Exploring HTTPS and Cryptography in Python (Overview)
Have you ever wondered why it’s okay for you to send your credit card information over the Internet? You may have noticed thehttps:// on URLs in your browser, but what is it, and how does itkeep your information safe? Or perhaps you want to create a Python HTTPS application, but you’re not exactly sure what that means.
In this course, you’ll get a working knowledge of the various factors that combine to keep communications over the Internet safe. You’ll see concrete examples of how a Python HTTPS application keeps information secure.
In this course, you’ll learn how to:
- Monitor and analyzenetwork traffic
- Applycryptography to keep data safe
- Describe the core concepts ofPublic Key Infrastructure (PKI)
- Create your ownCertificate Authority
- Build aPython HTTPS application
- Identify common Python HTTPSwarnings and errors
00:00Welcome to Exploring HTTPS and Cryptography in Python.My name is Chris and I will be your guide.The ultimate goal of this course is to produce some code that allows you toissue certificates so that you can host your own internal HTTPS content. Inorder to do that,there’s a lot of things you need to learn along the way. First off,what is HTTPS and how does it work? Secondly,in order to test things over HTTPS, you’re going to need a web application,so I’ll show you how to use a little bit of Flask to do that. Third,moving into cryptography and how certificates work. Fourth, using Fernet ciphers asa symmetric cryptography mechanism to secure your content. Fifth,moving on to asymmetric cryptography. Sixth, how to actually use Python to write aCertificate Authority. Seventh,how to combine all of this into an HTTPS Flask application.
00:54And finally, looking at other ways of approaching the same problem.
00:58The code samples inside of this course were tested using Python 3.8, Flask 1.1,requests 2.23, andcryptography 2.9.Other versions should work equally well,but if you’re running into weird inconsistencies,always remember to check your versions.
01:16As this course uses outside libraries,such as Flask and Pythoncryptography,it’s expected that you have a basic understanding ofpip and virtualenvironments and be able to install these packages. Great! Let’s get started.
01:30So, what’s HTTP? HTTP is the protocol that’s used between your web browser and aserver to get content. First off, you type a URL into your browser.
01:41Your computer opens up a TCP/IP socket to the hostname. That host comes from thefirst part of the URL. If you type inexample.comit looks up the hostexample.com. HTTP traffic, by default, is on port 80,so your web browser automatically opens port80 to the server.
02:00Once a connection is established,the computer uses this connection to send an HTTP request.This request tells the server what content it’s looking for.
02:11Your browser uses the second part of the URL—in this case/kittens.html—to tell the server that it’s looking for the/kittens content.
02:20It also tells it that it was askingexample.com.It does this so that if the web server is hosting multiple domains,it knows which one you connected to. Finally,theAccept parameter tells the server what kind of content that can come back.
02:34The simplest of this is “Give me any content you have.”
02:39An HTTP request is broken down into a series of parts.The first part is the method. The example I just gave you wasGET. A common one is also aPOST.GET is used for retrieving content.
02:51POST is for sending content to the server, such as submitting a form.There are other methods as well, but we’ll skip over those for now. Secondly,the path tells the server what content to fetch. In the examplebefore, this was/kittens.html.
03:08The request should also include the HTTP version.There are multiple versions of HTTP. This is the browser telling the serverwhat version of the protocol that it wishes to speak. Most commonly,this is still version 1.1. Although version 1.0 is still around,2.0 is becoming increasingly common and 3.0 is actively supported by most ofthe popular browsers. In addition to these pieces,the HTTP request can also include additional headers.
03:36These headers give more information to the server.Some common examples areAccept, which you saw in the previous—the browser telling the server what kind of content it can take.
03:48Cookies are a way for the browser and the server to keep common content throughmultiple connections.TheCookie header is the browser telling the server that the last time theyspoke,the server asked the browser to send this information back up on the next visit.
04:04This is how cookies and state work. As I mentioned in the example,theHost is the domain name of the server for multi-domain hosting.TheUser-Agent header identifies the browser that is visiting the server.
04:17This is just text, and some browsers even allow you to fake this out.And finally, if you’re doing aPOST,you also have to include the body in the HTTP request.
04:29This is the content being sent to the server. If you’re submitting a form,this would be the key-value pairs of the fields in the form.
04:37Once the HTTP request has gone to the server,it’s now time for the server to reply back.
