HTTPS and CGI

IPSR Solutions Limited

Objectives
Upon completion of this unit, you should be able to:

- HTTPS
- Importance of SSL
- CGI

HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a secure version of HTTP. It allows secure e-commerce transactions such as online banking.

HTTP over Secure Sockets Layer (SSL)

SSL is a security protocol that was developed by Netscape Communications Corporation, along with RSA Data Security, Inc. The primary goal of the SSL protocol is to provide a private channel between communicating applications, which ensures privacy of data, authentication of the partners, and integrity.

SSL Overview
SSL provides an alternative to the standard TCP/IP socket API that has security implemented within it. Therefore, it is possible to run any TCP/IP application in a secure way without changing the application. In practice, SSL is only widely implemented for HTTP connections. Netscape Communications Corporation has stated an intention to employ it for other application types such as NNTP and telnet.

SSL is composed of two layers:

- At the lower layer, a protocol for transferring data using a variety of predefined cipher and authentication combinations, called the SSL Record Protocol.
- On the upper layer, a protocol for initial authentication and transfer of encryption keys, called the SSL Handshake Protocol.

SSL: Comparison of standard and SSL sessions


An SSL session is initiated as follows: On the client (browser), the user requests a document with a special URL that starts with https: instead of http:, either by typing it into the URL input field, or by clicking a link. The client code recognizes the SSL request and establishes a connection through TCP port 443 to the SSL code on the server. The client then initiates the SSL handshake phase, using the SSL Record Protocol as a carrier. At this point, there is no encryption or integrity checking built in to the connection.


SSL Security Issues


The SSL protocol addresses the following security issues:

- Privacy: After the symmetric key is established in the initial handshake, the messages are encrypted using this key.
- Integrity: Messages contain a message authentication code (MAC) ensuring the message integrity.
- Authentication: During the handshake, the client authenticates the server using an asymmetric or public key. It can also be based on certificates.

SSL requires that each message is encrypted and decrypted and therefore has a high performance and resource cost.


CGI (Common Gateway Interface)


The CGI, or Common Gateway Interface, is a set of standards that define how information is exchanged between a web server and a custom script. CGI is a standard for external gateway programs to interface with information servers such as HTTP servers.

[Figure: Web Browser, HTTP Protocol, HTTP Server, CGI Program, Database]

Apache Configuration Changes for CGI Files

- LoadModule cgi_module directive
- ScriptAlias directive
- Alternatively, use a <Directory> container:

    <Directory /var/www/cgi-bin>
        AllowOverride None
        Options ExecCGI
        AddHandler cgi-script .py .pl
        Order allow,deny
        Allow from all
    </Directory>

Sample examples

Python script (/var/www/html/hello.py)

    #!/usr/bin/python
    # CGI header, then a blank line, then the body
    print("Content-type:text/html\r\n\r\n")
    print("Hello World!")

Perl script (/var/www/html/hello.pl)

    #!/usr/bin/perl
    # CGI header, then a blank line, then the body
    print "Content-type:text/html\n\n";
    print "Hello World!";

Conclusion
Hypertext Transfer Protocol Secure (HTTPS) is a combination of Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol. It provides encrypted communication to prevent eavesdropping and to securely identify the web server with which one is actually communicating.

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

The CGI specification defines a set of rules that allow programs to interact with web servers, such as Apache. CGI programs allow web developers to provide dynamic content.

General rules for CGI scripting:

- Do not trust user input, check it
- Do not directly execute user input
- Do not assume input is in the expected format
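
The three rules above applied in one CGI handler, as an added example that is not part of the original slides. The `name` and `report` parameters, the `REPORTS` table and the size limits are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example (not from the slides): a CGI handler applying the three rules.
# The "name" and "report" parameters and the REPORTS table are assumptions.
import html
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Rule 1 allowlist: describe what a valid name looks like, reject the rest.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 _-]{0,31}")
# Rule 2: input only selects a key; the argv that runs is fixed in this table.
REPORTS = {"version": [sys.executable, "--version"]}

def respond(status, body):
    """Build a CGI response: headers, blank line, HTML-escaped body."""
    return ("Status: %s\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
            "<p>%s</p>\n" % (status, html.escape(body)))

def handle(query_string):
    # Rule 3: do not assume the format. Cap size, reject malformed input.
    if len(query_string) > 256:
        return respond("414 URI Too Long", "query too long")
    try:
        fields = parse_qs(query_string, keep_blank_values=True,
                          strict_parsing=True, max_num_fields=4) if query_string else {}
    except ValueError:
        return respond("400 Bad Request", "malformed query")
    if set(fields) - {"name", "report"} or any(len(v) != 1 for v in fields.values()):
        return respond("400 Bad Request", "unexpected or repeated field")
    name = fields.get("name", ["world"])[0]
    if not NAME_RE.fullmatch(name):  # Rule 1: fullmatch, so nothing may trail
        return respond("400 Bad Request", "invalid name")
    body = "Hello %s!" % name
    if "report" in fields:
        argv = REPORTS.get(fields["report"][0])  # Rule 2: lookup, never a shell
        if argv is None:
            return respond("400 Bad Request", "unknown report")
        out = subprocess.run(argv, capture_output=True, text=True, timeout=5)
        body += " " + (out.stdout or out.stderr).strip()
    return respond("200 OK", body)

if __name__ == "__main__":
    sys.stdout.write(handle(os.environ.get("QUERY_STRING", "")))
```

The web server passes the request's query string in the `QUERY_STRING` environment variable, so the handler can be exercised from a shell by setting that variable before running the script.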
