's a web server running with some fake website for this demonstration, as we'll see. And at node two, which is a router connecting the two nodes, I'm going to be, say, the malicious user and intercept. Let's say there's a malicious user on node two; we're going to see, well, what can they observe when the web browser is accessing the web server? A very simple case: when we request a web page and it sends back the response, we'll see what node two sees. Note that in this simple network there's one router, but in the internet the malicious user could be anyone between node one and node three, the browser and server. Anyone along the path. So there's a web server running on node two, we won't look at that. We will look at node, sorry, running on node three. Node two will be our router and will intercept some traffic. How am I going to intercept traffic? How would our malicious user on node two intercept the traffic sent between node one and node three? What software could they use? What's the name of the software that we could use to intercept the traffic, to get a copy of the traffic? Wireshark, and on the command line, because I don't have a GUI here, I would use tcpdump. So, yes, there's different software available; Wireshark does it, but here I only have the command line, so I'll use tcpdump, and tcpdump just records all the packets coming in and out of this computer.

And I've created the command before; it's a bit complex to get a nice output, so you don't need to remember it, but the tcpdump command is going to record all the packets, and it's not going to show all of them on the screen, because I don't want to show all the irrelevant ones. It's just going to show the HTTP request and response, port 80, and other options to say ignore the SYN packets and so on. So I'm going to run tcpdump, and it's going to sit and run; we'll zoom in when we need to, and then I'm going to run the web browser on node one. What software will I use? Web browser? wget I could use, not a very nice web browser if I want to click on some links though. Anything else? And remember, a text-based web browser, you'll need it for your upcoming homework: Links is one. So again, I don't have a GUI on this node, so I can't use Firefox or another graphical browser, so I've got a very simple one called Links. And the web server is running a web application; it uses PHP, it has a database or some data, and it's a web server for showing the grades of students. The domain name is www.myuni.edu, and the grading system is under the grades directory. So Links is the web browser, I'm going to visit that, and it takes me to this page. And let's just see on our capture, what did we just capture, because I just visited a web page.

I opened up my browser and visited a particular link. There's a lot of details here, but some of the things you may recognize: it shows us the TCP packet, this is the HTTP GET request, so the first packet we see in the capture is my browser sending a GET request to the server, and the GET request says get the /grades/ file, and it provides a set of options. The options indicate the host, what language we accept and other options. So this is what we see in the capture, and the next packet here is the response: the server sends back "everything's okay", some header fields, and in the response, if we scroll down, we see the actual HTML is sent. So this is what our malicious user has seen so far: it's seen me requesting the grades URL, and so the web page coming back, the HTML asking me to log in. We'll come back to that as we visit some pages. So this grades system allows me to log in, so click log in, and it prompts me for a password, username and password. I remember one username; actually we'll start with this one. The username's just an ID number, and the password, don't look at what I type. Okay, there's one security technique: when I type, it doesn't show the letters that I type, it shows stars. How long is my password? There are seven stars there. So that's one thing with password entry; you see some systems, they won't show what you type. Now if they show a star here, one problem with this approach is that if someone sees this, they know at least my password is seven characters, so that may reveal something to them. Maybe it would be better if it didn't show anything at all, and if you create or change your password on a Linux command line you'll see that happen: you're typing something in but there's no feedback at all, and that doesn't reveal anything about the length of the password to the user, to someone who observes. So there's a security feature in how it gives the feedback. I type in the password and then I'm going to click on the login link. Let's just zoom out of our... we're still capturing, we'll look at the capture in a moment. We click on the login link. Do I want to allow cookies? Yes. It takes a bit of time, a very slow website, and then it takes me to "welcome user five with nine zeros, you can now view your grades". And if we see in our capture, the router, the malicious user, sees the welcome page. What else are they going to see up here? What did node two see? And we'll try and find it in a moment. Well, what do you expect to see in the capture? Node two is a malicious user; they've captured packets between browser and server. What are they going to see which is valuable to node two? Let's scroll up and see if we recognize anything. So this is the last packet, so we'll go up to the previous packets. Where do we get to? This was the login page, so that was the original login page. This was, so this was the request sent by my browser. Note that it's using a POST method in HTTP. In HTTP we commonly use the GET method to get a web page from the server, but sometimes we send data to the web server, using a form for example, so that often uses the POST method. You can use the GET method, but POST is generally better, with which we send data to the web server, and that data is included inside the HTTP header fields, sorry, in the data after the header fields. Can anyone recognize that valuable data? These are header fields; we keep going down to content type, content length; this is the data, this is the data of the request. It shows us the values of the fields that I typed in on that login page: I typed in my username, I typed in my password, which you didn't see, and then I hit the submit button or login button, and those values are sent to the web server. And that's how the POST is used here: they're sent to the web server, they're sent in this HTTP get request in the clear. So if you capture this packet you see the user's password, and that's the problem. Many login, well, that's a major problem with using HTTP: whenever someone logs in, they send their password to the server and it's not encrypted. Anyone between the browser and the server, if they can intercept, they can see the password and steal your logins to your different websites. So they can see the password, and of course they can see other information that may be confidential, all the web pages that come back. Returning to the grading website, this user is logged in; now they want to view their grades, they want to view the grades for maybe what course, ITS 335. They don't want anyone else to know what their grade is. All right, they're a good student, they got a B plus. Again, if we look at the capture, what was captured by node two? All of that web page. So the person who intercepts knows this confidential information, that they got a B plus, for example. So we can't use HTTP if we want to transfer confidential information across the internet for web browsing, so we use HTTPS.
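As an added example (not part of the lecture), the Python below does in code what the observer on node two does by eye: it parses a constructed copy of the plaintext login POST from the demo, pulls out the form fields a passive observer can read, and contrasts it with a constructed TLS record where only the record header is readable. The login path, field names and password are made up; the username follows the lecture's "user five with nine zeros".

```python
import re
from urllib.parse import parse_qs

# Constructed copy of what a sniffer on the router (node two) records for one
# plaintext HTTP login: path, field names and password are made up; the
# username follows the lecture's "user five with nine zeros".
CAPTURED_HTTP = (
    b"POST /grades/login.php HTTP/1.1\r\n"
    b"Host: www.myuni.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=5000000000&password=abcdefg"
)
# Constructed TLS application-data record: type 0x17, version 0x0303, length 32, then 32 opaque bytes.
CAPTURED_TLS = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
SECRET_FIELD = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)

def classify_capture(raw: bytes) -> str:
    """Tell plaintext HTTP from a TLS record by its first bytes."""
    if len(raw) >= 5 and raw[0] == 0x17 and raw[1] == 0x03:
        if len(raw) == 5 + int.from_bytes(raw[3:5], "big"):
            return "tls-application-data"  # header readable, payload opaque
    if REQUEST_LINE.match(raw):
        return "plaintext-http"  # request line, headers and body all readable
    return "unknown"

def parse_http_request(raw: bytes) -> dict:
    """Split a captured HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def exposed_credentials(raw: bytes) -> list:
    """Return (field, value) pairs a passive observer can read from a form POST."""
    if classify_capture(raw) != "plaintext-http":
        return []  # nothing to read: encrypted, or not HTTP at all
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(req["body"].decode("latin-1"))
    return [(name, vals[0]) for name, vals in form.items() if SECRET_FIELD.search(name)]
```

Running `exposed_credentials(CAPTURED_HTTP)` yields the password field in the clear, while the same call on `CAPTURED_TLS` returns nothing, which is the whole difference HTTPS makes for the observer on node two.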