How HTTPS Works in 10 Minutes

How HTTPS Works in 10 Minutes” is a simple, high-level overview of how HTTPS works. It doesn’t dive into too much detail or heavy math. But it does cover the main stages of how the connection is established, verified, and encrypted. These are the stages that are covered:

  1. You go to an HTTPS website via your browser
  2. The Client says “Hello”
  3. The Server says “Hello”
  4. The Client makes sure the SSL certificate is legitimate
  5. The Client gets the public key from the SSL certificate
  6. The Client uses the public key to make more random bytes
  7. The Client and Server make session keys
  8. The Client and Server compare session keys
  9. If the session keys match, game on

Packets-per-second limits in EC2

Packets-per-second limits in EC2” is an interesting dive into network limits on the Amazon EC2. Even if you aren’t hitting any limits yet, this article provides plenty of useful information, including benchmarking tools and quick reference links for Enhanced Networking.

The conclusion of the article is:

By running these experiments, we determined that each EC2 instance type has a packet-per-second budget. Surprisingly, this budget goes toward the total of incoming and outgoing packets. Even more surprisingly, the same budget gets split between multiple network interfaces, with some additional performance penalty. This last result informs against using multiple network interfaces when tuning the system for higher networking performance.
The maximum budget for m5.metal and m5.24xlarge is 2.2M packets per second. Given that each HTTP transaction takes at least four packets, we can translate this to a maximum of 550k requests per second on the largest m5 instance with Enhanced Networking enabled.

htrace.sh – HTTP/HTTPS troubleshooting and profiling tool

htrace.sh is a handy command-line tool for HTTP/HTTPS troubleshooting and profiling. It also integrates with a number of other security tools, like nmap, SSL Labs, subfinder, etc.

Advanced web security topics

Advanced web security topics” blog post goes over a variety of ways that a web application can get p0wned.  Some of these include:

  • Cross-site scripting (XSS)
  • Mime-type attacks
  • A variety of injections – SQL, JavaScript, HTTP
  • URL indexing
  • Click-jacking
  • … and more.