URLs

Question 1

URL vs URI

Answer 1

a URI is “sequence of characters that identifies an abstract or physical resource”. URL is asubsetof URI that includes the network location of the resource.

Question 2

What is the URL scheme?

Answer 2

When looking at URL Components, we described the component that prepends the colon and two forward slashes at the start of a URL as thescheme. The scheme describes the protocol family being used. (eg HTTP)

Question 3

What are the required components of an HTTP request?

Answer 3

The HTTP method, path, & HTTP version are required and make up the request-line. TheHostheader is a required component since HTTP 1.1.The Host request header specifies the host and port number of the server to which the request is being sent.

Question 4

What are the required components of an HTTP response? What are the additional optional components?

Answer 4

status line with a status code is required. Headers and body are optional.

Question 5

What determines whether a request should useGETorPOSTas its HTTP method?

Answer 5

GETrequests should only retrieve content from the server. POSTrequests involve changing values that are stored on the server. Most HTML forms that submit their values to the server will usePOST Search forms are a noticeable exception to this rule: they often useGETsince they are not changing any data on the server, only viewing it.

Question 6

What does the path portion of a URL represent in a modern server architecture?

Answer 6

In the early days of the Web, the path portion of a URL represented a physical file location on the Web server.

However, with modern server-side and client-side frameworks the path portion of the URL is used is determined by the application logic, and doesn’t necessarily bear any relationship to an underlying file structure on the server.

Question 7

What are the URL components

Answer 7

URL components include thescheme,host(or hostname),port,path, andquery string.

Question 8

What are query strings?

Answer 8

Query stringsare used topass additional datato the server during an HTTP Request. They take the form ofname/value pairsseparated by an=sign. Multiple name/value pairs are separated by an&sign. The start of the query string is indicated by a?.

Question 9

What is URL encoding?

Answer 9

URL encodingis a technique wherebycertain charactersin a URL arereplaced with an ASCII code.
URL encoding is used if a character has no corresponding character in the ASCII set, is unsafe because it is used for encoding other characters, or is reserved for special use within the url.

Question 10

What makes up an HTTP message exchange?

Answer 10

A single HTTP message exchange consists of aRequestand aResponse. The exchange generally takes place between aClientand aServer. The client sends a Request to the server and the server sends back a Response.

Question 11

What makes up an HTTP request?

Answer 11

AnHTTP Requestconsists of arequest line(method, HTTP version, path) headers (including host), and an optionalbody.

Question 12

What makes up an HTTP response?

Answer 12

AnHTTP Responseconsists of astatus line, optionalheaders, and an optionalbody.

Question 13

What are HTTP status codes

Answer 13

Status codesare part of the status line in a Response. They indicate the status of the request. There are various categories of status code.

Question 14

What does it mean that HTTP is stateless?

Answer 14

This means that each Request/ Response cycle is independent of Request and Responses that came before or those that come after.H

Question 15

How can statefulness be simulated?

Answer 15

Statefulness can be simulatedthrough techniques which usesession IDs,cookies, andAJAX.

Question 16

How can we make HTTP more secure?

Answer 16

HTTP isinherently unsecure. Security can be increased by usingHTTPS, enforcingSame-origin policy, and using techniques to preventSession HijackingandCross-site Scripting.

Question 17

Why is HTTP not secure?

Answer 17

Hypertext Transfer Protocol (HTTP) is not secure because it sends data between web browsers and servers in plain text, which can be read by anyone with access to the network traffic

Question 18

What are the three important security services provided by TLS?

Answer 18

Encryption:a process of encoding a message so that it can only be read by those with an authorized means of decoding the message

Authentication:a process to verify the identity of a particular party in the message exchange

Integrity:a process to detect whether a message has been interfered with or faked

Question 19

Do you need to provide all the services provided by TLS when using it?

Answer 19

While not mandated, all three services are generally used together to provide the most secure connection possible.

Question 20

How does TLS set up a secure channel?

Answer 20

using a TLS handshake

Question 21

How does the TLS handshake work?

Answer 21

1. The TLS Handshake begins with aClientHello. It contains a list of cipher suits and TLS protocol versions the client can use.
2. On receiving theClientHellomessage, the server sends aServerHello, which sets the protocol version and Cipher Suite As part of this message the server also sends its certificate (which contains its public key), and aServerHelloDone.
3. Once the client has received theServerHelloDonemarker, it will initiate the key exchange process.
4. The server also sends a message withChangeCipherSpecandFinishedflags. The client and server can now begin secure communication using the symmetric key.

Question 22

What is symmetric key encryption

Answer 22

Symmetric Key Encryption: a system whereby sender and receiver share a common encryption key used to encrypt and decrypt messages.

Question 23

What is asymmetric key encryption?

Answer 23

Asymmetric Key Encryption: a system which uses apairof keys: apublickey, and aprivatekey.The keys in the pair are non-identical: the public key is used to encrypt and the private key to decrypt.

Question 24

The TLS handshake is used to:…

Answer 24

• Agree which version of TLS to be used in establishing a secure connection.
• Agree on the various algorithms that will be included in the cipher suite.
• Enable the exchange of symmetric keys that will be used for message encryption.

Question 25

What is a cipher suite?

Answer 25

TLS uses different ciphers for different aspects of establishing and maintaining a secure connection. The algorithms for performing each of these tasks, when combined, form the cipher suite.

