HTTP Security Overview
39 Questions
Questions and Answers

What is the main purpose of using Memcache in Facebook's architecture?

  • To cache recent database query results (correct)
  • To manage user authentication
  • To store all database records persistently
  • To replace the need for a database server

What is a major drawback of using Memcache?

  • All writes go directly to the cache
  • It requires heavy computational resources
  • It eliminates the need for a database
  • Cache misses can reduce performance (correct)

What challenge do startups face regarding scaling their web applications?

  • They often handle consistent user loads
  • They can afford expensive systems from the start
  • Sudden popularity can cause scaling disasters (correct)
  • They have expertise in datacenter management
    In 2009, how many MySQL servers did Facebook utilize?

      • 4,000 (correct)

    Which of the following is NOT a challenge in building a scalable web architecture?

      • Constantly increasing database size (correct)

    What does serverless computing primarily allow developers to avoid managing?

      • Server infrastructure (correct)

    Which of the following is a benefit of using cloud database storage?

      • Expert management by the cloud provider (correct)

    Which description best defines the characteristics of serverless computing?

      • Hides server management and infrastructure decisions from developers (correct)

    What kind of pricing model do cloud databases typically use?

      • Usage-based pricing (correct)

    Which of the following is NOT a feature typically associated with cloud database storage?

      • Manual backup processes (correct)

    What is a key benefit of using scale-out architecture?

      • Natural redundancy for failure tolerance (correct)

    Which of the following best describes the function of DNS load balancing?

      • Specifying multiple targets for a domain name (correct)

    What challenge does scale-out architecture present?

      • Managing multiple instances and distributing work (correct)

    How does a load-balancing switch enhance web server performance?

      • By inspecting session cookies for connection requests (correct)

    What is a characteristic of stateless servers in the context of load balancing?

      • They simplify the load balancing process (correct)

    What defines scale-up architecture?

      • Switching to a single, larger instance (correct)

    What role does load balancing serve in a server architecture?

      • It distributes incoming requests among multiple servers (correct)

    Which statement about nginx is accurate based on its description?

      • It is a super efficient web server (correct)

    What is a primary advantage of using cloud computing for startups?

      • Provides instant access to thousands of machines (correct)

    How does cloud computing typically bill users?

      • Based on the resources used, like CPU core time and storage bytes (correct)

    Which of the following statements about virtualization is accurate?

      • It allows for the efficient use of physical resources (correct)

    What is the role of a load balancer in a cloud computing setup?

      • It distributes incoming traffic to various servers (correct)

    Which of the following is NOT a benefit of cloud computing?

      • High upfront investment costs (correct)

    What does virtualization enable in the context of cloud computing?

      • High-level abstraction of server management (correct)

    In the context of cloud computing, what are common metrics that providers bill users on?

      • Resource usage like memory and network bytes (correct)

    What is a possible drawback of managing a web app backend using virtual machines?

      • It requires complex system-building skills (correct)

    What is one of the main benefits of using load balancing in a web server environment?

      • It allows dynamic pools of servers to manage fluctuating connections (correct)

    What is required for stateless servers to effectively handle load balancing?

      • A shared database must be accessible across all web servers (correct)

    What is a common strategy to mitigate denial of service (DoS) attacks in web applications?

      • Implementing request rate limits (correct)
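    The rate limit named in the answer above is usually implemented as a per-client token bucket. The following Python is an added example written for this page, not code from the quiz or from any product it mentions; the client identifiers, rate, burst size and traffic timestamps are constructed for illustration, and a real deployment would key on something harder to forge than a source IP behind a proxy.

```python
import time


class TokenBucketLimiter:
    """Per-client token bucket: a client may burst up to `capacity` requests
    and then sustain `rate` requests per second. A request that finds the
    bucket empty is rejected (the web tier would answer HTTP 429) rather than
    queued, so a flood cannot pile up work on the servers."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.clock = clock                # injectable so it can be replayed offline
        self._buckets = {}                # client_id -> (tokens, last_refill_time)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (self.capacity, now))
        # Refill in proportion to elapsed time, never beyond the bucket capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False


def replay(requests, rate=5, capacity=5):
    """Feed (timestamp_seconds, client_id) pairs through a limiter driven by
    a fake clock and return (timestamp, client_id, allowed) for each."""
    current = [0.0]
    limiter = TokenBucketLimiter(rate, capacity, clock=lambda: current[0])
    decisions = []
    for ts, client in requests:
        current[0] = ts
        decisions.append((ts, client, limiter.allow(client)))
    return decisions


# Constructed traffic (hypothetical addresses): one client sends 8 requests
# within 70 ms, a second client sends a single request, then the first client
# returns after a pause long enough for its bucket to refill.
SAMPLE_REQUESTS = [(i * 0.01, "203.0.113.9") for i in range(8)] + [
    (0.05, "198.51.100.4"),
    (1.2, "203.0.113.9"),
]

if __name__ == "__main__":
    for ts, client, ok in replay(SAMPLE_REQUESTS):
        print(f"t={ts:5.2f}s {client:14} {'allow' if ok else 'REJECT'}")
```

    With a burst of 5 and a rate of 5 per second, the flooding client gets its first five requests through, the next three are rejected, the well-behaved client is unaffected, and after about a second the flooder's bucket has refilled.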

    Which approach is employed to ensure a relational database can scale beyond a single instance?

      • Data sharding (correct)

    What is typically needed when dealing with session state in a load balanced environment?

      • Fast access to session state is essential for performance (correct)

    What type of attack involves an entity listening to a conversation to obtain confidential information?

      • Eavesdropper attack (correct)

    Which protocol does HTTP use to establish a secure channel?

      • SSL/TLS (correct)

    What does a public key certificate bind together?

      • An identity and a public key (correct)

    What role does the certificate authority play in public key infrastructure?

      • It verifies identities and issues public key certificates (correct)

    How is the session key created during an HTTPS connection setup?

      • Using the pre-master secret encrypted with the server's public key (correct)

    What TCP port is commonly used for HTTP traffic?

      • 80 (correct)

    What happens if a browser detects that a certificate is expired?

      • A warning message is displayed to the user (correct)

    Which of the following is NOT a protection offered by HTTPS?

      • Increased server speed (correct)

    Study Notes

    HTTP Security

    • HTTP is the protocol browsers and servers use to transfer web pages; on its own it offers no confidentiality, integrity or authentication.
    • HTTPS is HTTP carried over a TLS channel (TLS is the successor of SSL; the pair is commonly written SSL/TLS).
    • TLS encrypts the traffic, protects its integrity, and authenticates the website to the browser.
    • HTTP uses TCP port 80; HTTPS uses TCP port 443.

    HTTP Threat Model

    • Eavesdropper: passively reads the conversation (breaks confidentiality).
    • Man-in-the-middle: sits between browser and server and modifies content in transit (breaks integrity).
    • Impersonation / bogus website: a server pretends to be a different website (breaks authentication, and with it confidentiality, because the user sends credentials to the wrong party).

    HTTPS: Securing HTTP

    • HTTPS sits on top of the SSL/TLS secure channel.
    • HTTPS (https://) and HTTP (http://) use different TCP ports: 443 for HTTPS, 80 for HTTP.
    • Every HTTP byte sent over HTTPS is encrypted and integrity-protected by TLS.
    • HTTP itself is unchanged; only the communication channel underneath it is different.

    Public Key Infrastructure

    • A public key certificate binds an identity (e.g., the domain name example.com) to a public key.
    • The issuing CA's digital signature over the certificate lets the browser detect tampering and verify who issued it.
    • Certificate authorities (e.g., GoDaddy) verify the requester's identity, then issue the public key certificate.
    • Browsers and operating systems ship with a preconfigured set of trusted root CA certificates; a server certificate must chain to one of them.

    Enabling HTTPS for a Server

    • Web hosting providers may offer HTTPS as part of their hosting package.
    • Otherwise, request an SSL/TLS certificate from a certificate authority (proving control of the domain), then install the certificate and its private key on the server.
    • Certificates have a fixed validity period and must be renewed before they expire; an expired certificate makes browsers show an error.

    HTTP vs. HTTPS

    • HTTP sends data in plain text, so anyone on the network path (a hacker on the same Wi-Fi, a compromised router) can read login credentials and passwords.
    • HTTPS sends the same data encrypted, so an observer on the path cannot read it.
    • To the hacker, HTTPS traffic looks like random bytes (e.g., abErgdy#uwitWLqxytllqp), whereas HTTP traffic shows the login e-mail address and password exactly as the user typed them.

    Website Access Requested

    • The browser requests access to a website (an https:// URL).
    • The browser opens a TCP connection to the web server and starts the TLS handshake.
    • The server sends its SSL/TLS certificate (with the chain up to the issuing CA) to the browser.

    Browser Validates SSL/TLS Certificate

    • The browser checks that the certificate is within its validity period (not expired and not "not yet valid") and that its subject alternative names match the domain name being visited.
    • It checks that the certificate chains, through valid signatures, to a certificate authority in its trust store.
    • Browsers may also check revocation (CRL, OCSP or a built-in blocklist); a certificate that fails any check produces an error page or warning.
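    The field checks above, written out as an added example for this page (it is not code from the quiz or from any browser). It works on the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, and the sample certificate, its dates and its issuer name are constructed. Two simplifications are labelled in the comments: a browser verifies the issuer by checking the signature chain, whereas this example only compares the issuer name against an assumed allow-list, and revocation is not checked.

```python
import ssl
import time

# Constructed sample in the getpeercert() dict format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# Assumed trust store: stands in for the root certificates a browser ships with.
TRUSTED_ISSUERS = {"Example Trusted CA"}


def at(cert_time: str) -> float:
    """Turn a certificate timestamp ('Jun 15 12:00:00 2025 GMT') into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard is honoured only as the entire
    left-most label, so *.example.com matches www.example.com but neither
    a.b.example.com nor example.com itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def issuer_org(cert: dict) -> str:
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def check_certificate(cert: dict, hostname: str, now=None,
                      trusted_issuers=TRUSTED_ISSUERS) -> list:
    """Return the list of problems a browser would report; an empty list
    means the certificate passes validity, hostname and issuer checks."""
    problems = []
    now = time.time() if now is None else now
    if now < at(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > at(cert["notAfter"]):
        problems.append("certificate expired")
    # Browsers match the hostname against subjectAltName only; the CN is ignored.
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(p, hostname) for p in sans):
        problems.append(f"hostname {hostname} not in subjectAltName {sans}")
    # Simplification: name comparison instead of verifying the signature chain.
    if issuer_org(cert) not in trusted_issuers:
        problems.append("issuer is not a trusted certificate authority")
    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "evil-example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now=at("Jun 15 12:00:00 2025 GMT")))
```

    The wildcard rule is the part most often implemented wrongly: a naive suffix match would let a certificate for *.example.com be accepted for evil-example.com or a.b.example.com.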

    Establishing a Secure Connection

    • The browser generates a "pre-master secret" and encrypts it with the server's public key taken from the certificate.
    • The server uses its private key to decrypt the pre-master secret; only the holder of that private key can, which is how the server proves it owns the certificate.
    • Both sides derive the same session key from the pre-master secret and use symmetric encryption for the rest of the connection.
    • Caveat: this describes the RSA key exchange of TLS 1.2 and earlier. TLS 1.3 removed it; current connections use ephemeral (elliptic-curve) Diffie-Hellman so that a later theft of the server's private key cannot decrypt recorded traffic (forward secrecy), and the certificate's key is used to sign the handshake rather than to encrypt a secret.

    Large-Scale Web Applications

    • Web application architecture involves web browsers, web servers and a storage system.
    • Web servers / application servers handle incoming requests.
    • Storage systems (databases, e.g., MySQL, MongoDB) hold the data and serve SQL or NoSQL requests from the application servers.

    Scale-Up vs. Scale-Out

    • Scale-up involves increasing the resources of a single server (increasing the capacity of a single server).
    • Scale-out involves adding more servers to handle increasing load (increasing the number of servers to proportionally increase capacity).

    Load Balancing

    • Distribute HTTP requests across multiple front-end web servers using load balancers.
    • A front-end machine accepts the initial connection and hands it off to a back-end machine chosen by a scheduling algorithm (round robin, least connections, and so on).
    • DNS load balancing: the domain name resolves to multiple targets, which also spreads requests across geographically distributed systems.
    • DNS servers rotate the order of these targets in their responses.
    • A load-balancing switch (Layer 4-7 switch) directs incoming packets and connections to the appropriate web server; at layer 7 it can inspect HTTP headers and session cookies.
    • Stateless servers simplify load balancing, since any server can handle any request.
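    A small layer-7 dispatcher illustrating the bullets above, added for this page and not taken from the quiz or from nginx: round robin for new clients, cookie-based affinity for clients already pinned to a back end, and failover when the pinned back end is marked unhealthy. The backend names, cookie name and secret are assumed. The affinity cookie is HMAC-signed because an unsigned cookie would let a client choose which back end serves it, which matters once one instance is known to be weaker or compromised.

```python
import hashlib
import hmac
import itertools


class LoadBalancer:
    """Front-end dispatcher with round robin, signed session affinity and
    health-aware failover. Backend names and the cookie name are assumed."""

    def __init__(self, backends, secret: bytes, cookie_name: str = "SRV"):
        if not backends:
            raise ValueError("need at least one backend")
        self.backends = list(backends)
        self.healthy = set(self.backends)
        self.secret = secret
        self.cookie_name = cookie_name
        self._rr = itertools.cycle(self.backends)

    def _sig(self, backend: str) -> str:
        # HMAC over the backend name so a client cannot forge a pin.
        return hmac.new(self.secret, backend.encode(), hashlib.sha256).hexdigest()[:32]

    def affinity_cookie(self, backend: str) -> str:
        """Value for a Set-Cookie header pinning the client to `backend`."""
        return f"{self.cookie_name}={backend}.{self._sig(backend)}"

    def _pinned_backend(self, cookie_header: str):
        """Parse a Cookie header and return the pinned backend if its
        signature verifies, else None (forged or missing pins are ignored)."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name != self.cookie_name or "." not in value:
                continue
            backend, _, sig = value.rpartition(".")
            if hmac.compare_digest(sig.encode(), self._sig(backend).encode()):
                return backend
        return None

    def _next_round_robin(self) -> str:
        for _ in range(len(self.backends)):
            candidate = next(self._rr)
            if candidate in self.healthy:
                return candidate
        raise RuntimeError("no healthy backends")

    def choose(self, cookie_header: str = ""):
        """Return (backend, set_cookie_value_or_None) for one request."""
        pinned = self._pinned_backend(cookie_header)
        if pinned in self.healthy:
            return pinned, None            # stick with the pinned, healthy backend
        backend = self._next_round_robin()  # new client, forged pin, or failover
        return backend, self.affinity_cookie(backend)

    def mark_down(self, backend: str) -> None:
        self.healthy.discard(backend)

    def mark_up(self, backend: str) -> None:
        self.healthy.add(backend)


if __name__ == "__main__":
    lb = LoadBalancer(["app1", "app2", "app3"], secret=b"example-secret")
    backend, cookie = lb.choose("")
    print(backend, cookie)
    print(lb.choose(f"theme=dark; {cookie}"))
    lb.mark_down(backend)
    print(lb.choose(cookie))
```

    With stateless application servers the pin is only an optimisation (cache locality); with servers that hold session state in memory, losing the pin on failover also loses the session, which is the reason the notes move session state into a shared store.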

    Nginx (“Engine X”)

    • Efficient web server that handles thousands of concurrent HTTP connections.
    • Load balancing: as a reverse proxy it forwards requests to a pool of back-end application servers.
    • Fault tolerance: detects failed back-end servers and routes requests around them.
    • Serves simple requests (static files) itself.

    Scale-out Architecture (assumptions)

    • Stateless servers: different requests from the same user may be handled by different servers.
    • Session state is accessed on every request, so it needs specialized handling, such as a shared fast store (e.g., memcache) that every web server can reach.
    • WebSockets keep a long-lived connection between browser and server, which makes load balancing harder.

    Scale-out Storage

    • Traditional web applications use relational databases.
    • Single database instances don't scale well.
    • Data sharding spreads data across multiple instances.
    • Data replication creates backups and handles failures.
    • Applications must partition data effectively.

    Memcache

    • Main-memory caching system.
    • Caches results of recent database queries.
    • Faster access compared to databases (500 microseconds vs tens of milliseconds).
    • Widely used in applications like Facebook (over 200,000 memcache servers).
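    Both the sharding bullets and the memcache bullets above depend on the same question: which instance holds a given key, and how many keys move when an instance is added or removed. The following Python, an added example for this page rather than code from the quiz, Facebook or memcached, contrasts naive modulo sharding with a consistent hash ring. The node names and key set are constructed; the hash is MD5 because it is fast and uniform, and it is used only for placement, not for any security purpose.

```python
import bisect
import hashlib


def key_hash(value: str) -> int:
    """Uniform 64-bit hash for placement only (not a security primitive)."""
    return int.from_bytes(hashlib.md5(value.encode()).digest()[:8], "big")


class ConsistentHashRing:
    """Map keys to nodes (database shards or memcache servers) so that adding
    or removing one node moves only about 1/N of the keys. Each node is placed
    at `replicas` virtual points on the ring to even out the distribution."""

    def __init__(self, nodes=(), replicas: int = 100):
        self.replicas = replicas
        self._points = []   # sorted hash points
        self._owners = []   # node owning each point, parallel to _points
        for node in nodes:
            self.add_node(node)

    def add_node(self, node: str) -> None:
        for i in range(self.replicas):
            point = key_hash(f"{node}#{i}")
            idx = bisect.bisect(self._points, point)
            self._points.insert(idx, point)
            self._owners.insert(idx, node)

    def remove_node(self, node: str) -> None:
        kept = [(p, n) for p, n in zip(self._points, self._owners) if n != node]
        self._points = [p for p, _ in kept]
        self._owners = [n for _, n in kept]

    def get_node(self, key: str) -> str:
        if not self._points:
            raise LookupError("ring is empty")
        # First point clockwise from the key's hash, wrapping around the ring.
        idx = bisect.bisect(self._points, key_hash(key)) % len(self._points)
        return self._owners[idx]


def consistent_placement(nodes, keys) -> dict:
    ring = ConsistentHashRing(nodes)
    return {k: ring.get_node(k) for k in keys}


def naive_placement(n_shards: int, keys) -> dict:
    """hash(key) mod N: simple, but changing N remaps most keys."""
    return {k: f"shard{key_hash(k) % n_shards}" for k in keys}


def moved_fraction(before: dict, after: dict) -> float:
    moved = sum(1 for k in before if before[k] != after[k])
    return moved / len(before)


# Constructed key space standing in for user records or cached query results.
SAMPLE_KEYS = [f"user:{i}" for i in range(5000)]

if __name__ == "__main__":
    three, four = ["cache1", "cache2", "cache3"], ["cache1", "cache2", "cache3", "cache4"]
    print("naive 3->4 shards, keys moved:",
          moved_fraction(naive_placement(3, SAMPLE_KEYS), naive_placement(4, SAMPLE_KEYS)))
    print("consistent 3->4 nodes, keys moved:",
          moved_fraction(consistent_placement(three, SAMPLE_KEYS),
                         consistent_placement(four, SAMPLE_KEYS)))
```

    Going from three to four instances, modulo sharding remaps roughly three quarters of the keys (every key whose hash mod 3 and mod 4 differ), which for a cache tier means a burst of misses against the database, while the ring moves only the keys that land on the new node. That difference is the "cache misses can reduce performance" drawback from the quiz, turned into numbers.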

    Cloud Computing

    • Cloud computing dynamically allocates and provisions servers on demand.
    • The cloud provider manages the infrastructure and its capacity.
    • Pay-as-you-go model (pay only for the resources used).
    • Suitable for start-ups and for the scaling needs of established organizations.
    • Virtualization is the key enabling technology: many virtual machines share one physical server and can be created, accessed remotely and destroyed on demand.

    Cloud Computing Pros/Cons

    • Pros: Pay-per-use, flexible scaling, lower upfront costs, access to vast resources, many APIs (Application Programming Interfaces)
    • Cons: Internet dependency, security considerations, vendor lock-in, lack of control

    Higher Level Interfaces

    • Managing virtual machines requires substantial skills.
    • Higher-level interfaces like container systems (Docker/Kubernetes) shield developers from complexities of OS management.
    • Manage storage using cloud databases (handling storage and data).
    • Serverless architectures delegate server management to the cloud provider.

    Cloud Database Storage

    • Use a cloud-based database service rather than running your own database instances.
    • High availability, consistency and performance are provided by the service.
    • Schema definition and data access are done through queries (SQL or the service's API).
    • Pay for usage, e.g., per data access and per stored byte.

    Serverless Computing

    • Cloud provider dynamically manages server allocation.
    • Hidden server management and capacity planning from the developer.
    • Developers focus on providing code - functions that run in response to events.

    Serverless Architecture

    • Code runs in response to events, including HTTP requests to a URL (the serverless counterpart of a web server handler).
    • Serverless-specific platforms (e.g., AWS Lambda).
    • Scaling and reliability are managed by the platform.

    Content Delivery Networks (CDN)

    • Distribute web app assets efficiently across multiple servers.
    • Fast asset delivery with closer servers to end-users.
    • Reduces load on the main web servers.
    • Works well with static content.

    Cloud Computing & Web Apps

    • Pay-as-you-go model supports scalability.
    • Useful infrastructure services (auto-scaling, monitoring, fault handling).
    • Cloud APIs offer analytical, machine learning and other tools.

    Discussion (When to Build In-house Data Center Instead of Cloud)

    • High consistent demand
    • Strict security requirements
    • Latency concerns /Performance
    • Customization, specialized hardware needs
    • Long-term growth and resources needs
    • High data transfer costs / large data volumes
    • Compliance needs and disaster recovery
    • Financial viability and long-term commitment

    Description

    This quiz covers the fundamentals of HTTP and HTTPS, including their differences, security protocols such as SSL/TLS, and the threat models associated with web communications. Test your knowledge on how these protocols protect data integrity and confidentiality against various security threats.
