Exploring HTTPS and Cryptography in Python (Summary)

In this course, you’ve learned some of the core underpinnings of secure communications on the Internet today. Now that you understand these building blocks, you’ll become a better and more secure developer.

Throughout this course, you’ve gained an understanding of several topics:

  • Cryptography
  • HTTPS and TLS
  • Public Key Infrastructure
  • Certificates

Here are resources for more information on the topics discussed in this course:


00:00 Thanks for sticking with me this far! This course has talked about HTTPS, I showed you how to build a simple Flask server, the basics behind cryptography, how to strengthen your server using Fernet ciphers, why asymmetric key exchange and public and private keys are important, how to write code in Python to be a Certificate Authority, using the certificates generated by your Certificate Authority to host a Flask server using HTTPS, and now, I’m going to talk about a couple of simpler ways of generating those certificates and provide you with some further reading.

00:36 This course has taught the long way around as to how to get certificates. I did that in the hope that you’d have a better understanding of how the pieces fit together. In real life, if you need one of these certificates, there’s usually ways around it. First off, if you’re developing in Flask it has an 'adhoc' mode. Inside of your code, instead of setting the ssl_context to be the public and private keys, you can set it to the keyword 'adhoc'. Flask will start the server, it’ll listen on HTTPS correctly, and it will generate a certificate on the fly.

01:10 The problem with 'adhoc' mode is there’s no CA signing cert. That means you’ll get a warning message, like this one from Firefox, telling you that the certificate is invalid.

01:21 If you’re just trying to test your code in HTTPS, you can accept the risk and continue. Similarly, curl has --insecure. Using this parameter, you can tell it to ignore whatever certificates come down and just assume they’re valid. Using the Flask 'adhoc' mechanism and curl’s --insecure parameter, you can skip past all of the certificate generation steps that I showed you in the sixth and seventh lessons. Alternatively, there’s an open-source library called OpenSSL.

01:52 It provides tools for using SSL and TLS. It’s available here.

01:58 This rather long command line asks OpenSSL to generate a certificate. As you read through it, you’ll probably notice some phrases that are familiar. It’s asking for an X.509 certificate, it’s asking to use an RSA key to create it. -out cert.pem and -keyout key.pem are the public and private certificate files.

02:20 This single command does what several hundred lines of code in the examples did.

02:26 The questions that openssl will ask you when you run this command are the same as the answers you would need to fill in the make_x509_name() name function in the utils file.

02:37 The output is a public certificate—in the previous command, it was named cert.pem—and a private key—in the previous command it was named key.pem.

02:46 These are the equivalent of server-public-key and server-private-key PEM files in your code. Essentially what you did in the Python in this lesson is write a subset of what openssl provides for you. For your reference, here’s some links to some of the tools I’ve talked about in this course.

03:04 lsof is the list open files command. I used it to look at the open ports on my machine. There’s a good how-to guide as to how to use that. nmap was the port scanner, which is available here.

03:17 netstat is the Windows equivalent of lsof. You can find out more information on it here. This is the Python cryptography documentation, Flask’s documentation, the OpenSSL tool, and finally, Wireshark. If you want to drill down more, here’s some suggested reading.

03:37 You can get more information on the history of cryptography through the Wikipedia page.

03:42 Wikipedia is also a great place for learning about TLS and RSA. Not done yet! You can drill down on modular arithmetic inside of Wikipedia, as well.

03:53 And finally, this is an excellent article on how RSA works. I borrowed the numbers in my math explanation from his page. It saved me a lot of work.

04:02 If you’re interested in the TCP layer and how sockets work, you can get more information on socket programming in Python in this article. Finally, you can get more information on using Flask and HTTPS together by reading Miguel Grinberg’s blog post. Before signing off, I would just like to acknowledge elconomeno, oksmith, and Lad Fury.

04:23 They all contributed to the public domain with images, and thankfully to them, you didn’t have to see my crayon-based stick figure drawings.

04:32 Thanks for your attention. I hope you’ve enjoyed the course.

mrford1291 on Sept. 14, 2020

Hi, first let me say thank you.

I ran

Enter PEM pass phrase:
 * Running on https://127.0.0.1:5684/ (Press CTRL+C to quit)

And then I tried to run curl and I got

desktop\code\certauth> curl --insecure ca-public-key.pem https://localhost:5684/
Invoke-WebRequest : A positional parameter cannot be found that accepts argument 'ca-public-key.pem'.
At line:1 char:1
+ curl --insecure ca-public-key.pem https://localhost:5684/
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Why is that? I have 2 separate windows open as well for powershell. Thank you and have a nice day.

Christopher Trudeau RP Team on Sept. 14, 2020

Hello MrFord1291,

I think you’ve mixed up the command line parameters. You can either:

$ curl --insecure https://...

or

$ curl --cacert keyfile.pem https://...

The first case tells curl to ignore any certificate problems. This is the equivalent of pressing the “Accept Risk and Continue” button in your GUI browser when you hit a page with a bad cert.

The second case is giving the cert to curl. It looks like you’ve mixed the two of them together.

Hope that helps. …ct
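
The difference between the two curl invocations in the reply above, reproduced with Python's ssl module as an added example (not code from the course or from this thread). It assumes the third-party cryptography package is installed and uses a self-signed localhost certificate constructed on the spot; the names self_signed, handshake and demo are made up for the illustration.

```python
import contextlib, socket, ssl, tempfile, threading
from datetime import datetime, timedelta, timezone
from pathlib import Path
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import ec

def self_signed(host, key):
    # Constructed one-day test certificate for `host`, signed with its own key.
    name = x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, host)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .sign(key, hashes.SHA256()))

def handshake(client_ctx, server_ctx):
    # One TLS handshake over loopback; returns "ok" or OpenSSL's verification error text.
    with socket.create_server(("127.0.0.1", 0)) as lsock:
        def serve():
            with contextlib.suppress(ssl.SSLError, OSError):  # client may hang up mid-handshake
                server_ctx.wrap_socket(lsock.accept()[0], server_side=True).close()
        worker = threading.Thread(target=serve)
        worker.start()
        try:
            with socket.create_connection(lsock.getsockname()) as raw:
                with client_ctx.wrap_socket(raw, server_hostname="localhost"):
                    return "ok"
        except ssl.SSLCertVerificationError as exc:
            return exc.verify_message
        finally:
            worker.join()

def demo():
    key = ec.generate_private_key(ec.SECP256R1())
    cert_pem = self_signed("localhost", key).public_bytes(ser.Encoding.PEM)
    key_pem = key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.PKCS8, ser.NoEncryption())
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "server.pem").write_bytes(key_pem + cert_pem)
        server_ctx.load_cert_chain(str(Path(tmp, "server.pem")))
    ctxs = {n: ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) for n in ("default", "cacert", "insecure")}
    ctxs["cacert"].load_verify_locations(cadata=cert_pem.decode())  # like curl --cacert cert.pem
    ctxs["insecure"].check_hostname = False                         # like curl --insecure
    ctxs["insecure"].verify_mode = ssl.CERT_NONE
    return {n: handshake(c, server_ctx) for n, c in ctxs.items()}

if __name__ == "__main__":
    print(demo())
```

The default client rejects the certificate because it has no trust anchor for it, while the cacert and insecure clients both connect. Only the cacert client would still reject a different certificate presented on the same port, which is why it is the safer of the two for anything beyond a quick local test.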

sacsachin on Jan. 24, 2021

Great article.

aniketbarphe on Dec. 26, 2021

Thank You!

alphafox28js on Sept. 4, 2024

I appreciate the bash command line option given, and did utilize it, however, I am determined to get the last .pem file KO’d from my other discussion questions. I appreciate the path less taken, while it may be more in-depth, there is an underlying value to it that may prove useful at some point in time.

To any newcomers, stick with it, you got this! ;)

I absolutely loved the specifics of this course. Detailed, concise, to the point of the whys-and-hows.
