Difference between revisions of "HTTPS"

Latest revision as of 18:21, 29 December 2021

HyperText Transfer Protocol Secure (also known as HTTP + SSL and Secure Hypertext Transfer Protocol; commonly abbreviated https) is a Transport-layer security mechanism, most commonly implementing SSL or TSL encryption mechanisms.

Resources

• CA Security -- The London Protocol: https://casecurity.org/2018/06/27/the-london-protocol/^[1][2]
• generate_uaa_keypair.sh: https://gist.github.com/bijukunjummen/cd8db7b93b1cf347c3e87bb74d718ce2
• Code to disable SSL certificate checking for any new instances of HttpsUrlConnection: https://gist.github.com/aembleton/889392^[3][4]
• Unable to connect to SSL services due to "PKIX Path Building Failed" error: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html | SRC (SSL Poke^[5][6] test class & instructions)

Tutorials

• Configuring your server to provide HTTPS using Let's Encrypt and Nginx: https://medium.com/hackernoon/configuring-your-server-to-provide-https-using-lets-encrypt-and-nginx-e46a5ae93e41
• How to View SSL Certificate Details in Each Browser and What You Can Learn: https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details
• HTTPS Is Not Just TLS: https://lukasa.co.uk/2014/09/HTTPS_Is_Not_Just_TLS/
• The HTTP Series (Part 5) -- Security: https://dzone.com/articles/the-http-series-part-5-security
• Testing for SSL renegotiation: https://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html (SSL renegotation is a DDOS vulnerability)
• Tips for Securing SSL Renegotiation: https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/^[7]
• Apache Web Service -- Best Practice - 301 Redirect HTTP to HTTPS (Standard Domain): https://stackoverflow.com/questions/29029049/best-practice-301-redirect-http-to-https-standard-domain
• How to redirect HTTP requests to HTTPS by using IIS URL Rewrite: https://port135.com/redirect-http-requests-to-https-by-using-iis-url-rewrite/

• An HTTPS client and HTTPS server demo in Java: https://www.pixelstech.net/article/1445603357-A-HTTPS-client-and-HTTPS-server-demo-in-Java
• Android’s HTTP(S) Clients: https://android-developers.googleblog.com/2011/09/androids-http-clients.html^[8]
• Security with HTTPS and SSL: https://developer.android.com/training/articles/security-ssl.html#java
• How to use java.net.URLConnection to fire and handle HTTP requests?: https://stackoverflow.com/questions/2793150/how-to-use-java-net-urlconnection-to-fire-and-handle-http-requests/32781880#32781880
• Subsequent HTTPS POST request in Java with cookies retained: https://stackoverflow.com/questions/32591295/subsequent-https-post-request-in-java-with-cookies-retained/32592521#32592521
• Apache HttpClient 4.1 - Proxy Settings: https://stackoverflow.com/questions/4955644/apache-httpclient-4-1-proxy-settings
• Connecting Through Proxy Servers in Core Java: https://www.baeldung.com/java-connect-via-proxy-server

^{[9] [10] [11] [12] [13] [14]}

• How to get HTTPS working on your local development environment in 5 minutes: https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
• Heroku Dev center - Creating a Self-Signed SSL Certificate: https://devcenter.heroku.com/articles/ssl-certificate-self
• Self-Signed, Trusted Certificates for Node.js & Express.js: https://www.kevinleary.net/self-signed-trusted-certificates-node-js-express-js/^[15]
• Quick & Easy HTTPS For Local Development (when you need to simulate LoadBalancer/Proxy): https://blog.codeship.com/quick-easy-https-for-local-development/
• HTTPS security best practices: https://advancedweb.hu/2018/08/21/https_security/
• X.509 client certificates with Spring Security: https://blog.codecentric.de/en/2018/08/x-509-client-certificates-with-spring-security/
• A simple post-HTTP-to-HTTPS SEO checklist: https://www.hashemian.com/blog/2017/09/simple-post-http-to-https-seo-checklist.htm

• The Java Developer’s Guide to SSL Certificates: https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc
• Installing Trusted Certificates into a Java Keystore: https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore
• How to add certificate chain to keystore?: https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore
• Java HTTPS to a server with a self-signed certificate: https://www.artificialworlds.net/blog/2015/12/07/java-https-to-a-server-with-a-self-signed-certificate/
• Oracle guide to Creating, Exporting, and Importing SSL Certificates: https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG178

^{[16] [17] [18] [19] [20] [21] [22] [23] [24]}

• How to Configure SSL Certificate in Apache Web Server: https://www.itsmarttricks.com/how-to-configure-ssl-certificate-in-apache-web-server/