04:44This is an HTTP response.The two main parts of this are a status code—in this case,200, telling the browser the content was served fine—and then some information about what the content type is. Forkittens.html,it’s going to be some HTML. Attached to this, then, is the body—the body being the HTML that’s being served. Now, the kitten’s adorable,but I’ve skipped over a step. Images actually don’t come down in the first hit.
05:16So if you hitkittens.html,you would get back an HTML document. That HTML document would have references init, one of which might be an image of a kitten.
05:26The browser would then send another HTTP request for the image of the kitten, andthe server would then respond with that image. This is a multistep process.
05:37The HTTP response itself always contains the version number.This is to confirm the version of the protocol that the server is speaking.Normally this is the same version as was included by the browser in the HTTPrequest.
05:52The status code is a numeric code indicating the success or error of the call.Some ones are200, indicating it was successful,404, saying the path you asked for is not found, or500, indicatingsomething went wrong on the server-side. Just like the request,the response can include additional headers giving metadata about the response.
06:14Some common examples areContent-Encoding, indicating what kind of content thebody has and how it is encoded,Content-Length,the amount of information in the body, in bytes,Server,identifying the web server that is serving the content, andSet-Cookie.
06:33This corresponds to theCookie header in the request.This is the server requesting that the browser—the next time it connects to the server—sends up informationthat’s encoded inside of this header.
06:45This allows the server to keep state between connections. Finally,the response is no good without the body.The body is the actual content to be displayed.
06:55This is usually HTML, images, JavaScript, or CSS.
07:00So, that’s HTTP. What’s HTTPS? Well,the S is for secure. The web is used for all sorts of transactions, nowadays,that should be considered private: E-com, banking, authentication.
07:13Instead of creating a new protocol,HTTPS is just HTTP over an encrypted channel.TLS is a way of encrypting that channel. Older versions also used SSL,but for the sake of the course,I’m going to concentrate on TLS. Because TLS is used to create a genericencrypted channel, this means it can be used for all sorts of protocols,including email, IM, and VoIP.
07:39This separates the concerns between the encryption and the protocol being usedover the encryption.Let’s look at an HTTPS connection. Like before, you type in the URL,this time with thes on the end ofhttps.
07:55A socket is connected to the server. The port, notice, is different.The default port for web is 80.The default port for TLS is 443,so when you type inhttps into your browser, the browser uses port 443to connect to the server. The default nowadays,if you don’t type in the schema, is to use HTTPS in order to try and make surethat your connection is secure. Once the socket is established,TLS protocol is connected over that socket.
08:28This is the encryption channel. Within that encryption channel, HTTP is then usedto communicate to the server. This is the same as the previous example,just inside of the TLS channel. Throughout this course,I’m going to be using a command-line browser calledcurl.curl comes for free inMac, Linux, and Windows distributions now.
08:50If you’re using a slightly older version of Windows 10—before the 1803 build—you may have to go off to the web to download it,but otherwise, it’s there. In its simplest form, you typecurland the URL that you’re going to.
09:05What comes back is the content.This is my own personal website with the world’s smallest HTML document,essentially just sayingHello world!
09:15By using the-I parameter,you can look at the headers coming back from the server. In this case,HTTP […]200,content-type: text/html,and the fact that I’m using Cloudflare to front the server.
09:28This is actually how I get my HTTPS certificate—Cloudflare’s doing it for me.The-I parameter only shows the headers that come back.You can use--include, instead, to see both the headers and the content.
09:42I’m going to combine this with-v, for verbose,to see all of the details that happen with a TLS connection.
09:57and here’s a whole bunch of debug information. It connects to the server.It tells us that it wishes to speakTLS. Handshake goes back and forth with some certificate exchange.
10:08Next up, the secure connection is confirmedand a certificate comes back from the server, telling the browser who it is.The browser confirms the certificate through one of its known CertificateAuthorities and then—because it passes—establishes the connection.
10:25In this case, it’s using HTTP2 over the TLS connection.
10:31The next part is the actualGET—fromcurl to the browser—using HTTP2, asking for the/helloworld.html document.
10:41The connection state changes, and finally,the response comes back from the server using status code200 and the actualbody connected to it.
10:52And that’s everything involved in asking forhelloworld.html over HTTPS.
10:58Next up,I’m going to show you how to use Flask to build a simple web server application.
Course Contents
