
Exploring HTTPS and Cryptography in Python (Summary)

In this course, you’ve learned some of the core underpinnings of secure communications on the Internet today. Now that you understand these building blocks, you’ll become a better and more secure developer.

Throughout this course, you’ve gained an understanding of several topics:

  • Cryptography
  • HTTPS and TLS
  • Public Key Infrastructure
  • Certificates

Here are resources for more information on the topics discussed in this course:


00:00 Thanks for sticking with me this far! This course has talked about HTTPS, I showed you how to build a simple Flask server, the basics behind cryptography, how to strengthen your server using Fernet ciphers, why asymmetric key exchange and public and private keys are important, how to write code in Python to be a Certificate Authority, using the certificates generated by your Certificate Authority to host a Flask server using HTTPS, and now, I’m going to talk about a couple of simpler ways of generating those certificates and provide you with some further reading.

00:36 This course has taught the long way around as to how to get certificates. I did that in the hope that you’d have a better understanding of how the pieces fit together. In real life, if you need one of these certificates, there are usually ways around it. First off, if you’re developing in Flask, it has an 'adhoc' mode. Inside of your code, instead of setting the ssl_context to be the public and private keys, you can set it to the keyword 'adhoc'. Flask will start the server, it’ll listen on HTTPS correctly, and it will generate a certificate on the fly.

01:10 The problem with 'adhoc' mode is there’s no CA signing cert. That means you’ll get a warning message, like this one from Firefox, telling you that the certificate is invalid.

01:21 If you’re just trying to test your code in HTTPS, you can accept the risk and continue. Similarly, curl has --insecure. Using this parameter, you can tell it to ignore whatever certificates come down and just assume they’re valid. Using the Flask 'adhoc' mechanism and curl’s --insecure parameter, you can skip past all of the certificate generation steps that I showed you in the sixth and seventh lessons. Alternatively, there’s an open-source library called OpenSSL.

01:52 It provides tools for using SSL and TLS. It’s available here.

01:58 This rather long command line asks OpenSSL to generate a certificate. As you read through it, you’ll probably notice some phrases that are familiar. It’s asking for an X.509 certificate, it’s asking to use an RSA key to create it. -out cert.pem and -keyout key.pem are the public and private certificate files.

02:20 This single command does what several hundred lines of code in the examples did.

02:26 The questions that openssl will ask you when you run this command are the same as the answers you would need to fill in the make_x509_name() function in the utils file.

02:37 The output is a public certificate—in the previous command, it was named cert.pem—and a private key—in the previous command it was named key.pem.

02:46 These are the equivalent of the server-public-key and server-private-key PEM files in your code. Essentially, what you did in the Python in this lesson is write a subset of what openssl provides for you. For your reference, here are some links to some of the tools I’ve talked about in this course.

03:04 lsof is the list open files command. I used it to look at the open ports on my machine. There’s a good how-to guide as to how to use that. nmap was the port scanner, which is available here.

03:17 netstat is the Windows equivalent of lsof. You can find out more information on it here. This is the Python cryptography documentation, Flask’s documentation, the OpenSSL tool, and finally, Wireshark. If you want to drill down more, here’s some suggested reading.

03:37 You can get more information on the history of cryptography through the Wikipedia page.

03:42 Wikipedia is also a great place for learning about TLS and RSA. Not done yet! You can drill down on modular arithmetic inside of Wikipedia, as well.

03:53 And finally, this is an excellent article on how RSA works. I borrowed the numbers in my math explanation from his page. It saved me a lot of work.

04:02 If you’re interested in the TCP layer and how sockets work, you can get more information on socket programming in Python in this article. Finally, you can get more information on using Flask and HTTPS together by reading Miguel Grinberg’s blog post. Before signing off, I would just like to acknowledge elconomeno, oksmith, and Lad Fury.

04:23 They all contributed to the public domain with images, and thankfully to them, you didn’t have to see my crayon-based stick figure drawings.

04:32 Thanks for your attention. I hope you’ve enjoyed the course.

mrford1291 on Sept. 14, 2020

Hi, first let me say thank you.

I ran

Enter PEM pass phrase:
 * Running on https://127.0.0.1:5684/ (Press CTRL+C to quit)

And then I tried to run curl and I got

desktop\code\certauth> curl --insecure ca-public-key.pem https://localhost:5684/
Invoke-WebRequest : A positional parameter cannot be found that accepts argument 'ca-public-key.pem'.
At line:1 char:1
+ curl --insecure ca-public-key.pem https://localhost:5684/
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Why is that? I have 2 separate windows open as well for PowerShell. Thank you and have a nice day.

Christopher Trudeau RP Team on Sept. 14, 2020

Hello MrFord1291,

I think you’ve mixed up the command line parameters. You can either:

$ curl --insecure https://...

or

$ curl --cacert keyfile.pem https://...

The first case tells curl to ignore any certificate problems. This is the equivalent of pressing the “Accept Risk and Continue” button in your GUI browser when you hit a page with a bad cert.

The second case is giving the cert to curl. It looks like you’ve mixed the two of them together.

Hope that helps. …ct

sacsachin on Jan. 24, 2021

Great article.

aniketbarphe on Dec. 26, 2021

Thank You!