Secure Web Browsing - Computerphile

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
when you're building this web page and you go the content and banner across the top and a banner across the bottom ads down the side content is being fetched from different servers to fill in all the chunks of that page you might be asked for example and if your isp can replace one of these with the ISPs and server then they've essentially kicked out this ad network from the process so that ad network thinks that they're serving up and out the I the isp is replacing that with their own out which means the and that was kind of paying for something which they're not getting it also means that the isp is getting the benefit of this very popular page for exactly this might be the CNN from page for example and this ISP ad is now being inserted there in place and so everybody is going to see CNN web page they're getting the app that the ISPs insert it going so surely that Pope few people's noses out of joint it yes whoohoo yes it will and it with it's something that's yeah I i guess it's not really considered good practice but something that does happen the problem the lot of the original protocols used for the web is that they're completely insecure so then either confidential so all the data that you're transferring can be seen observed by anybody who happens to be in the able to sit in the network and see that they're completely unauthenticated even if you encrypt all the data so that nobody can sell tell what it is that as it's being transmitted and received and you might not have any idea that you're sending it to the right person receiving it from the right person so that does no authentication either and as a result of this it's possible to do a whole variety of attacks on traditional web protocols where you can intercept communications for example and maybe insert bad data into that that sequence of exchanges or you could the redirect somebody to a different website and they thought they were getting too because there's no the essential to the person who's making the communication the person who's running the web browser has no way to check that they're actually getting it from the real side that they thought and TLS kind of fixes a lot of that by providing means both to encrypt the data in the communication but also provide the means to authenticate the sender and receiver so that you can tell that you're actually getting it the website you thought you were getting it from I remember doing a video where we looked at how a website isn't just what you get from one page is made up of all sorts of things so does not further complicating that complicates things in the sense that when you get the original page the original page will so the first place to go to the URL you go to will have some kind of base page and then you'll fetch the data from that web server and your web browser will start rendering our data and putting it up on the screen for you and it will then be filling in holes in our data which have references to other objects on the web so they might be simple images they might be complex subpages there might be adverts from an advertising so I don't we all saw all sorts of things that are necessary to fill in the gaps in that base page and because of that sort of complexity of that structure you end up relying on a lot of other servers all doing the right thing and all behaving appropriately and those servers or networks which are not the network to which were initially connected you might be fetching data from all over the planet in order to build that the page that's going to be rendered and because of that just because of that complexity and diversity that becomes a lot of weaklings a lot of potential the weak links in that if you use TLS to encrypt all those connections you've got a better chance and authenticate all those connections you got a better chance that data you're getting is the data you intended to get another data that somebody who was in the middle of those networks inserted you've got the symbol for web browser let's go old school yeah this is your web browser and you got the first server that you go to have no imagination today sever.com so you're going to make a connection to that server to send a request and you're going to get some page that comes back and then you might have more requests to go to that server you might have requests to go to other servers out there as a result that's the set of connections is one and then you might have a bunch of other requests that all get sent out to a bunch of different networks possibly multiple to the same then you have a bunch of things come back and images come back and has come back and this is what happens is the page is slowly slowly they built if you look at a web page where I know this hasn't been fully thought through or maybe you're accessing from a network that's a bit slower than normal you might see this happening so as the page renders things move around a bit because it's a bit of being filled in as the responses come back for the different servers causing everything else to jump event of it the problem is that any of these connections and these are all using HTTP then there's no way for the browser to verify the data that's coming back here is actually coming from this server they could be coming from somebody else instead and there's nothing inherently that stops that being the case there's a bit of work that needs to be done for this attack to happen if this guy just starts any bad data to the browser the browser is not expecting in the browser will just bin it and nothing happened about the operating system just bin it but if this guy happens to be able to observe this initial request going out it might be able to observe enough of the information out in order to be able to insert data before the response comes back from the real server for example which could significantly confuse things so this is the sort of attack that will happen if you've got an isp doing this kind of thing for example so your network provider chooses to try and insert data onto the web pages you're visiting then instead of you getting the data that comes back the server what happens is this is all going through the ISPs network is simplistic to say we just ask a server for stuff because there are all sorts of computers in the way on them yeah so leave these packets that are flowing to make the request and the packets of the flowing to come back the response each of those packets can be manipulated and interfered with in some way and so what can happen is that the the package come through here and then the isp redirect those packets to the isp server and then you see these responses coming back for you nice piece over and there was no way for the originator of the request to tell that was what they expected to happen at least in the default case and set the HTTP if you have a tts which means that you're using the protocol called TLS then what happens is that there's an initial connection setup that happens and so the isp tries to redirect these connections down there then there will be an exchange that takes place before the request is sent which means that this computer here will attempt to authenticate that computer there and it will say no no that's not the right one that's not what I expect to https is basically