Networks and communications
The course is part of this learning path
In this course you’ll take a deep dive into networks and communications controls, looking at Firewalls, DMZ and VPN among others.
Welcome to the session on SSL Labs and Security Headers. We're gonna look at headers in very simplistic terms, and look at particularly-, look at-, specifically looking at security and the security in what we refer to as transport mode security, which is basically you connecting to certain sites. And there are certain things we need to be aware of in terms of security. Let me-, so, let me turn to the machine and we'll look at SSL Labs. Now, SSL Labs is created by a company called Qualys, and Qualys, a lot of companies use Qualys for testing their browsers, testing their servers, for other types of security testing. So, on this little demonstration here, I'm gonna-, actually gonna test my browser. So, that's what, I'm gonna go and do, test my browser, and this is the Qualys SSL Labs SSL/TLS capabilities of your browser. Now, what, what does that mean, Mark? Well, SSL is 'Secure Socket Layer', and TLS is 'transport 'Transport Layer Security'. Now, these are encryption algorithms. SSL we don't use, is deprecated, and SSL renamed itself, but went and called itself 'Transport Layer Security'. But SSL is 'Secure Socket Layer', TLS is 'Transport Layer Security'. You can see here it's brought up my user agent header, which is basically a bit about my device telling me I'm using a Windows 10 device, and then it tells me that I should be using a good protocol and I should be using TLS 1.2 or 1.3. That is correct. TLS 1 and 1.1 have been compromised, so we can't use them for our encryption, so we should be using TLS 1.2 or 1.3.
And you can see it actually mentions about some vulnerability testing platforms, which I'm not gonna go into, but we can then see that the different protocol features of this tool, SSL, Secure Socket Layer, these are the deprecated ones we don't use any more. TLS 1 and 1.1, also we don't use, and you can see it says, 'No, not using those ones.' And then we've got the TLS 1.2 and 1.3. These are the encryption mechanisms that we should be using for connecting to sites, and then, as we go down, we've got something called cypher suites, and this is to do with encryption. A cypher suite is basically how your data’s encrypted. AES is 'Advanced Encryption Standard', which is a standard you will need to remember for the exam, AES, but transport layer security is telling you the level of security that you're applying to when you go to different websites. And obviously I'm gonna expand on this later on as the course develops, but this is talking about security, and how you protect your data by going onto it. If I go further down the website, you'll see something called 'mixed content handling'. This is where, if you go to a website, mixed content is basically you that maybe you're on a secure website, 'cause you've got that lock symbol in the top left-hand corner, which will change eventually. The plan is to get rid of that lock symbol. But sometimes, you might go to a website, and you might get a warning come up saying 'mixed content warning', which is basically indicating to you that the website is actually pulling information from a third-party source which is not secure, which basically means your session will be insecure.
So, that's something to-, obviously, to be mindful of in relation to that. So, that was talking about SSL Labs. Let's look at another one called Security Header. So, this website here obviously scans different websites to see how secure they are, and give you a sort of, a rating. It's a very simplistic rating. I've just typed in 'qa.com' already into this site, and I'm gonna do a scan on QA, and it gives it an A rating. And obviously, it gives you some positives in terms of the security header, the referrer policy, how the content security policy's put together. Gives us a warning, something to do with permissions policy, and as we go down there, it tells us what the raw header data is about that site, gives you the date and time when it's done. Permissions header, it's given you some potential-, some issues or some missing header information. It might not be critical, but it gives you some sort of information about the header of the site to give you some knowledge about how secure the websites are that you're going onto, and then it gives you some additional information where it actually tells you about the website themselves. How the browsers are configured, how secure the browsers are, and then it gives you some more additional information about that. Now, to do a comparison against it, that was QA, I'm gonna put in Google and just see what Google's rating is. Google.com I'm gonna go to, 'cause Google has lots of different domain names. Google.com has got a rating of D. That doesn't necessarily mean the website is really bad, it could be just how it's been configured, some weaknesses maybe in the security.
I'm not saying that it's hackable, but it has a few concerns, maybe, with some of the header information, and you can see there it's looking at the raw header information of Google.com. It's telling you about the-, how it expires, and obviously we'll go into a lot more detail when we go into encryption, and then it tells you potentially some missing header information, which has brought some of the security issues down in relation to it. But obviously, we can go into that and deal with it in a bit more detail, but I'm trying to keep this more high-level, just to show a comparison of looking at security headers in different companies. Hopefully, that's been helpful.
A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.