
Web Servers – CompTIA A+ 220-1101 – 6.3

Let’s have a look at web servers.

Web Servers
Web servers play an essential role in the modern world, acting as the backbone of the internet. They store and deliver the content we see on websites, from static web pages to complex applications. When you type a URL into your browser, a web server receives your request, retrieves the necessary information and sends it back, allowing you to access the desired content. This seamless process underpins countless aspects of our lives, from online shopping and communication to education and entertainment. Without web servers, the internet as we know it wouldn’t function, highlighting their critical importance in today’s digital landscape.

HyperText Transfer Protocol (HTTP)
The protocol used to access resources on the internet is HyperText Transfer Protocol or HTTP. By default, HTTP uses port 80; however, any port can be used to transfer HTTP. To demonstrate how it works, I will open an internet browser, in this case Google Chrome.

In order to see what is happening in the browser, I will press F12 to open Developer Tools. Developer Tools allow me to inspect the data and elements on the web page which can be very useful for troubleshooting. There are a lot of options in here, so in this case I will select the tab “Network”. This will show me the data that has been transferred between the web server and the computer using the HTTP protocol.

I will now select a link on the current web page, to open a new one. This will show me what files were transferred using HTTP when the page was opened. This is a pretty simple website, so there is not too much on it, but it gives you an idea what kinds of things are transferred.

I will now select one of the documents. You can see, in the preview section, the web page is shown. This is essentially the text of the web site, while additional components like images are missing as they are downloaded separately.

The next file is a CSS file. This file contains configuration information for parts of the website such as font size, color, spacing, etc. Changing this file allows the look and feel of the web site to be changed without changing any of the underlying content.

The next file is a JavaScript file. JavaScript is a high-level, interpreted programming language that is used on a lot of websites. The code is executed on the user’s device and allows for features that are not possible using standard websites, for example, having interactive elements, live updates, animations and image carousels.

The next file down is an image file. You can see the granular approach the web page uses. Since everything is broken down into separate files, it makes it easy to cache them. To save bandwidth, the computer may cache frequently used files like images. This means they store a local copy of the image instead of downloading it every time a page using that image is loaded.

The last file is a font file. You can see that HTTP is a protocol primarily designed for downloading files. Thus, the client can download any file stored on the web server.

This website seems relatively straightforward. I will open a more complex one, though it is still fairly simple compared to many others you will find online. You will notice that even after the website has appeared, more files are being downloaded. Websites are not always static. In the background, they may be downloading new files, for example, changing the ads or other content on the website.

I will now open a webpage that does not exist. Most websites will display a message saying the page was not found, often with a reference to a 404 error.

I will now scroll up to the top of the file list. You will notice that the first file has a status code of 404. Code 404 means file not found, which is expected since the page does not exist. Most websites, when a 404 status code is encountered, will redirect the user to a not-found error page. You can see the next status code is 200. 200 is the status code for “OK”. Thus, technically, 404 is not an error code but a status code. For example, links to temporary web pages can expire after a set time period, leading to a 404 status code when you try to access them, but that is to be expected and technically not an error.

HyperText Markup Language (HTML)
Webpages use HyperText Markup Language, better known as HTML. HTTP is used to serve HTML web pages to the client. HTML is a markup language. A markup language defines the structure of the document and, in the case of HTML, uses tags. Shown here is an example of an HTML page.

For the A+ exam, you don’t need to know a great deal about HTML pages. Just knowing that they are a document that holds web pages should be enough. I will present this information to help you recognize one when you see it and help you troubleshoot problems.

The first line will define the document type. This will tell you the file is HTML and what version it is. HTML uses tags. A tag is, essentially, like having a switch that you can turn on and off. You can see the tag for the title of the web page. The tag name is enclosed within less than and greater than signs. Once this open tag is found, everything after that will be considered part of the title, that is, the title switch has been turned on.

Each tag needs to be closed. To do this, a closing tag is used. A closing tag is the same as the opening tag but has a forward slash before the tag name. This is, effectively, the off switch, so it turns the tag off.

There are also self-closing tags. These tags are a single tag with a forward slash at the end. This means the tag opens and closes itself. It is often used to define values on the web page.

For the exam, you won’t be required to create any web pages or understand how they work. The main point to remember is that HTTP is used to transfer the HTML web pages to the client.

Uniform Resource Locator (URL)
Web pages are accessed by Uniform Resource Locators, more commonly called URLs. The main three parts of a URL are the protocol, FQDN and file path.

The first part of a web address is the protocol. So far, I have only looked at HTTP. HTTP has a major drawback – it transmits data in plain text, unencrypted. This is a concern in today’s internet, where we frequently share sensitive information, like credit card details, on websites.

You will find that some web browsers will have HTTP disabled or display a warning screen if you try to use it. Nowadays, HTTPS is the default protocol for web page transfers. I will look at HTTPS next, but it is essentially a secure version of HTTP.

FQDN stands for Fully Qualified Domain Name, which is just another way of saying the Full DNS (Domain Name System) address. The last part is the file path which is optional. If no file path is provided, the web server will default to a particular file, usually a file like index.html. Although the file path resembles a folder structure, it can also be a logical path to instruct the server how to deliver content, for example, if the file path leads to a search query.

URLs can also support other protocols, for example, FTP. The main takeaway is, you should remember that at the top of your internet browser is the URL. If you see an address that uses the format shown, it may be referred to as a URL.

Hypertext Transfer Protocol Secure (HTTPS)
Hypertext Transfer Protocol Secure or HTTPS, is the secure version of HTTP. It uses TLS to encrypt the data traveling over the connection. I will cover TLS shortly, so don’t worry about it for the moment.

HTTPS uses port 443 by default. Essentially, TLS provides secure communication for HTTP. So technically, HTTPS works the same as HTTP other than it being encrypted.

When a connection is made using HTTP, the connection is unencrypted. This means any data traveling over the connection can potentially be read by an attacker. This is known as a man in the middle attack, in which the attacker places themselves between the sender and the receiver, intercepting any communication. Any unencrypted data is very easy to copy.

HTTPS addresses this by encrypting any data traveling between the sender and the receiver. The attacker in the middle won’t be able to read any of the data.

TLS can also be used with other protocols, such as FTP, e-mail and others. If you want to check if your website is using TLS, most internet browsers will show if the connection is secure in the title bar. In the case of Google Chrome, there is an icon for viewing website information in the title bar. Other internet browsers will display this information differently, for example, some may display a locked or unlocked padlock to show if the connection is secure or not.

You will notice the connection is shown as currently being secure. This means that information like passwords or credit card details will be encrypted.

I will now select another tab which has an unsecure connection. You will notice, in the task bar, it is shown as “Not secure”. Since HTTPS is now the preferred connection, you can see that, when a connection is not secure, Chrome makes it very clear this is the case since unsecured connections are no longer the norm.

You will notice there is more information about the connection not being secure, given that any information like passwords or credit cards could be read by an attacker. Thus, when you are using a web browser and see that the connection is not secure, you should be careful what information you transfer over it.

Transport Layer Security (TLS)
The current protocol uses Transport Layer Security or TLS to encrypt HTTP traffic. It is built on top of an older protocol called Secure Sockets Layer or SSL. SSL, nowadays, is deprecated, but the terminology is sometimes still used. So, when you see SSL, just think TLS.

For the A+ exam, you don’t really need to know much about this protocol. Just remember that the terms TLS and SSL get used interchangeably. SSL was officially deprecated in 2015, so modern systems should use TLS. SSL has known security vulnerabilities, so if you ever get the choice to use SSL, don’t; use TLS instead.

To understand the underlying security used in websites, I will use the standard encryption example of Alice, who is attempting to communicate with Bob. Eve wants to either eavesdrop or hijack the conversation. However, since this is an ITFreeTraining video, I will make one minor change.

Guru Pixelpaw: Alice and Bob think they can communicate in peace, but not with me around. Hehehe!

Symmetrical Encryption
For the A+ exam, you don’t need to know encryption to this level of detail; however, having a bit of context I think will help you understand how TLS keeps network traffic secure. Symmetrical encryption uses the same key for encryption as for decryption.

The problem with symmetrical encryption is both sides need the same key. So, you need to transfer the key between users, which means an attacker in the middle could copy it.

Guru Pixelpaw: I now have your secret key, so I can decrypt all your data. Hehehe!

The key can be of different sizes; higher key sizes give better security but have slightly higher hardware requirements. Advanced Encryption Standard or AES is currently considered the gold standard for symmetrical encryption. You will find, nowadays, a lot of devices use it.

So, the first problem that we need to solve is, how do we transfer the key between the two users and protect it from being stolen?

Asymmetric Encryption
To get around this problem, asymmetric encryption is used. Asymmetric encryption uses two keys: a private key and a public key. Therefore, Alice needs to create two keys. Alice needs to keep the private key safe and can’t share it with anyone.

The public key, however, Alice can share with everyone. So even an attacker can copy the public key.

Guru Pixelpaw: I have the public key, but it is not very useful to me unless I want to send Alice a message. Which I don’t.

Now, when Bob wants to send a message, he uses the public key to encrypt the message. Bob can now send the message to Alice. An attacker can copy the message but will not be able to decrypt the message without the private key.

Alice will be able to decrypt the message because she has the private key. I will not go into details about the math involved, but without the private key, you have to try all the different combinations to find the one that works. With the private key you know which one to try, so you only need to try once.

Even though you only have to try the one combination, asymmetric encryption is much slower than symmetrical encryption. Thus, it is not suitable for large data files; it is just too slow.

Guru Pixelpaw: They are forgetting one thing, I have access to a data center, so I will decrypt the message without the private key using all the computers in the data center. I just need to estimate how long it will take. Maybe in one million years! Ohhh, foiled again!

Certificates
There is one more topic I need to look at before looking at websites and that is certificates. Certificates are used to establish trust and secure communications between two devices.

You can see here, an example of a certificate. If I select the details tab, you can see it is basically a file that contains fields and data. So, a certificate is a standard that defines how data is stored in the file. Using a standard format allows the certificate to be used on different computers, including those that run different operating systems.

The data defines the version of the certificate, the algorithm it supports, details of the issuer, what dates it is valid from and to, as well as other information. Don’t get confused by certificates, they are essentially just files. Later in the video, I will look at how Windows uses these certificates.

TLS Example
I will now have a look at a simplified example of how TLS works. There is a lot to TLS when you get into the details, but even a senior technician can get away with just knowing the basics.

To start with, Alice will send a request to the web server to create a new connection. The web server will respond back with its certificate. The device and the web server then agree on a session key.

How TLS determines the session key is quite intricate. Both sides use a series of calculations based on information they keep private. The end result is both sides come up with the same session key. This means the session key is never sent over the network.

Once both sides have the same session key, a secure channel is created using it.

Guru Pixelpaw: If the session key is never transmitted over the network, how will I steal the data?

The start of the communication uses the certificate, which contains the public key for the server. Asymmetric encryption is quite slow, but it is only used to create a session key. Once the session key is created, symmetrical encryption is used, which is quite fast. You can see that using this combination allows us to have both a secure and a fast channel.
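The session key step described above, as an added example that is not part of the original lesson. It uses a Diffie-Hellman style key agreement, which is one way both sides can calculate the same key from private values; the lesson does not name the method, and the parameters P and G and all function names here are constructed for illustration.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example.
# They are far too small for real use; real TLS uses standardized groups.
P = 2**127 - 1   # prime modulus, known to everyone
G = 3            # base, known to everyone


def make_keypair():
    """Pick a private value and calculate the public value sent to the peer."""
    private = secrets.randbelow(P - 3) + 2    # stays on the device
    public = pow(G, private, P)               # safe to send over the network
    return private, public


def session_key(own_private, peer_public):
    """Combine our private value with the peer's public value."""
    shared = pow(peer_public, own_private, P)
    # Hash the shared number into a 32-byte key for symmetrical encryption.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake():
    """Run one exchange; return what crossed the network and each side's key."""
    client_private, client_public = make_keypair()   # Alice's device
    server_private, server_public = make_keypair()   # the web server
    on_the_wire = {
        "p": P,
        "g": G,
        "client_public": client_public,
        "server_public": server_public,
    }
    client_key = session_key(client_private, server_public)
    server_key = session_key(server_private, client_public)
    return on_the_wire, client_key, server_key


if __name__ == "__main__":
    wire, client_key, server_key = handshake()
    print("seen on the network:", sorted(wire))
    print("both sides hold the same key:", client_key == server_key)
    print("session key:", client_key.hex())
```

Only the public values cross the network; the private values and the session key never do.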

Certificate Verification
There are a number of checks that are done when a device receives a certificate to verify it is authentic and can be used for that website.

Guru Pixelpaw: I have set up a fake website using the domain name, example.com, but I will change the l to a 1. To make the website real, I have used the example.com certificate. Now all I need to do is trick Alice into going to my fake website. Hehehe!

When the device receives a certificate, the DNS name is checked against the DNS name in the certificate. If they do not match, your internet browser will give you an error message. When you get an error like this one, have a look at the message. It will tell you what the problem with the certificate was. In this case, the DNS name did not match that in the certificate. So, the attacker is trying to impersonate a different website using a fake DNS name.

Guru Pixelpaw: Foiled again, but I have some more tricks up my sleeve, hehehe!

Certificate Expired
One of the more common problems you will come across is certificates that have expired. All certificates have an expiration date. If you attempt to access a website and the certificate has expired, you will get a message like this one.

You can see the certificate has expired. An expired certificate does not automatically mean danger, but you should exercise caution. This could be a simple oversight by the website owner not renewing the certificate, but it’s also possible the website is no longer being maintained, making it vulnerable to attackers who might create a fake version to steal your information through phishing scams. Before proceeding with an expired certificate, consider how recently it expired (a very recent expiration might be an honest mistake) and whether the information you are accessing is sensitive. If the risk seems high, it’s best to err on the side of caution and find another source. Remember, expired certificates are a security question mark, so be aware of the risks before you enter any sensitive information.

You can see that the current date is also listed. If the date on your device is incorrect, it may report the certificate as expired when it is not.

If you decide you want to take the risk and proceed to the website, press the button “Advanced”. You will then be given the option of allowing you to proceed to the website at your own risk. The choice is up to you, just understand the risks involved.

Self-Signed Certificates
The next question is, can’t you just create your own certificate? Yes you can, and these are called self-signed certificates.

Guru Pixelpaw: I have created my own certificate for the website. Alice will never know the difference. Hehehe!

When Alice attempts to access the website, she will receive the following message. This is saying the certificate could not be verified against a certificate authority. Certificates use a hierarchical model based on trust. I will have a closer look at this in a moment, but essentially certificates build a chain of trust. You need to trust the certificates in the hierarchy that sit above the level of the certificate you are trying to use. To put it another way, any friend of yours is a friend of mine. Let’s have a closer look.

Certificate Hierarchy
To understand certificate hierarchy, think of the top level of the hierarchy as a royal figure such as a king. At the next level down, you have the king’s officers. These officers have been given the king’s stamp and can act on his behalf.

The officers stamp official documents with the king’s stamp, so that when the documents are presented to someone, they know the documents come with the authority of the king. The person receiving it sees the king’s stamp on the document and knows it is authentic.

Certificate hierarchies work the following way: At the top you have the Root Certificate Authority or Root CA. Below this you have intermediate CAs. Often, once the intermediate CAs are created, the Root CA is taken offline to protect it from being hacked. If an attacker were to gain control of the Root CA’s private key, all the security in the hierarchy would be compromised.

The next level down is the subordinate CA. This level is generally the level that will create certificates for websites. The number of levels shown is a common implementation of a certificate hierarchy; however, you could do it with fewer levels or more if you so wished.

Guru Pixelpaw: I created my own certificate for a website, there is nothing stopping me creating an entire certificate hierarchy. Hehehe!

Although you could create your own certificate authority, for example, a company may create their own internal certificate hierarchy, certificates work off a trust model. The device needs to trust the Root CA for it to work.

Windows has a certificate tool where you can view all the certificates in the local Windows certificate store. You can see all the Root CAs that are trusted by this computer. The vast majority are preloaded by Microsoft and also include other levels, such as intermediate CAs. They contain the commonly used Root CAs on the internet. Thus, if you are accessing a website on the internet that uses a commonly trusted certificate authority, it is automatically trusted. It means you have a built-in list of reputable sources to verify website identities automatically.

When a user tries to access a website and the certificate chain for that website is not available in the local certificate store, your internet browser will show the following message. Thus, the user will be alerted that the Root CA has not been trusted.

Guru Pixelpaw: Damn, foiled again.

There has been a lot covered in this video, so I will summarize the major points.

Summary
For the A+ exam, I would focus on having a basic understanding of the following: HTTP is the protocol used by the World Wide Web to transfer pages and other resources. Web pages use HTML. HTML is a markup language designed for web pages.

HTTPS uses TLS to create a secure channel for HTTP. Essentially all the web traffic is encased in a secure channel. Certificates are used to establish trust and secure communications.

Your internet browser will give you information about whether the communication is secure and details about the certificate. In the case of Google Chrome, I can click on the view site information icon to get more details. Your internet browser may be different.

Notice, the secure connection icon indicates a successfully established secure connection. This means that the browser downloaded and verified the website’s certificate, and has also verified any other certificates in the certificate chain.

You will notice at the bottom, the certificate is reported as being valid. If I select this, I can get more information about it. This certificate is issued by “Let’s Encrypt”. Let’s Encrypt is a free certificate service, assuming your web hosting provider supports it. There may be costs to getting a certificate, which can vary depending on who you get it from. The certificate services you pay for also perform more checks to make sure the website is legitimate, giving the user more trust in that website; this is why they cost more.

When a secure connection cannot be made, your internet browser will inform you. Look for a message like this or an icon such as an unlocked padlock. If there is a problem with the certificate, you will get an error like this. If you see such an error, it is up to you to decide if you want to continue accessing the website. Just understand the risks involved.

End Screen
I hope you have found this video informative. Have a look at our other videos from this course. Until the next video, thanks for watching.

References
“The Official CompTIA A+ Core Study Guide (Exam 220-1101)” pages 201 to 204

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Additional voice Talent: Stuart Thomas Hall https://www.imdb.com/name/nm12181561/
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk
