In this newsletter, we will talk about the following:

How does HTTPS work?
How to store passwords safely in the database and how to validate a password?
How to learn design patterns?

How does HTTPS work? Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTPS transmits encrypted data using Transport Layer Security (TLS). If the data is intercepted in transit, all the attacker gets is ciphertext that is unreadable without the keys.
How does HTTPS work? (Episode 6)
Thanks for writing this article. The content is easy to read and is very valuable. I have a comment on the password storage part. While the use of hashing is conceptually correct, there are different kinds of hashing algorithms and most people would assume the simplest one (e.g. SHA-256). The practical ones that are suitable for password hashing are discussed in https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification, which includes PBKDF2, scrypt and Argon2.
I really like the way HTTP vs HTTPS are described, in easy language. Please do post negative scenarios, or in which cases HTTPS is a must, or cases where HTTP outperforms HTTPS.
Hey Alex, Thank you for the information.
I have a question: if the session key generated on the client side is stolen by the hacker, wouldn't the hacker be able to decrypt the information just like what they could with the public key if there is no session key? Why is a session key safer than a public key?
The cipher may change over time. Do you recommend migrating the passwords or making the design backward compatible?
Note, you can also mention secure coding. How would you go about actually implementing the salt in the backend of a database?
Thanks for writing this article. Actually I have a very simple question for step 2 of the "validating password" process. How does the system fetch the corresponding salt of a password? There might be cases where multiple salts correspond to one single password, right (multiple users having the same password)? How does the system determine the right salt?
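The following is an added example (not code from the newsletter) of the store and validate steps that the two password-storage comments above discuss, using PBKDF2-HMAC-SHA256 as the slow hash and an in-memory dict as a stand-in for the users table; the iteration count and the sample usernames are assumed values. It shows that the salt is generated per user and stored next to the hash, so validation looks the salt up by username, never by password, which is why two users with the same password end up with different salts and different hashes.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed stand-in for the users table: username -> {"salt": ..., "hash": ...}.
# In a real system this is a database table with the salt stored per user row.
USERS: Dict[str, Dict[str, bytes]] = {}

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune for your hardware)
SALT_BYTES = 16       # 128-bit random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: PBKDF2-HMAC-SHA256, one of the algorithms the comment recommends."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(username: str, password: str) -> None:
    """Store step: fresh random salt for this user, then keep salt and hash together."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def validate_password(username: str, password: str) -> bool:
    """Validate step: fetch this user's salt by username, recompute, compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not reveal
        # which usernames exist (defensive detail, not from the newsletter).
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    store_password("alice", "hunter2")
    store_password("bob", "hunter2")  # same password, different salt and hash
    print(validate_password("alice", "hunter2"), validate_password("alice", "wrong"))
```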