The World Wide Web puts a graphical face on the Internet. You access it via a web browser, connecting with HTTP or HTTPS. The latter offers security.
Ah, the World Wide Web. I can't tell you how many times I've gone up to a user's system who says, "the internet is down" and it's just 'cause their web browser is messed up. Then I tell them, "Oh, the internet is working just fine. In fact, your connection to the internet is working just fine. You're just having a problem with the web browser." The World Wide Web has certainly become the predominant way that most of us look at the internet.

Now, the World Wide Web is always going to manifest as some kind of web browser, and these names have become famous with names like Chrome, and Firefox, and Edge, and Safari. These web clients are on every operating system, and most operating systems have multiple choices when it comes to these types of tools.

Now, the protocol that's running underneath it is either going to be HTTP, which runs on Port 80, or HTTP Secure, HTTPS, which runs on Port 443. So if you're going to be making connections, you're going to have outbound on Port 80, if it's insecure, or if it's secure you're going to be going outbound on Port 443. And when I say secure, traditional HTTP is wide open, it's in the clear, anybody could intercept it and read anything that you're doing.

So, first, let's start with going a little bit old school and we're going to connect to an insecure website. So, I've got my Chrome web browser up here, and if you look very carefully you'll see it says HTTPS and there's a little lock, which is telling me this is a secure web connection. So what I want to do is connect to an unsecured web connection. So, first of all, this machine itself is actually running a web server. So I could type http://127.0.0.1, which is my loopback, which means connect to myself, and all of a sudden I get this pop-up. So I'm actually running a web server on this computer. So if we type netstat -n you're going to see, now I need you to look really carefully here, there's two connections.
One connection is my computer connecting to the server, do you see that? And this connection here is the server connecting to my computer.

Let's go ahead and do one more insecure connection, and I'm going to type in something called neverssl.com. This website is actually intentionally left insecure. Now you'll see what happens here. First of all, the browser says "This is not secure." I can click on information here and it's telling me that I'm running HTTP, so it's pretty clear. Now, I'm going to run netstat again, and now this time you see I've got two different 80 connections. This is my connection that I had to myself, but here's this other connection. Do you see this? This right here is my connection to neverssl.com.

HTTP with port 80 might be fine for configuring a router that you're directly connected to or something like that, but it is something we never do when you're on the real internet. What we do is we do everything with https running port 443. The trick to understanding https is that it encrypts everything. And if you are watching my episode talking about telnet and ssh, when we made that ssh connection, the first thing the server did was hand me down a key. Now that key will encrypt everything. That's fine when I'm running ssh, because I know the ssh server, I set it up myself, or at least my buddy Bob did, or whatever, and I trust them.

The problem is, when you're on the web, you're going to a lot of anonymous web pages, and when you go to www.stuffiwanttobuybutidonttrusthiswebsite.com and it passes you down a key, you want somebody else to sign off on that key and say "yes, this key is a good, safe key," and there are companies with names like Verisign, and Comodo, and Thawte, and all they do is sign off on keys creating what we call a certificate. So certificates are the keys that allow us to encrypt a connection, that are signed by a third party saying they are good. Now, certificates have tons of information in them.
They're going to have a key, they're going to have the date they were issued, they're going to have a serial number from the authorizing body, they're going to have the name of the exact website that they're going to be connecting to. There's lots of information in there. And if any of these things go wrong, you've got a problem. And as a user you need to be able to recognize these problems and make a decision about what you want to do.

Now, you got to be careful here because the methodology by which we encrypt https is known as either Secure Sockets Layer, or Transport Layer Security. It's called SSL or TLS, so a lot of times when we're talking about security on web pages, we'll use the term SSL. I know, it sounds like ssh, doesn't it? Two totally different animals, okay? So be comfortable with that.

So what we're going to do is let's take a look at some bad certificates. Luckily, we've got a really convenient website that gives examples of these, so we can look at them and know what we want to do. So we're going to go to a website called badssl.com. This is a wonderful place, and if you're an instructor you need to check this out because it gives great examples of all kinds of bad certificates.

One of the biggest problem children we have is an expired certificate. Now, how this is going to pop up depends on the web browser. In this particular one, I'm using Chrome, and this is how it's going to show up. Now, whenever you get some type of problem like this the browser is going to show you, probably in red or something, that there's a problem. But then what it's going to do is it's going to give you some kind of information that says what's wrong with the certificate. In this case, the date is invalid, which probably means it's expired. Expired certificates happen. People forget to renew their certificates, and even some of the most important websites on Earth have been known from time to time to let a certificate expire. It happens.
So when you see an expired certificate, you've got to make a call right now. Are you going to stop and go as they say "back to safety" or are you like "Wait a minute, wait a minute, I know these guys." Maybe it's an in-house webpage or something like that. Let's just go ahead and do it. So all of these browsers will give you some way to ignore the certificate problem and then go in. So on this one, it's under advanced, and there we see an option that says "Proceed" and it's unsafe. And, we're in. So that's one example.

Let's take a look at a little bit scarier example. So I'm going to come back to badssl, and another one that makes me really nervous is a revoked certificate. Once again, every web browser, now they're all different, this is how Chrome does it, but they're always going to give you some kind of information to let you know what's going on. A revoked certificate is a bad thing. This basically means either somebody has been caught doing something naughty or they refuse to pay for a certificate and it's been literally yanked from them by the issuing body. If I see something like that, I am definitely not going to proceed any further. Thank you, elders of the internet, for creating certificate hierarchies that allow us to be able to know what's safe and what's not safe.

Let me show you another one that's not nearly as scary though. This time we're going to click on a self-signed certificate. All right, a self-signed certificate is going to give you some kind of information. In this case, it says authority invalid. Let's say we've got a little in-house web page, okay, and we have a certificate on there because we want to keep it encrypted, but the only people who are connecting to this are employees or people in a particular department, so we don't want to spend the money to have a full-blown certificate.
In this particular case, I'm going to be looking at who I'm connecting to and if it's my, you know, localwebsite.totalsim.com then I'm just going to go ahead and go through and I'll accept that because I know that it's my in-house. Cool, and I'm on a self-signed website.

The most important takeaway from all this is that certificates are often taken away for some reason or another. Every web browser out there is going to pop up some kind of warning, but it's really up to you to read it, understand the situation and make your own call as to whether you proceed or run away.

(upbeat music)
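
The `netstat -n` reading walked through in the transcript, as an added example that is not part of the course: it tells the client side of a web connection from the server side by which end holds port 80 or 443, and flags cleartext HTTP that leaves the machine. The sample text is constructed in the layout Windows `netstat -n` prints, with documentation-range addresses; the function names are this example's own.

```python
import ipaddress

# Constructed sample in the Windows `netstat -n` layout (not captured output).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:80           127.0.0.1:50112        ESTABLISHED
  TCP    127.0.0.1:50112        127.0.0.1:80           ESTABLISHED
  TCP    192.168.1.20:50120     203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.20:50131     198.51.100.7:443       ESTABLISHED
  TCP    [::1]:50140            [::1]:443              TIME_WAIT
"""

WEB_PORTS = {80: "HTTP", 443: "HTTPS"}


def split_endpoint(text):
    """Split '1.2.3.4:80' or '[::1]:80' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify(line):
    """Return a dict for a TCP web connection, or None for any other line."""
    fields = line.split()
    if len(fields) < 4 or fields[0].upper() != "TCP":
        return None
    try:
        local_ip, local_port = split_endpoint(fields[1])
        remote_ip, remote_port = split_endpoint(fields[2])
    except ValueError:
        return None  # header rows, '*:*' wildcards, other layouts
    if remote_port in WEB_PORTS:      # the far end is the web server
        role, port = "client", remote_port
    elif local_port in WEB_PORTS:     # this row is a local web server's side
        role, port = "server", local_port
    else:
        return None
    return {"role": role, "protocol": WEB_PORTS[port], "remote": str(remote_ip),
            "loopback": remote_ip.is_loopback,
            # cleartext HTTP leaving the machine is the case worth flagging
            "flag": role == "client" and port == 80 and not remote_ip.is_loopback}


def web_connections(netstat_text):
    """Classify every line of netstat output and keep the web connections."""
    return [c for c in map(classify, netstat_text.splitlines()) if c]


if __name__ == "__main__":
    for conn in web_connections(SAMPLE):
        print(conn)
```

The first two rows are the loopback pair from the demonstration, one row per end of the same connection; only the row going out to a non-loopback address on port 80 is flagged.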
This Total Seminars course covers the exam certification topics. For information on additional study resources—including practice tests, lab simulations, books, and discounted exam vouchers—visit totalsem.com/linkedin. LinkedIn Learning members receive special pricing.
This course was created by Total Seminars. We are pleased to offer this training in our library.