Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,920 --> 00:00:08,070 Pay is the application layer protocol of Web sites as you probably know. 2 00:00:08,250 --> 00:00:17,770 So this is why you see Haiti T.P. slash slash flame going to be RIDO Google dot com and that will take 3 00:00:18,000 --> 00:00:22,130 a page TTP version of the Web site. 4 00:00:22,740 --> 00:00:29,970 Now if you look here it literally sends a text that looks like this to and from the servers. 5 00:00:30,180 --> 00:00:33,010 And this is the hasty ETP protocol here. 6 00:00:33,100 --> 00:00:39,600 It's saying that it's a hasty protocol it's talking about day servers and then below it you have the 7 00:00:39,600 --> 00:00:48,080 hastier mail code which is what you'll see if you look at the source code of the pages. 8 00:00:48,130 --> 00:00:54,640 It looks like there's so the GDP is in plain text. 9 00:00:54,720 --> 00:01:06,210 Now if by close this and actually go to Google and change it to Haiti GP s I am now running Hayes's 10 00:01:06,240 --> 00:01:16,590 E.P. over TLR or SSL has UDP provides the security services of Tellez because it uses tailless so data 11 00:01:16,620 --> 00:01:24,600 encryption authentication usually at the server side message integrity an optional client or browser 12 00:01:24,600 --> 00:01:32,880 authentication when you access a web site with hated CBS Web server will start the task to invoke SSL 13 00:01:33,090 --> 00:01:39,630 and protect the communication the server sends a message back to the client indicating a secure session 14 00:01:39,900 --> 00:01:45,690 should be established and the client in response sends it security parameters. 15 00:01:45,780 --> 00:01:52,260 So that means it will say I'm prepared to use this digital signature unprepared to use this key exchange 16 00:01:52,380 --> 00:01:53,310 algorithm. 17 00:01:53,310 --> 00:01:59,460 I'm prepared to use this symmetric key and the server compares those security parameters to his own 18 00:01:59,760 --> 00:02:01,090 until it finds a match. 19 00:02:01,090 --> 00:02:08,190 And this is called the hand-shaking phase the server authenticate the client by sending it a digital 20 00:02:08,190 --> 00:02:11,440 certificate which we will be covering next. 21 00:02:11,490 --> 00:02:18,030 And if the client decides to trust the server the process continues the server can require the client 22 00:02:18,030 --> 00:02:21,920 to send over a digital certificate to for mutual thanto occasion. 23 00:02:22,200 --> 00:02:23,670 But that doesn't often happen. 24 00:02:23,710 --> 00:02:31,890 But if you're looking for a full secure end to end session with authentication of yourself and the other 25 00:02:31,890 --> 00:02:39,660 side you would use certificates either side with digital signatures those digital certificate finding 26 00:02:39,810 --> 00:02:45,140 the authentication and you'll understand that a little bit more when we go to digital certificates the 27 00:02:45,170 --> 00:02:51,960 client generates a symmetric sesshin key like by using a yes and encrypts it with a serve as public 28 00:02:51,960 --> 00:02:52,440 key. 29 00:02:52,440 --> 00:02:58,080 This encrypted key is sent to the web server and they both use the symmetric key to encrypt the data 30 00:02:58,080 --> 00:02:59,900 they send back and forth. 