HTTP is not Secure

HTTP Request Attack

• Passive Attacker
• Active Attacker

GOAL: Secure Communication

• Secure communication requires three properties
  • Privacy: No eavesdropping
  • Integrity: No tampering
  • Authentication: No impersonation

Transport Layer Security (TLS)

• Hypertext Transfer Protocol Secure (HTTPS) keeps browsing safe by securely connecting the browser with the website server
• HTTPS relies on Transport Layer Security (TLS) encryption to secure connections
• TLS is used with web traffic, email, instant messaging, voice over IP (VoIP), and many other protocols
  • When TLS is used with HTTP, we call it HTTPS

Anonymous Diffie-Hellman key exchange

• Problem: Client doesn’t know with which server it performed key exchange

How do we get authentication?

• Goal: If the client could authenticate the server it is performing key exchange with, then it could securely derive a shared key with that (and only that) server
• Solution: Use public-key cryptography for authentication