What is HSTS?

HSTS – HTTP Strict Transport Security is a security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks (forcing a connection back to plain HTTP) and cookie hijacking.

Key Features of HSTS:

  1. Strict-Transport-Security Header: The server includes the Strict-Transport-Security header in its response to HTTPS requests. This header contains directives that control the behavior of HSTS.
  2. Directives:
    • max-age: Specifies the duration (in seconds) for which the browser should remember that the site is only accessible via HTTPS.
    • includeSubDomains: Optional; if present, this directive applies the HSTS policy to all subdomains of the current domain.
    • preload: Optional; indicates that the site can be included in browsers’ preloaded HSTS lists. This requires submitting the site to the HSTS preload list maintained by browser vendors.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
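How a browser acts on that header, as an added Python example (mine, not code from the post): it parses the directives, remembers the host until max-age expires, extends the policy to child domains only when includeSubDomains is present, and rewrites http:// URLs to https:// before any request leaves. Host names and timestamps are constructed, and `now` is passed in as epoch seconds so expiry can be checked.

```python
from urllib.parse import urlsplit, urlunsplit

# Toy HSTS cache (constructed example, not the post's code): policies maps host -> (expiry, includeSubDomains).

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None          # malformed directive: the whole header is ignored
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub

def record(policies, host, header, over_tls, now):
    """Remember the policy a response carried; ignored on plain HTTP or if malformed."""
    if not over_tls:                 # browsers only trust the header on HTTPS responses
        return False
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    if max_age == 0:                 # max-age=0 tells the browser to forget this host
        policies.pop(host.lower(), None)
    else:
        policies[host.lower()] = (now + max_age, include_sub)
    return True

def is_hsts_host(policies, host, now):
    """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = policies.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade(policies, url, now):
    """Rewrite http:// to https:// before the request leaves, as an HSTS-aware browser does."""
    p = urlsplit(url)
    if p.scheme == "http" and is_hsts_host(policies, p.hostname, now):
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url
```

Note that the header is only learned over HTTPS, so the very first plain-HTTP visit is still unprotected; that gap is what the preload list closes.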

How does the web work?

  1. User Request:
    • Action: A user enters a URL in their web browser or clicks on a link.
    • Example: Typing “www.example.com” into a browser.
  2. DNS Lookup:
    • Action: The browser contacts a DNS (Domain Name System) server to translate the human-readable domain name in the URL into an IP address.
    • Example: “www.example.com” might translate to “93.184.216.34”.
  3. HTTP Request:
    • Action: The browser sends an HTTP request to the server at the IP address.
    • Components: This request includes the method (GET, POST), headers (user agent, cookies), and sometimes a body (data).
  4. Server Response:
    • Action: The server processes the request and sends back an HTTP response.
    • Components: The response includes a status code (200 OK, 404 Not Found), headers, and a body (HTML, CSS, JavaScript).
  5. Rendering:
    • Action: The browser takes the response and renders the webpage.
    • Process: It interprets HTML to structure the page, CSS for styling, and JavaScript for interactivity.
  6. User Interaction:
    • Action: Users interact with the webpage, potentially sending more requests (e.g., clicking links, submitting forms).
    • Example: Clicking a “Read More” link sends another request to the server.

Diagram: How the Web Works

+------------------+        +------------------+        +------------------+
|   User's Device  |        |   DNS Server     |        |    Web Server    |
|  (Web Browser)   |        |                  |        |                  |
+--------+---------+        +--------+---------+        +--------+---------+
         |                          |                           |
         | 1. Enter URL             |                           |
         +------------------------->|                           |
         |                          |                           |
         |                          | 2. DNS Lookup             |
         |                          +-------------------------> |
         |                          |                           |
         |                          |                           |
         |                          | 3. IP Address             |
         |                          |<-------------------------+|
         |                          |                           |
         |                          |                           |
         | 4. HTTP Request          |                           |
         +----------------------------------------------------->|
         |                          |                           |
         |                          |                           |
         |                          | 5. HTTP Response          |
         |<-----------------------------------------------------+
         |                          |                           |
         |                          |                           |
         | 6. Render Webpage        |                           |
         |    (in the browser)      |                           |
         |                          |                           |
         | 7. User Interaction      |                           |
         +----------------------------------------------------->|
         |                          |                           |

Key Components:

  • User’s Device (Web Browser): The starting point where the user initiates a web request.
  • DNS Server: Translates domain names into IP addresses.
  • Web Server: Hosts the website and responds to HTTP requests.

Browser and Rendering Engines

Although there are well over a dozen web browsers, only a handful of rendering engines are in active use today. The most notable ones are:

  • Blink – used by Google Chrome, Microsoft Edge, Opera, and Electron-based desktop apps such as Slack, VS Code, etc. It was forked from WebKit.
  • Gecko (-moz-) – used by Mozilla Firefox
  • WebKit (-webkit-) – used by Apple Safari

Steps of browser rendering:

  • Parsing HTML – The HTML code is parsed and the Document Object Model (DOM) is constructed, which represents the structure of the content.
  • Parsing CSS – The CSS is loaded and parsed to create the CSS Object Model (CSSOM), which defines the styling of the page.
  • Render Tree – By combining the DOM and CSSOM, the render tree is created, describing how elements should be displayed and their position together with their styles.
  • Layout Flow – The browser calculates the layout of the page and determines the size and position of each element based on the render tree.
  • Painting – The final and most crucial step of the browser engine is converting the visual representation of the render tree into actual pixels on the screen. This involves traversing the render tree and applying the calculated values pixel by pixel onto the screen.

Web Servers: NGINX & Apache

Nginx

Overview:
  • Nginx (pronounced “engine-x”) is a high-performance web server and reverse proxy server known for its stability, rich feature set, simple configuration, and low resource consumption.
Key Features:
  • High Performance: Efficient handling of concurrent connections, making it ideal for high-traffic websites.
  • Reverse Proxy: Balances load among multiple servers, provides caching, and handles SSL/TLS termination.
  • Event-Driven Architecture: Uses an asynchronous, non-blocking model which allows handling many requests simultaneously with minimal resources.
  • Static Content: Efficiently serves static content such as images, CSS, and JavaScript files.
  • Configuration: Simple and flexible configuration files, typically located in /etc/nginx/.

Apache

Overview:
  • Apache HTTP Server is one of the oldest and most widely used web servers. Known for its robustness, flexibility, and extensive documentation, it remains a popular choice for many web hosting needs.
Key Features:
  • Module-Based Architecture: Highly customizable through dynamic modules that extend its core functionality, such as mod_rewrite for URL manipulation and mod_ssl for SSL/TLS support.
  • Multi-Processing Modules (MPMs): Allows selection of different connection handling strategies (e.g., prefork, worker, event) to optimize performance based on use case.
  • .htaccess Files: Allows per-directory configuration, enabling users to make configuration changes without modifying the main server configuration file.
  • Platform Independence: Runs on various operating systems, including Unix-based systems, Windows, and macOS.
  • Configuration: Extensive configuration options typically located in /etc/httpd/ or /etc/apache2/.

Comparison: Apache vs Nginx

  • Performance: Nginx generally offers better performance, especially for high-traffic sites and static content.
  • Configuration: Nginx configuration is simpler and more readable, whereas Apache offers more granular control through .htaccess files and dynamic modules.
  • Resource Usage: Nginx uses fewer resources and handles concurrent connections more efficiently, making it better suited for high-load environments.
  • Flexibility: Apache is highly flexible and extensible, making it a good choice for complex configurations and legacy applications.

Emails: What’s SMTP, POP, IMAP???

What is the difference between IMAP and SMTP?

IMAP is for the retrieval of emails and SMTP is for the sending of emails. That means IMAP talks to both the client and server to get emails, and SMTP talks only to servers to send emails.

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol and it’s the industry standard protocol for email sending. With SMTP you are sending, relaying, or forwarding messages from a mail client (like Microsoft Outlook) to a receiving email server. A sender will use an SMTP server to carry out the process of transmitting an email message.

What is IMAP?

Simply put, IMAP (Internet Message Access Protocol) is an email protocol that deals with managing and retrieving email messages from the receiving server.

Since IMAP deals with message retrieval, you will not be able to use the IMAP protocol to send email. Instead, IMAP will be used for receiving messages.

What is POP3?

In addition to IMAP, there’s also another protocol for receiving email — it’s called POP3. POP stands for Post Office Protocol.

And the number three stands for “version 3,” which is the latest version and the most widely used — hence the term “POP3.”

POP3 vs IMAP

POP3 downloads the email from a server to a single computer, then deletes the email from the server.

On the other hand, IMAP stores the message on a server and synchronizes the message across multiple devices.

To Summarize:

  • SMTP is the industry standard protocol for sending email. If you’re looking to send email, then you’ll use SMTP instead of IMAP. An SMTP relay service can help you send email without having to build your own SMTP server.
  • IMAP is one of the most common protocols for receiving email. IMAP syncs messages across all devices.
  • POP3 is another protocol for receiving email on a single device. Using POP3 means that your email will be accessible offline and deleted from the server.

openssl_digest vs hash vs hash_hmac?

  Feature           | openssl_digest                        | hash                             | hash_hmac
  ------------------+---------------------------------------+----------------------------------+------------------------------------------
  Library           | OpenSSL                               | PHP Hash Extension               | PHP Hash Extension
  Usage             | Cryptographic purposes with OpenSSL   | General-purpose hashing          | Keyed hashing for message integrity
  Keyed Hashing     | No                                    | No                               | Yes
  Algorithm Support | Many algorithms supported by OpenSSL  | Wide range of algorithms         | Wide range of algorithms
  Flexibility       | Less flexible, tied to OpenSSL        | More flexible and comprehensive  | Specifically for HMAC (keyed) hashing
  Typical Use Case  | When using OpenSSL for cryptography   | General data hashing             | Ensuring data integrity and authenticity

Conclusion

  • openssl_digest: Use when you are already working with OpenSSL and need a cryptographic digest.
  • hash: Use for general-purpose hashing, offering a broad range of algorithms and flexibility.
  • hash_hmac: Use for situations requiring message authentication and integrity through a keyed hash.
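The keyed-versus-unkeyed distinction from the table, shown as an added Python example rather than PHP (my code, not the post's): hashlib.sha256 stands in for hash('sha256', ...) and openssl_digest(..., 'sha256'), and hmac.new stands in for hash_hmac('sha256', ..., $key). The messages and keys are constructed.

```python
import hashlib
import hmac

# Added example (not the post's code). hashlib.sha256 plays the role of PHP's hash('sha256', ...)
# and openssl_digest(..., 'sha256'); hmac.new plays the role of hash_hmac('sha256', ..., $key).

def plain_digest(message: bytes) -> str:
    """Unkeyed hash: anyone can recompute it, so it only catches accidental corruption."""
    return hashlib.sha256(message).hexdigest()

def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce or check a matching tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)

def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest keeps comparison time independent of where the first mismatch is.
    return hmac.compare_digest(keyed_tag(key, message), tag)

def tamper_and_recheck(key: bytes):
    """Model a message altered in transit; returns (plain check passes, keyed check passes).

    With an unkeyed digest the receiver accepts whatever digest arrives with the altered
    text, because it can be recomputed by anyone. With HMAC a tag made without the
    server's key does not verify, so the alteration is detected."""
    altered = b"transfer 9999 EUR to account 666"      # constructed tampered message
    forged_digest = plain_digest(altered)               # recomputable without any secret
    forged_tag = keyed_tag(b"not-the-real-key", altered)  # made without the real key
    return verify_plain(altered, forged_digest), verify_keyed(key, altered, forged_tag)
```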

What Is A Rainbow Table?

Generically, a rainbow table is nothing more than a time/storage trade-off. Instead of recomputing a function every time you want to attack it, a rainbow table is generated by pre-computing a large number of inputs to that function. Then, given a result, it should be easy to look up the result in the table to determine which input(s) generate it. That way, you can effectively reverse a non-reversible function…

Great Article discussing this in detail

What Is A Salt?

A salt is a unique value added to passwords before hashing to ensure that identical passwords produce different hash outputs. This uniqueness prevents attackers from using precomputed tables (like rainbow tables) to crack passwords, as each hash is distinct even if the original passwords are the same. While salts do not need to be cryptographically random, they must be unique to each password to effectively protect against hash collisions and enhance security.
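Both the rainbow-table idea above and the salt's effect, in one added Python example (my code, not the post's): a tiny precomputed digest-to-password table built from a constructed wordlist reverses an unsalted SHA-256 in a single lookup, but cannot match a salted PBKDF2 hash, and two users with the same password end up with different stored values. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed example, not the post's code. WORDLIST stands in for a real dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "summer2024"]

def unsalted_digest(password):
    """The weak scheme: a bare SHA-256 of the password, identical for identical inputs."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute digest -> password once (the storage half of the trade-off)."""
    return {unsalted_digest(w): w for w in words}

def crack_unsalted(table, stored_digest):
    """Reverse an unsalted hash with a single dictionary lookup."""
    return table.get(stored_digest)

def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, not kept secret."""
    if salt is None:
        salt = os.urandom(16)            # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def crack_salted(table, stored):
    """The precomputed table was built without this record's salt, so it never matches."""
    _, digest_hex = stored.split("$", 1)
    return table.get(digest_hex)

def same_password_different_hashes(password):
    """Two users choosing the same password end up with different stored values."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```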

What A Salt Is Not

It’s important to note that a salt is not a cryptographic secret. In symmetric key cryptography, the security of a good algorithm is directly dependent upon the secrecy of the key. If the key is leaked, the algorithm provides absolutely no security. Therefore, the key is a cryptographic secret. 

What Is A Pepper?

A pepper, similar to a salt, is a site-wide secret value added to passwords for additional security. Unlike salts, peppers are not stored with the passwords, making them harder for attackers to guess.

Flaws of Using a Pepper in Password Hashing

  1. Lack of Proven Security Benefits:
    • No documentation or academic papers from security experts confirm that peppers enhance security.
    • No recommendations from standards bodies or in RFCs.
  2. No Publicly Vetted Algorithms:
    • Approved hashing algorithms (e.g., PBKDF2) do not support peppers.
    • Modifying secure algorithms to include a pepper can compromise security.
  3. Alternative Approaches:
    • Cryptographic secrets like block ciphers (e.g., AES) are designed for security based on secrets and are publicly vetted.
    • Encrypting hashes with a cipher provides a stronger, proven security layer.
  4. Flawed Premise of Added Security:
    • Peppers aim to protect against password database leaks.
    • In reality, leaks often result from severe vulnerabilities (e.g., privilege escalation) allowing attackers to access all application secrets, including the pepper.

Link to great article on this



Thank you for reading…

~ Leaveitblank (Mayank Tripathi)