Since its introduction in 1991, the World Wide Web has evolved so rapidly that it is now one of the technologies used by many people around the world and is available on a wide range of platforms. Web services are not only used to share information but have penetrated more personal matters such as social media, e-commerce, and so on. However, web services were not originally designed to address all the needs of today's users. One important problem that was not considered when they were first built is the security of the data sent or received through web services. With the increasing use of web services in all fields, security is an important factor that information owners and service providers need to consider. One form this takes is the use of the HTTPS protocol to secure data passing over public communication lines (the Internet). Higher education institutions hold a great deal of information that must be kept confidential and is not for public consumption, such as login information and student, lecturer, and employee data. These data are widely used in services for the campus community through a variety of web-based systems. The HTTPS protocol can be used to minimize data leakage in applications running on a web platform. With the increasing number of security threats in cyberspace, it is not enough simply to use the HTTPS protocol; it must also be configured correctly, in accordance with the established recommendations. Error
to get the private key from the server machine in question, or to read all data sent or received between the server and the user without any security at all (Man-in-the-Middle Attack). In the last few years, various consortia have agreed to start treating the HTTPS protocol as an absolute requirement for a site to be considered good and safe by browser vendors. This also needs to be observed by the managers of college websites so that the institution's web pages can continue to be displayed and used by their users in the future.
HTTP (Hypertext Transfer Protocol) is a stateless protocol for distributed, collaborative, hypertext-based information systems; it was introduced in the early 1990s. The protocol uses the request-response model and is applied to the client-server architecture, where the browser, as the client, sends an HTTP Request via port 80 (the default) and the server returns an HTTP Response. The main problem with the HTTP protocol is that HTTP Requests and HTTP Responses are sent without any security at all, so that someone with access to the network is able to intercept the information sent and can even tamper with the data without either party knowing. The attacker only needs access to one of the network segments the traffic traverses and an application capable of capturing it, such as Wireshark or Kismet. Every time a request is made over the HTTP protocol, the attacker will be able to see all the data sent, including the username and password that should remain confidential for each user.
SSL is a protocol developed by Netscape that aims to provide data security for various services, such as web services, e-mail, instant messaging, and so on. This protocol allows clients and servers to communicate through a channel designed to be free from eavesdropping, tampering, and message forgery attacks. SSL uses a symmetric encryption algorithm to secure data, while the key used for encryption / decryption is generated during the initial negotiation (handshake).
TLS (Transport Layer Security) is a protocol that aims to provide privacy and data integrity between two communicating applications. This protocol consists of two layers, namely the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides security covering two things: confidentiality, through symmetric encryption (AES), and reliable connections, through guaranteed data integrity using hash functions (SHA-256). The TLS Record Protocol is tasked with producing the blocks of data to be transmitted. The original data to be sent is broken down into fragments; each fragment is compressed and the result of the MAC (Message Authentication Code) calculation is appended to it so that tampering with the data can be detected. The compressed fragment is then encrypted using the agreed key, and finally the SSL Record Header is added to indicate that this is a packet that must be processed using SSL / TLS.
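The following is an added illustration, not code from the paper, of the record-layer processing just described: the data is split into fragments of at most 2^14 bytes, a MAC is computed over each fragment, the fragment and MAC are encrypted, and a record header is prepended; the receiving side reverses the steps and rejects any record whose MAC does not verify. The MAC input follows the TLS 1.2 layout (sequence number, content type, version, length, fragment) with HMAC-SHA256. The encryption step uses a constructed HMAC-based counter-mode keystream as a stand-in for AES, because the Python standard library ships no AES implementation; the compression step is omitted, since (as the discussion of CRIME later on the page explains) TLS-level compression is disabled in practice.

```python
"""Simplified model of the TLS Record Protocol (added example, not the paper's code).

Real TLS 1.2 uses AES for the encryption step; the keystream below is a
constructed stand-in so the example runs with the standard library only.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14           # TLS limits a record's plaintext to 16 KiB
CONTENT_APPLICATION_DATA = 23    # TLS ContentType value for application data
VERSION_TLS12 = b"\x03\x03"      # TLS 1.2 as encoded on the wire
MAC_LEN = 32                     # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream from HMAC-SHA256 (stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _record_mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    """TLS 1.2 MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = (struct.pack(">Q", seq) + bytes([CONTENT_APPLICATION_DATA])
              + VERSION_TLS12 + struct.pack(">H", len(fragment)))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def seal(mac_key: bytes, enc_key: bytes, data: bytes) -> list:
    """Fragment the data and build one protected record per fragment."""
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[start:start + MAX_FRAGMENT]
        # MAC-then-encrypt: the MAC is appended to the fragment, then both are encrypted
        body = fragment + _record_mac(mac_key, seq, fragment)
        ciphertext = _xor(body, _keystream(enc_key, struct.pack(">Q", seq), len(body)))
        # Record header: content type, protocol version, ciphertext length
        header = bytes([CONTENT_APPLICATION_DATA]) + VERSION_TLS12 + struct.pack(">H", len(ciphertext))
        records.append(header + ciphertext)
    return records


def open_records(mac_key: bytes, enc_key: bytes, records: list) -> bytes:
    """Decrypt and verify records in order; raise ValueError if any was tampered with."""
    plaintext = b""
    for seq, record in enumerate(records):
        ctype, version = record[0], record[1:3]
        (length,) = struct.unpack(">H", record[3:5])
        if ctype != CONTENT_APPLICATION_DATA or version != VERSION_TLS12 or length != len(record) - 5:
            raise ValueError("malformed record header")
        body = _xor(record[5:], _keystream(enc_key, struct.pack(">Q", seq), length))
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        # The sequence number in the MAC input also catches reordered or replayed records
        if not hmac.compare_digest(tag, _record_mac(mac_key, seq, fragment)):
            raise ValueError(f"MAC check failed on record {seq}: data was tampered with")
        plaintext += fragment
    return plaintext


if __name__ == "__main__":
    mk, ek = b"m" * 32, b"e" * 32                  # constructed session keys
    recs = seal(mk, ek, b"A" * 20000)              # 20000 bytes -> two records
    print(len(recs), "records;", "round trip ok" if open_records(mk, ek, recs) == b"A" * 20000 else "mismatch")
```

Flipping a single ciphertext byte in any record, or swapping two records, makes `open_records` raise, which is the integrity guarantee the paragraph attributes to the MAC.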
HTTPS is the HTTP protocol applied over the SSL / TLS protocol, so that all the security facilities provided by SSL / TLS are also enjoyed by HTTPS users. By default, the HTTPS protocol uses the SSL and TLS protocols. Although SSL and TLS have existed for a long time, adoption was initially very low until several incidents made many people realize that the data they had considered safe could be read by others very easily. However, to this day there are still many real attacks aimed at implementations of SSL / TLS or at the SSL / TLS protocol itself.
Firesheep is an extension for the Firefox and Chrome browsers created by Eric Butler in 2010 that demonstrates HTTP session hijacking on various social media sites that still did not use the HTTPS protocol.
An attacker simply connects to the same WiFi service as the victim, and when the victim accesses a site without the HTTPS protocol, Firesheep can read the session and hijack the victim's account. Users do not realize that their account is being accessed by others, and the attacker does not need to know the victim's password, because the authentication information is held in the stolen session.
HTTPS Stripping was first carried out by Moxie Marlinspike in 2009 and was presented at the 2009 Black Hat DC conference. The attack attempts to redirect links that point to the HTTPS protocol to the HTTP protocol.
BEAST (Browser Exploit Against SSL / TLS) is an attack that uses the chosen-plaintext attack method to exploit a weakness in CBC (Cipher Block Chaining) mode, where an attacker who is able to guess the IV (initialization vector) from the previous data block can use it to obtain the ciphertext data he wants. This attack was announced at the Ekoparty Security Conference in 2011 by Thai Duong and Juliano Rizzo. In experiments conducted on the PayPal site, BEAST took about 2 seconds to decrypt each byte of the encrypted cookie. The solution to this problem is to use the latest version of TLS.
CRIME (Compression Ratio Info-Leak Made Easy) is a side-channel attack against cookies on connections that use protocol-level compression. Using this attack, an attacker can recover some or all of the cookie data and use it for session hijacking. The solution to this problem is to disable compression at the SSL / TLS protocol level.
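As an added example (not from the paper), the block below shows how the mitigations named in the attack discussion above are applied on the server side with Python's standard `ssl` module: a minimum protocol version of TLS 1.2 (the "latest version of TLS" remedy for BEAST) and `OP_NO_COMPRESSION` (the "disable compression" remedy for CRIME). It also audits a set of constructed HTTP response headers for the two defenses relevant to the Firesheep and HTTPS Stripping scenarios: the `Secure` attribute on session cookies, so the session is never sent over plain HTTP, and the `Strict-Transport-Security` header, so the browser refuses to follow a downgraded `http://` link. The header names and the HSTS mitigation are standard web practice that the paper itself does not discuss; the sample headers are constructed for illustration.

```python
"""Server-side TLS settings and response-header audit (added example, not the paper's code)."""
import ssl
from typing import List, Tuple


def harden_server_context() -> ssl.SSLContext:
    """Build a server context with the settings recommended against BEAST and CRIME.

    A real deployment would additionally call ctx.load_cert_chain(certfile, keyfile).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION             # no TLS-level compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # the server, not the client, picks the cipher
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings for a context; an empty list means both checks passed."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (BEAST-era protocol versions accepted)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    return findings


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Check response headers for Secure/HttpOnly cookies and an HSTS header."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks Secure: it is also sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks HttpOnly: readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: downgraded http:// links are followed")
    return findings


# Constructed sample responses: a weak one and a corrected one.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=constructed-session-value; Path=/"),
]
GOOD_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=constructed-session-value; Path=/; Secure; HttpOnly"),
]


if __name__ == "__main__":
    print("context findings:", audit_context(harden_server_context()))
    print("weak response:", audit_headers(WEAK_HEADERS))
    print("good response:", audit_headers(GOOD_HEADERS))
```

The header audit is deliberately independent of the TLS layer: a correctly configured TLS listener still exposes a session to a Firesheep-style observer if the application sets its cookie without `Secure` and the same host also answers on port 80.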