In this video, we will discuss why and when you should protect the data in your web app's traffic against attackers, primarily through the use of TLS.
Course: Security Literacy
New Terms
- SSL/TLS/HTTPS: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the protocols used to secure HTTP; HTTP carried over them is HTTPS.
- Certificates: SSL certificates are what web servers and clients use to prove that a site is who it says it is and to set up a secure communication channel.
Further Reading
- SSL and TLS: A Beginners’ Guide, by Holly Lynne McKinley
- Transport Layer Security (TLS), by O’Reilly publishing
- Stack Exchange: How does SSL/TLS work?
- SSL and SSL Certificates Explained, by Steve Cope
[MUSIC]
0:00
[SOUND] In this stage we're going to
talk about how to protect the data in
0:02
your web applications and various methods
to keep attackers out of your system.
0:07
As we dive into the best practices and
0:14
real-world implementations of
these security techniques,
0:17
keep in mind our discussion earlier
about having a security-focused mindset.
0:21
Everything from TLS to has been
designed to protect you and your users.
0:26
And it's up to you to implement
them in the way that works best for
0:33
your applications.
0:37
Let's discuss why you often
see websites and applications
0:38
with that green secure lock or
shield next to your web browser address.
0:43
The green lock appears when
a site implements SSL or
0:48
TLS, known as Secure Socket Layer and
Transport Layer Security.
0:53
These are two protocols for providing
data security to the HTTP protocol.
0:58
SSL is the older version,
which is no longer maintained,
1:05
with TLS replacing nearly
all implementations today.
1:09
Although it is still
often referred to as SSL,
1:13
you'll want to make sure that
you're actually implementing TLS.
1:16
SSL is no longer considered secure, and
it is not being actively maintained.
1:21
With TLS your data is protected in transit
1:27
as it travels between your browser and
the protected website.
1:31
This is extremely critical in order to
protect everything, from the credit
1:35
card transactions you process to the
simplest passwords and login credentials.
1:41
You may also see TLS referred to as HTTPS,
1:46
where the HTTP is the default
security level of a site.
1:51
Without TLS any information
you enter on a website,
1:55
including a password,
can be clearly read or
2:00
even altered by someone in the path
between you and that website.
2:04
For more information on these man-in-the-middle
attacks, see the teacher's notes.
2:10
In general, the process works as follows.
2:15
When you browse to a site,
before you actually load the page,
2:18
the server and your browser communicate
and share something called a certificate.
2:22
The browser will verify that
the server's certificate is valid.
2:28
Once it has been verified the browser and
the server set up a cryptographic
2:33
mechanism using complex
mathematics to create a secure and
2:38
tamper-resistant channel to
send data back and forth.
2:43
Now your browser and the website's
server can send any kind of data they
2:47
want back and forth and not risk
attackers seeing it or stealing it.
2:52
If you don't implement TLS for your
applications, when you process any kind
2:57
of user data, you're not only compromising
the safety and security of your
3:02
trusted users, but you may also be
breaking the law in your country.
3:07
Even worse,
you're exposing the data to criminals
3:13
who may use that data to destroy the lives
of users who put their trust in you.
3:16
Furthermore, most web search
engines will even rank you
3:22
higher if you have HTTPS on your site.
3:27
So why not implement it?
3:32
Now let's check out a few
sites that implement TLS.
3:34
If we look in the top-left of the browser,
after going to Facebook's site,
3:39
we see that they have HTTPS implemented.
3:43
Not only do we see HTTPS,
3:47
we also see something that says
Secure with a lock in Chrome.
3:49
We would see something similar in Safari
or Firefox, or any other modern browser.
3:55
Taking Facebook as an example, we can
either enter our personal information
4:01
to sign up on the homepage or
we can log in to an existing account.
4:06
Either way,
4:14
we'll be passing Facebook sensitive data
that authenticates us with their service.
4:15
As you can see from the first five seconds
of using this site, we already want
4:21
Facebook to be encrypting our data as it
goes from our browser to their back end.
4:26
Otherwise, even someone sitting in
a coffee shop on the same public network
4:32
can steal your personal information and
password.
4:37
Let's check out Etsy. We're probably
here to browse or buy something.
4:41
If we're buying something, we're going to
have to enter our personal information.
5:01
This includes a shipping address.
5:14
Maybe I'm not as concerned
about a shipping address.
5:27
Maybe I'm shipping this to work.
5:30
But once I have to put in
credit card information,
5:32
I definitely want to
know that this is safe.
5:35
Etsy also has this Secure with the lock
in the upper left-hand corner.
5:37
If it did not, and we put our card
information in here, someone doesn't even
5:43
have to be on our computer to steal our
credentials and drain our bank account.
5:48
That's very scary.
5:53
And that's exactly why we need
technologies like TLS.
5:54
To sum it up, TLS is critical
to protecting your users' data.
5:59
And if you process any data whatsoever,
even just logging information,
6:04
you need to have TLS implemented.
6:10
In the next video we will discuss some of
the means of actually implementing TLS and
6:13
show you how easy it is to actually do.
6:18
In the meantime,
if you want to learn more in-depth details
6:22
about these technologies, check out
the SANS Beginners Guide to SSL and
6:25
TLS, and O'Reilly's Guide to TLS,
6:30
which are both linked in the teacher's
notes along with other great resources.
6:33