HTTP Security Overview

Questions and Answers

What is the main purpose of using Memcache in Facebook's architecture?

  • To cache recent database query results (correct)
  • To manage user authentication
  • To store all database records persistently
  • To replace the need for a database server

What is a major drawback of using Memcache?

  • All writes go directly to the cache
  • It requires heavy computational resources
  • It eliminates the need for a database
  • Cache misses can reduce performance (correct)

What challenge do startups face regarding scaling their web applications?

  • They often handle consistent user loads
  • They can afford expensive systems from the start
  • Sudden popularity can cause scaling disasters (correct)
  • They have expertise in datacenter management

In 2009, how many MySQL servers did Facebook utilize?

  • 4,000 (D)

Which of the following is NOT a challenge in building a scalable web architecture?

  • Constantly increasing database size (A)

What does serverless computing primarily allow developers to avoid managing?

  • Server infrastructure (D)

Which of the following is a benefit of using cloud database storage?

  • Expert management by the cloud provider (A)

Which description best defines the characteristics of serverless computing?

  • Hides server management and infrastructure decisions from developers (B)

What kind of pricing model do cloud databases typically use?

  • Usage-based pricing (C)

Which of the following is NOT a feature typically associated with cloud database storage?

  • Manual backup processes (A)

What is a key benefit of using scale-out architecture?

  • Natural redundancy for failure tolerance (B)

Which of the following best describes the function of DNS load balancing?

  • Specifying multiple targets for a domain name (D)

What challenge does scale-out architecture present?

  • Managing multiple instances and distributing work (B)

How does a load-balancing switch enhance web server performance?

  • By inspecting session cookies for connection requests (B)

What is a characteristic of stateless servers in the context of load balancing?

  • Simplify the load balancing process (A)

What defines scale-up architecture?

  • Switching to a single, larger instance (C)

What role does load balancing serve in a server architecture?

  • It distributes incoming requests among multiple servers. (C)

Which statement about nginx is accurate based on its description?

  • It is a super efficient web server. (A)

What is a primary advantage of using cloud computing for startups?

  • Provides instant access to thousands of machines (B)

How does cloud computing typically bill users?

  • Based on the resources used like CPU core time and storage bytes (A)

Which of the following statements about virtualization is accurate?

  • It allows for the efficient use of physical resources (A)

What is the role of a load balancer in a cloud computing setup?

  • It distributes incoming traffic to various servers. (A)

Which of the following is NOT a benefit of cloud computing?

  • High upfront investment costs (C)

What does virtualization enable in the context of cloud computing?

  • High-level abstraction of server management (A)

In the context of cloud computing, what are common metrics that providers bill users on?

  • Resource usage like memory and network bytes (C)

What is a possible drawback of managing a web app backend using virtual machines?

  • Involves complex system building skills (D)

What is one of the main benefits of using load balancing in a web server environment?

  • It allows dynamic pools of servers to manage fluctuating connections. (B)

What is required for stateless servers to effectively handle load balancing?

  • A shared database must be accessible across all web servers. (B)

What is a common strategy to mitigate denial-of-service (DoS) attacks in web applications?

  • Implementing request rate limits. (A)

Which approach is employed to ensure a relational database can scale beyond a single instance?

  • Data sharding. (B)

What is typically needed when dealing with session state in a load balanced environment?

  • Fast access to session state is essential for performance. (B)

What type of attack involves an entity listening to a conversation to obtain confidential information?

  • Eavesdropper attack (A)

Which protocol does HTTP use to establish a secure channel?

  • SSL/TLS (A)

What does a public key certificate bind together?

  • An identity and a public key (A)

What role does the certificate authority play in public key infrastructure?

  • It verifies identities and issues public key certificates (B)

How is the session key created during an HTTPS connection setup?

  • Using the pre-master secret encrypted with the server's public key (D)

What TCP port is commonly used for HTTP traffic?

  • 80 (B)

What happens if a browser detects that a certificate is expired?

  • A warning message is displayed to the user (B)

Which of the following is NOT a protection offered by HTTPS?

  • Increased server speed (B)

Flashcards

Load Balancer

A software component that sits in front of a web server cluster, distributing incoming HTTP requests across multiple servers.

Stateless Web Servers

A design principle where the web server doesn't store information about the user's session between requests. Each request is treated independently.

Data Sharding

A technique to distribute database data across multiple servers to handle high volumes of data and improve performance.

Data Replication

A mechanism that ensures data availability even when server failures occur by creating multiple copies of data.

Memcache

A technique to improve performance by caching frequently accessed data in memory, reducing the time required to retrieve it from the database.

Sharded Database

A distributed database system where individual database instances are responsible for specific data segments, usually based on user id or some other hashing mechanism.

Cache Miss

A situation where Memcache doesn't have the requested data and needs to fetch it from the main database, leading to performance slowdowns.

Scale-Out Architecture

A design strategy that involves adding more servers to handle increasing workload. This contrasts with scaling up, which involves upgrading existing hardware.