31 00:02:59,910 --> 00:03:06,560 This is how the secure channel is established tailless requires a tailless enabled server browser and 32 00:03:06,590 --> 00:03:09,180 all modern browsers support TLR. 33 00:03:09,330 --> 00:03:16,620 As we saw on the Wikipedia page and in all of the browsers you'll see hastier CPS which will indicate 34 00:03:16,620 --> 00:03:23,940 that T.L. S is being used and you often see a padlock as well and all the browsers have some sort of 35 00:03:23,940 --> 00:03:32,960 equivalent of this in order for you to know that I hated CPS or hate ETP with T.L. less is being used. 36 00:03:33,270 --> 00:03:39,920 If this is not shown then the connection is not encrypted or authenticated and it will be sent in plain 37 00:03:39,920 --> 00:03:41,030 text. 38 00:03:41,160 --> 00:03:50,220 So just as you see here and all of the contents of the Web site just as I can see them now if HDTV is 39 00:03:50,220 --> 00:03:52,780 not used we look at a padlock here. 40 00:03:55,300 --> 00:04:02,020 We can see the technical details for what the encryption algorithms are. 41 00:04:02,080 --> 00:04:08,590 So in this case it's using less using elliptical curve with DIFI Helmar. 42 00:04:08,800 --> 00:04:19,120 The auction of rsa the symmetric key is a yes with 128 bits with a GCM mode of operation and Shaugh 43 00:04:19,120 --> 00:04:21,670 to 5 6 for data integrity. 44 00:04:21,670 --> 00:04:24,750 This had been negotiated between the client and the server. 45 00:04:24,790 --> 00:04:31,510 And if we look in why I don't watch soccer as a protocol analyzer so you can see the traffic as it goes 46 00:04:31,600 --> 00:04:32,780 in and out. 47 00:04:33,030 --> 00:04:40,950 I can see here the conversation that happened where my client or my browser is said these are things 48 00:04:40,950 --> 00:04:45,520 that I support and the server has responded. 49 00:04:47,520 --> 00:04:51,080 And say well this is what I would actually like to use. 50 00:04:52,120 --> 00:04:58,140 And then they provided the certificate with the digital signature and the public key on it. 51 00:04:59,020 --> 00:05:07,780 And on the Web site you can go to is SSL labs and if you enter in the web site or you are now of a site 52 00:05:07,780 --> 00:05:15,900 that is ruining Haiti CPS you can see more encryption options are off by that site. 53 00:05:15,960 --> 00:05:23,640 So here we can see that bank of america signature algorithm is Shaar to 5:6 with our say for the digital 54 00:05:23,640 --> 00:05:24,520 signature. 55 00:05:24,570 --> 00:05:26,940 We can see the chain of trust here. 56 00:05:26,940 --> 00:05:33,540 Bank of America's certificate a chain of trust comes down here and then we have the root certificate 57 00:05:33,540 --> 00:05:34,170 here. 58 00:05:36,460 --> 00:05:37,940 And the protocols. 59 00:05:37,960 --> 00:05:45,490 The server is prepared to use current interest in site and it gives you a rating for how good it thinks 60 00:05:45,490 --> 00:05:46,480 the site is. 61 00:05:47,780 --> 00:05:51,600 A final point on Haiti and a privacy problem. 62 00:05:51,600 --> 00:05:59,700 Something called the server name indication as an I is an extension to teach a class by which a client 63 00:05:59,940 --> 00:06:06,450 indicates which hostname is attempting to connect to at the start of the handshake process and you can 64 00:06:06,450 --> 00:06:09,800 see that represented here within Wireshark. 65 00:06:09,810 --> 00:06:11,460 We can see the server name. 66 00:06:11,460 --> 00:06:14,130 Do we do we w Daut outlook dot com. 67 00:06:14,130 --> 00:06:21,930 This allows a server to present multiple certificates on the same IP address and TCAP port number and 68 00:06:21,930 --> 00:06:29,760 hence allow multiple secure hasty T-P s web sites or any other service over Tellez to be secured by 69 00:06:29,760 --> 00:06:36,810 the same IP address without requiring all those sites to use the same certificate the desired hostname 70 00:06:36,930 --> 00:06:39,210 as you can see here is not encrypted. 71 00:06:39,360 --> 00:06:46,410 So an eavesdropper can see which site is being requested as an I is used to implement censorship and 72 00:06:46,410 --> 00:06:53,940 block sites as Sanai means if you're using Hastey CPS eavesdroppers can see what site you are going 73 00:06:53,940 --> 00:06:54,390 to. 74 00:06:54,570 --> 00:06:58,960 But then after that the communication is scrambled or encrypted. 8090