Question 26

How is a cipher suite agreed on between client and server?

Answer 26

As part of the ClientHello message, the client sends a list of algorithms it supports for each required task, and the server chooses from these according to which algorithms it also supports.

Question 27

What process does TLS use to authenticate a server?

Answer 27

- The server sends its certificate, which includes its *public* key. - The server creates a 'signature' in the form of some data encrypted with the server's *private* key. - The signature is transmitted in a message along with the original data from which the signature was created. - On receipt of the message, the client decrypts the signature using the server's public key and compares the decrypted data to the original version. - If the two versions match then the encrypted version could only have been created by a party in possession of the private key.

Question 28

What are Certificate Authorities?

Answer 28

Certificate Authorities (CAs) issue the digital certificates that verify servers are who they say they are.

Question 29

What happens when a CA issues a certificate?

Answer 29

1. Verifies that the party requesting the certificate is who they say they are. In the case of a domain validated server certificate, for example, it can involve proving that you own the domain by uploading a specific file to a server that is accessible by the domain for which the certificate is being issued. 2. Digitally signs the certificate being issued. This is often done by encrypting some data with the CA's own private key and using this encrypted data as a 'signature'. The unencrypted version of the data is also added to the certificate. In order to verify that the certificate was issued by the CA, the signature can be decrypted using the CA's public key and checked for a match against the unencrypted version.

Question 30

Where does TLS operate?

Answer 30

When thinking about TLS it can be useful to think of it as operating between HTTP and TCP. Or between the application and transport layers.

Question 31

What is a TLS MAC?

Answer 31

TLS includes a Message Authentication Code (MAC) as part of its metadata to add a layer of security by providing a means of checking that the message hasn't been altered or tampered with in transit.

Question 32

How is the TLS MAC used to provide message integrity?

Answer 32

1. The sender will create what's called a *digest* of the data payload. This is effectively a small amount of data derived from the actual data that will be sent. The digest is created using a specific hashing algorithm combined with a pre-agreed hash value. This hashing algorithm to be used and hash value will have been agreed as part of the TLS Handshake process when the Cipher Suite is negotiated. 2. The sender will then encrypt the data payload using the symmetric key (as described earlier in the Encryption section), encapsulate it into a TLS record, and pass this record down to the Transport layer to be sent to the other party. 3. Upon receipt of the message, the receiver will decrypt the data payload using the symmetric key. The receiver will then also create a digest of the payload using the same algorithm and hash value. If the digest created by the receiver matches the digest received in the MAC field, this confirms the integrity of the message.

Question 33

How is TLS integrity implemented?

Answer 33

TLS Integrity is implemented through the use of a Message Authentication Code (MAC).

Question 34

When is the server certificate sent?

Answer 34

the server's certificate is sent during the TLS Handshake process.

Question 35

What is the TLS handshake?

Answer 35

The TLS Handshake is the process by which a client and a server exchange encryption keys.

Question 36

What encryption architecture does TLS use?

Answer 36

TLS encryption uses a combination of Symmetric Key Encryption and Asymmetric Key Encryption. Encryption of the initial key exchange is performed asymmetrically, and subsequent communications are symmetrically encrypted.

Question 37

How does TLS handshake affect performance?

Answer 37

The TLS Handshake must be performed before secure data exchange can begin; it involves several round-trips of latency and therefore has an impact on performance.

Question 38

What is a cipher suite?

Answer 38

A cipher suite is the agreed set of algorithms used by the client and server during the secure message exchange.

Question 39

What does TLS authentication mean?

Answer 39

TLS authentication is a means of verifying the identity of a participant in a message exchange.

Question 40

how is TLS authentication implemented

Answer 40

TLS Authentication is implemented through the use of Digital Certificates.

Question 41

who verifies server certificates?

Answer 41

Certificates are signed by a Certificate Authority, and work on the basis of a Chain of Trust which leads to one of a small group of highly trusted Root CAs.

Question 42

What is TLS integrity?

Answer 42

TLS Integrity provides a means of checking whether a message has been altered or interfered with in transit.

Question 43

How is TLS integrity implemented?

Answer 43

TLS Integrity is implemented through the use of a Message Authentication Code (MAC).

Question 44

What are the 4 major layers of the OSI Model?

Answer 44

1. physical 2. data link 3. network 4. transport

Question 45

What are the goals and components of the physical layer?

Answer 45

1. Goal: transporting Bits 2. Components, fiber optic, wire, wifi, etc.

Question 46

What are the goals, addressing system and components of the data link layer?

Answer 46

1. Goal: Interact with the physical layer, put bits onto it and read bits off of it. 1. ie Hop to Hop, get bits from one NIC to the next NIC. Often a message needs to take multiple hops (from one router to the next) to get to its destination. Layer 2 is responsible for these jumps. 2. Addressing system: MAC addresses 3. Components: Network interface card, wifi card, switches

Question 47

What are the goals, addressing system and components of the network layer?

Answer 47

1. Goal: end to end delivery. 2. Addressing system: IP addressing 3. Components: Routers, hosts (anything with an IP address

Question 48

What are the goals, addressing system and components of the transport layer?

Answer 48

1. Goal: service to service communication 1. Distinguishing data streams to make sure the right data goes to the right program. 2. Addressing system: TCP/UDP Ports 1. servers listen at pre-defined ports corresponding to the process they are running (ie TCP is port 80). Clients select a random port for each connection where they will listen for the response.