Flash Crowd

The phenomenon of a website receiving a sudden surge in traffic, which can overwhelm its infrastructure and lead to outages.

Scale-Up

Increasing the capability of a system by adding more resources to a single instance, such as a larger server or more storage.

Scale-Out

Increasing the capability of a system by adding more instances of the same component, such as adding more web servers or storage devices.

DNS Load Balancing

A type of load balancing where the DNS server sends requests to different web servers based on a rotating schedule.

Load Balancing Switch

A specialized network switch that forwards incoming requests to different web servers based on load and other factors.

nginx

A powerful open-source web server software known for its high performance and efficiency.

Stateless Servers

Describes a system where different requests from the same user can be handled by different servers.

Stateful Server

A server that only responds to requests from a single client, making it ideal for load balancing.

Eavesdropper

A threat to HTTP communication where an attacker listens in on the conversation between a client and server, potentially gaining access to sensitive information.

Man-in-the-middle Attack

A threat to HTTP communication where an attacker intercepts communication between a client and server and modifies the transmitted data, potentially leading to data manipulation or unauthorized access.

Impersonation

A threat to HTTP communication where an attacker creates a fake website that mimics a legitimate one, aiming to deceive users and steal their sensitive information.

HTTPS

A protocol that enhances HTTP by adding a layer of security using SSL/TLS encryption to ensure secure communication between clients and servers.

Public Key Certificate

A process where digital certificates bind an identity, such as a domain name, to a public key, ensuring authenticity and integrity of communication.

Certificate Authority

A trusted entity responsible for issuing and verifying public key certificates and ensuring the authenticity of identities involved in digital communication.

Session Key

A temporary symmetric encryption key generated during the HTTPS handshake process, used by both the client and server to encrypt and decrypt communication.

HTTPS Handshake

A mechanism that uses a combination of public and private keys to securely exchange a pre-master secret, which is then used to generate the session key for encrypted communication in HTTPS.

Serverless Computing

A cloud computing model where the cloud provider manages servers and capacity planning, allowing developers to focus solely on their code without server management concerns.

Serverless Functions

These allow you to run your code without provisioning or managing your own servers. The cloud provider handles the infrastructure, scaling, and security.

Cloud Database Storage

A type of cloud database service where the cloud provider manages the database infrastructure and scaling, allowing you to focus on data storage and access.

Cloud Database Features

These cloud databases can have features like high availability, high performance, global replication, consistency, and security, often with usage-based pricing.

Managing Database Instances

Using cloud-based database services eliminates the need for managing your own database instances, such as setting up servers and configuring deployments.

Server Virtualization

Multiple virtual machines run on top of a single physical server, allowing for efficient resource allocation.

Virtual Machine Image

A disk image containing a complete virtual operating system and its applications, ready to be deployed on a virtual machine.

Cloud Computing

A model of computing that uses virtual machines to run applications on a network of shared resources.

Cloud Provider

A provider of cloud computing services, offering resources like virtual machines, storage, and databases.

Virtualization

The practice of running a virtual machine on top of a physical machine, enabling the creation of many virtual machines from a single physical machine.

Scalability

The ability to scale computing resources up or down quickly and easily as needed.

Scalable Platform

A web app backend that doesn't rely on virtual machines, but offers pre-built services like database storage and user management.

Study Notes

HTTP Security

  • HTTP is a protocol for transferring web pages
  • HTTPS is a secure version of HTTP
  • HTTPS uses SSL/TLS to encrypt data and authenticate the website
  • HTTP uses port 80 and HTTPS uses port 443

HTTP Threat Model

  • Eavesdropper: listens to conversations (confidentiality)
  • Man-in-the-middle: modifies content (integrity)
  • Impersonation: pretends to be a different website
  • Bogus website: (authentication, confidentiality)

HTTPS: Securing HTTP

  • HTTPS sits on top of the SSL/TLS secure channel
  • HTTPS (using https://) versus HTTP (using http://): different TCP ports (TCP port 443 for HTTPS, TCP port 80 for HTTP)
  • All HTTP bytes are encrypted and authenticated using HTTPS
  • No change to HTTP itself, just the communication channel

Public Key Infrastructure

  • Public key certificates bind identity (e.g., domain name example.com) with a public key.
  • Digital signatures ensure integrity.
  • Certificate authorities (e.g., GoDaddy) issue public key certificates and verify identities.
  • Preconfigured certificates are in web browsers.

Enabling HTTPS for a Server

  • Web Hosting Providers may offer HTTPS security.
  • You can request and install an SSL/TLS certificate from a Certificate Authority.
  • SSL/TLS certificates need periodic renewal.

HTTP vs. HTTPS

  • HTTP sends data in plain text, allowing hackers to see login credentials and passwords
  • HTTPS sends sensitive data encrypted, making it hard to read for a hacker
  • Data sent with HTTPS looks different to the hacker (abErgdy#uwitWLqxytllqp), different from HTTP ([email protected])

Website Access Requested

  • A browser requests access to a website.
  • The browser sends a request to the Web Server.
  • An SSL/TLS certificate is sent from the server.

