Thursday, July 4, 2013

How SSL, HTTPS and Certificates work in Java web applications

Basic knowledge of SSL, HTTPS and certificates is a must for any Java programmer, especially those working on financial or security-sensitive applications that are accessed over the internet. In this article, I give an overview of these three key concepts and of how SSL, HTTPS and certificates work together to provide secure communication between client and server. Security is a major concern when developing a web application that is accessible over the HTTP protocol. Since HTTP transfers data in plain text, it is not safe for transferring sensitive information like usernames, passwords, social security numbers (SSN) or credit card details for online shopping. HTTP also doesn't guarantee that the website you are communicating with is the one it claims to be: if URL redirection is enabled, you may be routed to a malicious website instead of the genuine one, and HTTP can neither prevent this nor alert you.

How SSL and HTTPS works

HTTPS and SSL address these two issues. HTTPS is HTTP over SSL, and SSL stands for Secure Sockets Layer, which provides both encryption and verification of websites. That's why almost all banks and commercial portals, such as travel or airline booking, movie booking or online shopping sites, use the HTTPS protocol. When data is transmitted using HTTPS, it is encrypted before transmission at both the client and the server end, so anyone who intercepts HTTPS traffic can see the data, but not in a meaningful format. Since each request is encrypted and decrypted at both ends, this does increase response time on the server, but it protects against eavesdropping. SSL also facilitates verification of the website by using certificates issued by a third-party issuer like VeriSign, GoDaddy, Thawte etc. You may have noticed in your browser's address bar, when you access a site using HTTPS, something like "verified by VeriSign" or "verified by Thawte". You can also read SSL and TLS: Designing and Building Secure Systems by Eric Rescorla to understand how SSL works and how to build secure systems using SSL.

How SSL uses Certificates for Identification

How does this certification work? When a client (browser) connects to a server using HTTPS, the server returns a certificate issued by a trusted third-party issuer. If the client is a Java application, it can access the certificates stored in its keystore and truststore; a browser likewise has those certificates in its trusted certificate store and validates any certificate presented by the server against them. If the browser or Java client doesn't find those certificates, it can alert you, saying the certificate is not recognized and recommending that you not visit the site. You can also manually trust a website and ask the browser to include the certificate presented by the server in its trusted certificate store. This is the usual case in development, when Tomcat returns either a self-signed or a test certificate. For Java programmers, the JDK comes with a keytool command, which can be used to create self-signed certificates and store them in a keystore and truststore for use.
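To make the keystore/truststore flow from the two sections above concrete, here is an added example (my own illustration, not code from the original article) of a Java HTTPS client that trusts only what is in an explicit truststore and reports the "certificate not recognized" case instead of silently accepting it. The keytool commands in the comments show how a development server certificate is created and imported; the file names, alias, password and the localhost:8443 URL are assumed placeholders for a local Tomcat-style setup.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/*
 * Development setup with keytool (assumed file names, alias and password):
 *
 *   # 1. server side: self-signed key pair in the server's keystore
 *   keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
 *           -ext SAN=dns:localhost -keystore server-keystore.jks
 *
 *   # 2. export the public certificate (no private key leaves the keystore)
 *   keytool -exportcert -alias tomcat -keystore server-keystore.jks -rfc -file server.crt
 *
 *   # 3. client side: import that certificate into the client's truststore
 *   keytool -importcert -alias tomcat-dev -file server.crt -keystore client-truststore.jks
 *
 * Step 3 is the programmatic equivalent of "manually trusting" a site in the browser.
 */
public class TrustStoreHttpsClient {

    // Assumed placeholder values for the example, not from the article.
    static final String TRUSTSTORE_PATH = "client-truststore.jks";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext that trusts only the certificates in the given JKS truststore. */
    static SSLContext sslContextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: the server authenticates to us, we present no client certificate
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Connects over HTTPS; prints the validated server chain or why the handshake was refused. */
    static void connect(String urlString, SSLContext ctx) throws Exception {
        URL url = new URL(urlString);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is deliberately left in place, so the certificate
        // must also match the host in the URL, not merely chain to a trusted issuer.
        try {
            conn.connect();
            System.out.println("Handshake OK, cipher suite: " + conn.getCipherSuite());
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer : " + x.getIssuerX500Principal());
                    System.out.println("  expires: " + x.getNotAfter());
                }
            }
        } catch (SSLHandshakeException e) {
            // The "certificate not recognized" case from the article: the presented chain
            // does not lead to anything in our truststore, so the client refuses to proceed.
            System.out.println("Server certificate not trusted, aborting: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "https://localhost:8443/";
        connect(target, sslContextFromTrustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD));
    }
}
```

Running it against a server whose certificate was imported in step 3 prints the subject, issuer and expiry of the chain; pointing it at a server with an unknown certificate ends in the `SSLHandshakeException` branch. The same truststore can instead be supplied JVM-wide with `-Djavax.net.ssl.trustStore=client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`, which is how a Tomcat or standalone Java client is usually configured without code changes.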

That's all on this rather quick overview of SSL, HTTPS and certificates and how they work together. The purpose of this article was to give at least basic knowledge of how client-server communication occurs in a secure fashion. If you are developing secure applications in the Java programming language, it's good to have some knowledge of the underlying fundamental concepts of SSL, HTTPS and certificates.


thiru_k said...

useful article

Prem Tiwari said...

Good basic explanation of SSL. Thanks Javin
