HTTPS
To ensure the identity of the server to which the web clients connect and to guarantee the authenticity and integrity of the data between the server and the web clients, the use of the HTTPS[1] protocol is imperative.
The distinctive feature of this secure protocol is that it adds an encryption layer (SSL, or TLS in current versions) beneath HTTP.
This secures the transmission: the data cannot be read by a third party intercepting the exchange, and it arrives unchanged from one end of the exchange to the other.
In addition, HTTPS relies on security certificates that allow the user, through the web browser, to verify the identity of the server being connected to and to access the content only if the server is trustworthy.
This protocol is gradually becoming the norm for web exchanges, replacing its predecessor HTTP, which has no encryption layer. Today, web browsers display a simple warning message when HTTPS is not used; tomorrow, access to the content may well be blocked outright.
Digital certificates
A digital certificate is a way to verify the identity of an entity (e.g. a web server) and to guarantee its authenticity.
It contains information about the entity (name, address, period of validity, etc.).
It is tamper-proof (any modification invalidates it), nominative (issued to a named entity) and certified (by a cryptographic signature).
Typically, when a web client tries to access data on a web server, the browser checks the certificate presented by the web server before granting the web client access.
In doing so, it answers the question:
“Can we trust the web server?” If the answer is no, the browser displays a warning message before showing the content.
There are three levels of certificates that should be chosen according to the context of use.
Example of digital certificate
“Self-signed” certificate
This certificate is issued by the user himself and therefore commits only his own responsibility. It allows a web client to access the content but, since it is not issued by an independent authority, the browser displays a security message.
Moreover, the private keys used for encryption and authentication are more exposed to a spoofing attempt with a self-signed certificate, since they are handled locally.
This type of certificate should therefore be reserved exclusively for testing or development phases on the same machine, and not for access from private or public networks.
Certificate issued by a domain controller
On an internal network controlled by a domain server, it is possible to create a certificate issued by that domain server.
For a server and web clients on the same network administered by the domain, this certificate guarantees trust within the organization.
The advantage of such a certificate over a “self-signed” certificate is that it is recognized as secure by the browsers on the domain, which therefore display no alert message. It also ensures secure management of the encryption keys by the domain controller that issues it.
Certificate issued by a trusted third party
Where web clients are on an external network, in particular the internet, which is open to users who are not part of the internal organization, a certificate issued by a certification authority (CA) must be chosen. A CA is a trusted third party that offers the highest level of certification and control.
Domains and Name Resolutions
A station hosting a web server, like any machine on a network, can be identified in several ways. By default, it is identified by its IP address or by its machine name.
It can also be identified by a domain name managed by a DNS[2] server. The role of a DNS server is name resolution, that is, linking a machine's IP address to a name on a private or public domain. Besides being easier to type than an IP address, a name has the advantage of remaining the same even if the machine's IP address changes.
The use of the HTTPS protocol and its certificates requires the server to be identified either by its host name, on a Windows private network (with a DNS server if non-Windows terminals are to be used), or by a domain machine name assigned by a public DNS, on a public network (without VPN). In any case, using the IP address or the bare machine name causes an alert message to be displayed before the content is accessed.
It is then necessary to distinguish two cases:
– Windows internal private network:
In this case, only Windows machines can access the server by its host name.
Access from outside, especially from the internet, is only possible if a VPN is set up.
If terminals that do not run Windows (Android or iOS smartphones and tablets, for example) must access the server, a DNS server will need to be set up.
– External public network:
In this case, the web server must be on a public domain with a name assigned by a public DNS. This allows web clients to access the server from an external network, whatever their OS (Android, iOS, etc.).
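To make the browser's decision concrete, here is an added Python example (not code from this page or from PcVue) that applies the two checks described above: whether the certificate's issuer is trusted (the self-signed case in the Digital certificates section) and whether the name typed in the URL matches the certificate's Subject Alternative Names, which is why an IP address or a bare machine name produces an alert. The server names, addresses and SAN list are constructed values.

```python
"""Reproduce a browser's name check (RFC 6125 rules) against a certificate's
Subject Alternative Names. Added example; host names and SANs are constructed."""
import ipaddress


def _dns_name_match(pattern, host):
    """Match one dNSName SAN entry, allowing a single leading '*.' wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard covers exactly one leftmost label: *.example.local matches
    # hmi.example.local but neither example.local nor a.hmi.example.local.
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def name_matches_certificate(requested, sans):
    """requested: the name typed in the URL (IP literal, machine name or FQDN).
    sans: list of (type, value) pairs with type 'DNS' or 'IP Address', the
    shape of the subjectAltName tuples returned by ssl.SSLSocket.getpeercert()."""
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only accepted against an iPAddress entry, never a
        # dNSName: https://192.168.1.10/ warns if the cert names only a host.
        return any(t.startswith("IP") and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    return any(t == "DNS" and _dns_name_match(v, requested) for t, v in sans)


def browser_verdict(requested, sans, issuer_trusted):
    """Combine the issuer-trust check and the name check into the outcome the
    user sees. issuer_trusted stands for 'the issuing CA is in the trust store'."""
    if not issuer_trusted:
        return "warning: issuer not trusted"
    if not name_matches_certificate(requested, sans):
        return "warning: name mismatch"
    return "ok"


# Constructed SAN list for an internal SCADA web server certificate.
SERVER_SANS = [("DNS", "scada.example.local"), ("DNS", "*.example.local")]

if __name__ == "__main__":
    for name in ("scada.example.local", "hmi.example.local", "scada", "192.168.1.10"):
        print(name, "->", browser_verdict(name, SERVER_SANS, issuer_trusted=True))
```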
Check out our web & mobile solutions:
https://www.pcvuesolutions.com//products-a-technology/webvue-web-client
https://www.pcvuesolutions.com//products-a-technology/touchvue-assets-based-services
https://www.pcvuesolutions.com//solutions/mobility
[1] HTTPS: HyperText Transfer Protocol Secure
[2] DNS: Domain Name System
Created on: 9 Dec 2019