Browser Validates SSL/TLS Certificate

  • The browser checks if the certificate is valid, not expired, and matches the domain name.
  • Checks if the certificate is issued by a trusted certificate authority.

Establishing a Secure Connection

  • Browser generates a "pre-master secret," encrypts it with the server's public key.
  • The server uses its private key to decrypt the pre-master secret.
  • A session key is created from the pre-master secret (symmetric encryption)

Large-Scale Web Applications

  • Web application architecture involves web browsers, web servers and storage systems.
  • Web servers/application servers handle incoming requests.
  • Storage systems (databases, e.g., MySQL, MongoDB) hold data and serve requests (i.e., SQL or NoSQL requests).

Scale-Up vs. Scale-Out

  • Scale-up involves increasing the resources of a single server (increasing the capacity of a single server).
  • Scale-out involves adding more servers to handle increasing load (increasing the number of servers to proportionally increase capacity).

Load Balancing

  • Distribute HTTP requests across multiple front-end web servers using load balancers.
  • Front-end machine accepts initial connections then redirects them to back-end machines (using algorithms)
  • DNS (Domain Name System) load balancing - Handles distributing requests across geographically distributed systems.
  • DNS servers dynamically rotate among these targets.
  • Load-balancing switch (Layer 4-7 switch) directs incoming packets and connections to appropriate web servers.
  • Stateless servers simplify load balancing.

Nginx (“Engine X”)

  • Efficient web server handling thousands of HTTP connections.
  • Load balancing - Forward requests to front-end servers.
  • Fault tolerance - Handles failures of front-end servers.
  • Handles simple requests (static files).

Scale-out Architecture (assumptions)

  • Stateless servers: Different requests from the same user are handled by different servers.
  • What about session state? It is accessed on every request and requires specialized handling (e.g., memcache).
  • WebSockets connect browsers and servers, making load balancing challenging.

Scale-out Storage

  • Traditional web applications use relational databases.
  • Single database instances don't scale well.
  • Data sharding spreads data across multiple instances.
  • Data replication creates backups and handles failures.
  • Applications must partition data effectively.

Memcache

  • Main-memory caching system.
  • Caches results of recent database queries.
  • Faster access compared to databases (500 microseconds vs tens of milliseconds).
  • Widely used in applications like Facebook (over 200,000 memcache servers).

Cloud Computing

  • Cloud computing dynamically allocates and provisions servers.
  • The cloud provider manages infrastructure and capacity.
  • Pay-as-you-go model (pay for resources used).
  • Suitable for start-ups and scaling needs of organizations.
  • Virtualization (key concept for accessing servers remotely).

Cloud Computing Pros/Cons

  • Pros: Pay-per-use, flexible scaling, lower upfront costs, access to vast resources, many APIs (Application Programming Interfaces)
  • Cons: Internet dependency, security considerations, vendor lock-in, lack of control

Higher Level Interfaces

  • Managing virtual machines requires substantial skills.
  • Higher-level interfaces like container systems (Docker/Kubernetes) shield developers from complexities of OS management.
  • Manage storage using cloud databases (handling storage and data).
  • Serverless architectures delegate server management to the cloud provider.

Cloud Database Storage

  • Use cloud-based database services rather than running your own instances.
  • High availability, consistency and performance are essential features.
  • Use queries to define schema, access required data.
  • Pay for usage, based on data access.

Serverless Computing

  • Cloud provider dynamically manages server allocation.
  • Server management and capacity planning are hidden from the developer.
  • Developers focus on providing code - functions that run in response to events.

Serverless Architecture

  • Code execution is based on events/URLs (like web servers - HTTP).
  • Serverless-specific platforms (e.g., Amazon Lambda).
  • Manage scaling and reliability through the platform.

Content Delivery Networks (CDN)

  • Distribute web app assets efficiently across multiple servers.
  • Fast asset delivery from servers closer to end users.
  • Reduces load on the main web servers.
  • Works well with static content.

Cloud Computing & Web Apps

  • Pay-as-you-go model supports scalability.
  • Useful infrastructure services (auto-scaling, monitoring, fault handling).
  • Cloud APIs offer analytical, machine learning and other tools.

Discussion (When to Build In-house Data Center Instead of Cloud)

  • High consistent demand
  • Strict security requirements
  • Latency concerns / performance
  • Customization, specialized hardware needs
  • Long-term growth and resources needs
  • High data transfer costs / large data volumes
  • Compliance needs and disaster recovery
  • Financial viability and long-term commitment

Description

This quiz covers the fundamentals of HTTP and HTTPS, including their differences, security protocols such as SSL/TLS, and the threat models associated with web communications. Test your knowledge on how these protocols protect data integrity and confidentiality against various security threats.