HTT P being carried on top of layered over TLS which is then led over tcp normally speaking HTTP is layered on top of TCP/IP all the way down then what happens is with HTTPS is if I'm going to example.com I expect to get the right and back for yet so if that was what roughly speaking you have an exchange of certificates so the connection is made and then past the initial negotiation that happens is that this server presents information to the client saying this is all the information that i could only have if I had access to this certificate so go and check it against a certificate and the client will say okay so I need to go to find it's certificate to check it against there's actually a hierarchy that will sort of bubble back up to the top so you're you're so that might be down here and your client trying to access that and they may have to check against multiple points to keep checking that has been signed with the right certificate to get back up to the top and at the top that certificate will be something is actually embedded inside the browser and so the client can then check against that which is already has and it's already it doesn't have to rely on anything network to get that it's got that built in and if that checks out then it knows that this sequence of signatures has been validated at every step and so it can trust this server to be the server that he claims to be the fundamental thing behind all that is the idea that this server can only respond currently provide that information if it has access to this secret and that secret has been signed by another secret and so you go back up the chain of the secret signing of the secret signing on the secrets to get to what you already knew at that point you there then you can be certain of that chain is not infinitely it's a trust thing isn't it based upon somebody you know you trust - they trust who they trust it is yeah and and ultimately get back to what thats built into the browser itself one of the things that happens then it becomes a big deal when another entity is allowed to put another certificate inside the browser so you have a bunch of these that are embedded in the browser for these root certificates and if you got one of those root certificates it means you can sign other people certificates and they can sign other people certificates and so you can end up if you let you know did you sign the wrong certificates for somebody they can go and create stuff which they will say okay - when they should I think we touched on this briefly when we did a superfish video tom scott but what's happening now with this ISP then also what's happening for example is you can have this other service called let's encrypt it started when you can get your own certificates relatively lightweight fashion from this which is a good thing in many ways because it means it's easier for you to do this on the other hand one of the things they have to do in order to make that service really viable was get their root certificate embedded in all these browsers and so that means that these certificates no longer pop up and throw an exception so we don't know where this one comes from it's about it you have a you have a problem a similar problem in it without involving let's encrypt where you just have people doing what i call self-signed certificates so the certificate that gets checked essentially doesn't have this hierarchy it's just a significant onto itself and so the browser look at that it goes well this is signed by itself essentially so it was signed by the same entity that issued the certificate which means that on the one hand this is going to be an encrypted connection so it's all gonna be fine and it checks out as far as i know on the other hand I haven't been able to ask anybody else to verify this for me so it's still just you claim to be whoever you claim to be and I've got another way of checking that out which is why lot of browsers increasingly browsers will start to chant at you and say this is a self-signed certificate do you really want to trust this watch your back yeah because there's no there's no external validation that actually the identity is done that really is the entity who says that they say they're so you can have this sort of thing happening you can actually have this kind of attack wait not quite yet attack where the browser is trying to get to the server the ISP servers used to intercept that can happen with TLS as well because you can essentially have the connection gets routed down to the isp server and then the isp server will manufacturers certificate with which to claim ownership of the address of the name that the client is trying to access and if it presents that back and the client believes for example in self-signed certificates all the isp controls enough of the chain of trust that they can produce a certificate for the ice that the client browser will trust then at that point this server to all intents and purposes even on HTTPS connection appears to be the right server so one piece of advice for your humble user out there who's got all this happening behind the scenes what would it be a humble user out there shields up on your browser right listen to the warnings so if you've got different things near padlocks are not being closed and they should be or the deposit in red we got a warning pop up saying this is a self certificate, are you really sure? don't just click yes and accept everything all right it's trying to the system is trying to tell you something unfortunately a lot of the time it's telling you something which is irrelevant or is telling you something you can do nothing about so it's either visit the site with don't visit the site but it is actually trying to tell you something and you should pay attention to it you might just get in the habit of looking yeah yeah whatever you shouldn't really do that if you really care then you pay attention to that and you we don't go through when it systems warning that something you don't go through that the problem is that a lot of the time as warnings or rather irrelevant or you can do nothing about it other than stop whatever you're doing which is often not acceptable to people is it is a way you could circumvent any of those problems are in private browsing if you that private browsing stop it attempts to stop information leaking between browsing sessions but fundamentally private browsing or not you're going to the website and it's the wrong website and it's got malware on it then your browser is still going to get owned. alright, or you know if you type in your bank details and you type them into the wrong website then you still type them into the wrong website private browsing doesn't help with that along with his state and the operations around it and this can represent the other paddle so we got two objects world on your everyday physical experience let's get the google glass in there there it is i think i'd be tempted to position it a bit further along the line here
Info
Channel: Computerphile
Views: 193,008
Rating: undefined out of 5
Keywords: computers, computerphile, computer, science, http, https, secure web browsing, encryption, web, websites, world wide web, TLS
Id: E_wX40fQwEA
Channel Id: undefined
Length: 12min 19sec (739 seconds)
Published: Tue Mar 22 2016
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.