External Links

• wikipedia: HTTP Secure
• wikipedia: Secure Hypertext Transfer Protocol
• A Basic Understanding of Web Protocols -- HTTP and HTTPS: https://dzone.com/articles/easy-understanding-of-web-protocols-http-and-https
• Why HTTPS matters: https://web.dev/why-https-matters/
• Moving to HTTPS from HTTP -- How And Why You Need To Migrate: https://dzone.com/articles/safer-web-practices-with-https-website-https-from
• HTTPS crypto-shame -- TV Licensing website pulled offline: https://www.theregister.co.uk/2018/09/06/tv_licensing_https_fail/
• Let's Encrypt is Not a Really, Really, Really Bad Idea!: https://www.defenseagainstthedarkarts.com/lets-encrypt-is-not-a-really-really-really-bad-idea/
• Is it safe to use SSL SNI in production?: https://blog.layershift.com/sni-ssl-production-ready/
• How Firefox's HTTPS-only mode solves the first insecure request problem: https://advancedweb.hu/how-firefoxs-https-only-mode-solves-the-first-insecure-request-problem/
• DigiCert SSL Certificate Prices: How Much Does a DigiCert SSL Certificate Cost?: https://www.rapidsslonline.com/ssl/digicert-ssl-certificate-prices/
• 95% of HTTPS servers (could be) vulnerable to trivial MITM attacks: https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
• DST Root CA X3 Expiration (September 2021): https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

References

1. ↑ RESEARCH PAPER –RELATIVE INCIDENCE OF PHISHING AMONG DV, OV, AND EV ENCRYPTED WEBSITES: https://casecurity.org/wp-content/uploads/2017/09/Incidence-of-Phishing-Among-DV-OV-and-EV-Websites-9-13-2017-short-ve....pdf
2. ↑ Digicert Withdraws from the CA Security Council: https://news.ycombinator.com/item?id=17438022
3. ↑ Way to Ignore SSL certificate using HttpsURLConnection: https://stackoverflow.com/questions/33084855/way-to-ignore-ssl-certificate-using-httpsurlconnection
4. ↑ Skip SSL HostName Verification Java HttpsURLConnection: pankajmalhotra.com/Skip-SSL-HostName-Verification-Java-HttpsURLConnection
5. ↑ Use SSL Poke to test Java SSL connection: https://matthewdavis111.com/java/poke-ssl-test-java-certs/
6. ↑ Connecting to SSL services: https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html
7. ↑ TLS computational DoS mitigation: https://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation
8. ↑ Possible switch from Apache Http Client to HttpUrlConnection: https://github.com/android-async-http/android-async-http/issues/75
9. ↑ How to resolve error message java.io.IOException Unable to tunnel through proxy. Proxy returns "HTTP/1.1 400 Invalid URI" by explicitly pointing to your system's proxy (particularly useful on corporate connections often stuck behind Proxy/Firewall): https://stackoverflow.com/questions/52713258/java-io-ioexception-unable-to-tunnel-through-proxy-proxy-returns-http-1-1-400
10. ↑ How to fix java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 400 Bad Request”?: https://stackoverflow.com/questions/59520223/how-to-fix-java-io-ioexception-unable-to-tunnel-through-proxy-proxy-returns-h
11. ↑ Unable to connect to Production / Developement Server from Eclipse IDE: https://developer.salesforce.com/forums/?id=906F00000009CXGIA2
12. ↑ Unable to tunnel through proxy. Proxy returns “HTTP/1.1 407” via https: https://stackoverflow.com/questions/41505219/unable-to-tunnel-through-proxy-proxy-returns-http-1-1-407-via-https
13. ↑ IO Exception: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required": https://github.com/jeremylong/DependencyCheck/issues/718
14. ↑ Basic authentication fails for outgoing proxy in Java 8u111: https://confluence.atlassian.com/kb/basic-authentication-fails-for-outgoing-proxy-in-java-8u111-909643110.html
15. ↑ Securing your localhost for NodeJS Dev environments: https://blog.praveen.science/securing-your-localhost/
16. ↑ Accept server's self-signed ssl certificate in Java client: https://stackoverflow.com/questions/2893819/accept-servers-self-signed-ssl-certificate-in-java-client
17. ↑ Unit/Integration Testing HTTPS in Java with a self-signed certificate: https://blog.arkey.fr/2017/10/19/self-signed-certificates-in-java.en/
18. ↑ Import a certificate to the Java Keystore: https://docs.plm.automation.siemens.com/content/polarion/19.1/help/en_US/polarion_windows_installation/manually_updating_third_party_software/import_a_certificate_to_the_java_keystore.html (including how to remove using keytool -delete -alias mykey -keystore %JAVA_HOME%\lib\security\cacerts -storepass changeit)
19. ↑ Configure a Java HTTP Client to Accept Self-Signed Certificates: https://kb.novaordis.com/index.php/Configure_a_Java_HTTP_Client_to_Accept_Self-Signed_Certificates
20. ↑ To Delete a Certificate by Using keytool: https://docs.oracle.com/cd/E19798-01/821-1751/ghleq/index.html
21. ↑ Convert P7B to PFX with OpenSSL: https://www.lisenet.com/2014/convert-p7b-to-pfx-with-openssl/
22. ↑ How to tell Maven to disregard SSL errors (and trusting all certs)?: https://stackoverflow.com/questions/21252800/how-to-tell-maven-to-disregard-ssl-errors-and-trusting-all-certs
23. ↑ Error Importing SSL certificate - Not an X.509 Certificate: https://stackoverflow.com/questions/9889669/error-importing-ssl-certificate-not-an-x-509-certificate/22028156#22028156
24. ↑ When I will get HTTP 504 error using java HttpUrlConnection Class: https://stackoverflow.com/questions/21776176/when-i-will-get-http-504-error-using-java-httpurlconnection-class

See Also

HTTP | SSL | TLS | Security | SEO