Encrypting communication

Most applications nowadays offer secure communication by default. Protocols such as SSH and SSL (HTTPS) offer encryption and secure communication. Protocols such as Telnet or HTTP are not secure. If data is intercepted and the bank or e-commerce website did not use encryption, then bad things may happen. A person who retrieved banking or checkout information may be able to use it to his or her advantage without your permission.

What information should be passed secretly? A few kinds, actually: passwords, banking details and credit card numbers, for example. You may secure only certain parts of the website. Why not choose secure communication everywhere? Because encrypting and decrypting communication uses more processing resources. As a user you don’t notice that, but as a person who maintains the hardware you will see higher CPU usage.

Why not encrypt everything? It will simplify the environment and help the maintainer of the technology sleep better. Not only will that person sleep better, but the business people will sleep better at night too, because they are ultimately responsible for the implementation of the technology.

Please don’t invent your own way to encrypt data. It may have flaws. Technological solutions such as SSL and SSH have many eyes looking at them, but a security solution developed “in house” has only the few people who developed it and looked at it.
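Why a scheme that looks fine to its few in-house authors can still be flawed, as an added example that is not part of the original post: a constructed repeating-key XOR "cipher" (function names, key and messages are all hypothetical) showing two weaknesses that reviewed protocols such as TLS and SSH are designed to prevent, key stream reuse and undetected tampering.

```python
# Added teaching example: a constructed "in-house" cipher, not any real product's code.
from itertools import cycle

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def inhouse_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical homegrown scheme: XOR the data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

inhouse_decrypt = inhouse_encrypt  # XOR is its own inverse

def recover_without_key(known_plain: bytes, known_cipher: bytes,
                        other_cipher: bytes) -> bytes:
    """Flaw 1: the key stream repeats, so one known message exposes others."""
    keystream = xor(known_plain, known_cipher)
    return xor(other_cipher, keystream)

def tamper(cipher: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Flaw 2: no integrity check, so an edited ciphertext still decrypts."""
    patch = xor(old, new)
    end = offset + len(patch)
    return cipher[:offset] + xor(cipher[offset:end], patch) + cipher[end:]

# Constructed sample data (not real traffic, not a real card number).
KEY = b"constructed-sample-key"
PUBLIC = b"GET /index.html HTTP/1.1 Host: shop.example"
SECRET = b"card=0000-0000-0000-0000&amount=0010"

def demo() -> dict:
    c_public = inhouse_encrypt(KEY, PUBLIC)
    c_secret = inhouse_encrypt(KEY, SECRET)
    off = SECRET.index(b"amount=") + len(b"amount=")
    forged = tamper(c_secret, off, b"0010", b"9910")
    return {
        # Secret recovered from ciphertexts plus one guessable message, no key used.
        "recovered": recover_without_key(PUBLIC, c_public, c_secret),
        # The receiver decrypts the forged message without any error.
        "receiver_sees": inhouse_decrypt(KEY, forged),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
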


Study Guide: Secure Communication in Applications

Key Concepts:


Secure Communication: Methods of transmitting data that protect its confidentiality and integrity from unauthorized access.

Encryption: The process of converting information (plaintext) into an unreadable format (ciphertext) to prevent unauthorized access.

Decryption: The process of converting ciphertext back into its original plaintext form.

Protocols: A set of rules and procedures that govern how data is transmitted and received.

Resource Utilization: The consumption of system resources such as CPU processing power and memory.

Implementation: The process of putting a technological solution into practice.

Security Vulnerabilities: Weaknesses in a system or protocol that can be exploited to compromise its security.

Quiz:


Name two common protocols that offer secure communication by default.

Provide three examples of the type of information that should be transmitted secretly.

Why might a developer choose not to secure all parts of a website or application?

What is a potential drawback of using encryption and decryption for all communication?

According to the source, what is a benefit of encrypting all communication for those responsible for technology?

Besides the technology maintainer, who else benefits from secure communication implementation for business reasons?

What is the primary recommendation given regarding the development of data encryption methods?

Why is it generally discouraged to create your own encryption methods?

What advantage do established security solutions like SSL and SSH have over in-house developed ones?

What is the fundamental purpose of secure communication protocols?

Answer Key:


Two common protocols that offer secure communication by default are SSH (Secure Shell) and SSL (Secure Sockets Layer), often seen as HTTPS.

Examples of information that should be passed secretly include passwords, banking details, and credit card numbers.

A developer might choose not to secure all parts of a website or application because encrypting and decrypting communication uses more processing resources.

A potential drawback of encrypting all communication is higher CPU usage for the hardware maintaining the technology.

Encrypting all communication can simplify the environment and provide greater peace of mind for the maintainer of the technology.

Business people ultimately responsible for the technology also benefit from secure communication implementation because they are accountable for its security.

The primary recommendation is to avoid inventing your own way to encrypt data due to potential flaws.

Creating your own encryption methods is generally discouraged because they may have undiscovered security vulnerabilities.

Established security solutions like SSL and SSH have the advantage of being extensively reviewed and tested by many experts, reducing the likelihood of flaws.

The fundamental purpose of secure communication protocols is to ensure the confidentiality and integrity of transmitted data, protecting it from unauthorized access.

Essay Format Questions:


Discuss the trade-offs involved in deciding whether or not to implement secure communication for all aspects of an application. Consider both the benefits and the drawbacks from different perspectives (user, developer, business owner).

Explain the importance of relying on well-established and widely reviewed security protocols like SSL and SSH. What are the potential risks associated with developing and implementing custom encryption methods?

From a business perspective, analyze the benefits of investing in and prioritizing secure communication in modern applications. Consider factors such as customer trust, reputation, and regulatory compliance.

Compare and contrast the security implications of using protocols like HTTP and Telnet versus protocols like HTTPS and SSH. Provide specific examples of vulnerabilities associated with the insecure protocols.

Imagine a scenario where a company is considering building its own encryption algorithm. Develop arguments both for and against this approach, drawing upon the information provided in the source material.

Glossary of Key Terms:


SSH (Secure Shell): A cryptographic network protocol for operating network services securely over an unsecured network. Typically used for remote command-line access.

SSL (Secure Sockets Layer): A standard security technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remains private and integral. Often referred to as TLS (Transport Layer Security), its successor.

HTTPS (Hypertext Transfer Protocol Secure): A secure version of HTTP, the protocol over which data is sent between your browser and the websites that you are connected to. It uses SSL/TLS for encryption.

HTTP (Hypertext Transfer Protocol): The underlying protocol used by the World Wide Web. It is not inherently secure.

Telnet: A network protocol used to access a remote computer over a TCP/IP network. It transmits data in unencrypted plaintext, making it insecure.

Encryption: The process of encoding data so that it is unreadable without the correct key.

Decryption: The process of decoding encrypted data back into its original, readable form.

Protocol: A set of rules governing the exchange or transmission of data between devices.

CPU Usage: The percentage of a computer's processing power that is being utilized at a given time.

Security Vulnerability: A weakness or flaw in a system or application that can be exploited to compromise its security.

In-house Development: The creation of software or systems by an organization's own employees, rather than outsourcing.

Frequently Asked Questions about Secure Communication

Q1: Why is secure communication important for modern applications?


A: Secure communication protocols like SSH and SSL/HTTPS are crucial because they provide encryption, protecting sensitive information transmitted between users and applications. This is essential for safeguarding data such as passwords, banking details, and credit card numbers from unauthorized access and potential cyber threats. By default, many modern applications now implement these secure protocols to ensure user privacy and data integrity.


Q2: What are some examples of protocols that are considered insecure for transmitting sensitive data?


A: Protocols like Telnet and HTTP are inherently insecure because they transmit data in plain text. This means that if an attacker intercepts the communication, they can easily read the information being exchanged, including potentially sensitive credentials and personal details. Therefore, these protocols should be avoided when transmitting confidential data.


Q3: Is it necessary to secure every single part of an application or website?


A: While it's ideal to secure all communication, it's sometimes practical to secure only specific parts of an application or website that handle sensitive information. For example, sections involving login forms, payment processing, or personal data management should always be protected with secure protocols. However, encrypting all communication comes with a trade-off in terms of processing resources.


Q4: What are the performance implications of using secure communication protocols?


A: Implementing encryption and decryption, which are fundamental to secure communication protocols, requires additional processing resources (CPU usage) on the server. While end-users typically do not notice this overhead, those responsible for maintaining the underlying hardware will observe higher resource consumption. This is a key consideration when deciding the extent to which secure communication is implemented.


Q5: Given the resource overhead, why not just encrypt everything to simplify security?


A: Encrypting all communication, while potentially increasing server load, offers significant advantages in terms of security and operational simplicity. It reduces the complexity of managing which parts of an application need protection and provides a more consistent security posture. This can lead to greater peace of mind for both technology maintainers and business stakeholders who are ultimately responsible for data security.


Q6: What is the critical advice regarding the development and implementation of encryption methods?


A: It is strongly advised against developing proprietary or "in-house" encryption algorithms. Such custom solutions are highly likely to contain security vulnerabilities that may not be immediately apparent. Established and widely vetted technologies like SSL/TLS and SSH have been subjected to extensive scrutiny by security experts, making them far more robust and reliable.


Q7: If a custom security solution is unavoidable, what precautions should be taken?


A: In the rare instances where a custom security solution is deemed necessary, it is absolutely crucial to involve multiple experienced developers and security professionals in its design, development, and thorough review. This helps to identify potential flaws and weaknesses before deployment, minimizing the risk of security breaches.


Q8: Who ultimately benefits from and is responsible for the implementation of secure communication?


A: While individual users benefit from the privacy and security afforded by secure communication, the responsibility for its implementation ultimately falls on the business and the individuals maintaining the technology infrastructure. Business stakeholders have a vested interest in protecting their data and maintaining customer trust, while technology teams are responsible for deploying and managing the secure systems that enable this protection.

