Exploring HTTPS and Cryptography in Python (Summary)
In this course, you’ve learned some of the core underpinnings of secure communications on the Internet today. Now that you understand these building blocks, you’ll become a better and more secure developer.
Throughout this course, you’ve gained an understanding of several topics:
- Cryptography
- HTTPS and TLS
- Public Key Infrastructure
- Certificates
Here are resources for more information on the topics discussed in this course:
- Python Cryptography: Read the Docs
- OpenSSL: Cryptography and SSL/TLS Toolkit
- History of cryptography - Wikipedia
- TLS: Transport Layer Security - Wikipedia
- RSA: (Rivest–Shamir–Adleman) Cryptosystem - Wikipedia
- Modular Arithmetic - Wikipedia
- How does RSA work? - Hackernoon
- Socket Programming in Python - Real Python article
- Running Your Flask Application Over HTTPS - Miguel Grinberg
00:00 Thanks for sticking with me this far! This course has talked about HTTPS, I showed you how to build a simple Flask server, the basics behind cryptography, how to strengthen your server using Fernet ciphers, why asymmetric key exchange and public and private keys are important, how to write code in Python to be a Certificate Authority, using the certificates generated by your Certificate Authority to host a Flask server using HTTPS, and now, I’m going to talk about a couple of simpler ways of generating those certificates and provide you with some further reading.
00:36
This course has taught the long way around as to how to get certificates. I did that in the hope that you’d have a better understanding of how the pieces fit together. In real life, if you need one of these certificates, there’s usually ways around it. First off, if you’re developing in Flask it has an 'adhoc'
mode. Inside of your code, instead of setting the ssl_context
to be the public and private keys, you can set it to the keyword 'adhoc'
. Flask will start the server, it’ll listen on HTTPS correctly, and it will generate a certificate on the fly.
01:10
The problem with 'adhoc'
mode is there’s no CA signing cert. That means you’ll get a warning message, like this one from Firefox, telling you that the certificate is invalid.
01:21
If you’re just trying to test your code in HTTPS, you can accept the risk and continue. Similarly, curl
has --insecure
. Using this parameter, you can tell it to ignore whatever certificates come down and just assume they’re valid. Using the Flask 'adhoc'
mechanism and curl
’s --insecure
parameter, you can skip past all of the certificate generation steps that I showed you in the sixth and seventh lessons. Alternatively, there’s an open-source library called OpenSSL.
01:52 It provides tools for using SSL and TLS. It’s available here.
01:58
This rather long command line asks OpenSSL to generate a certificate. As you read through it, you’ll probably notice some phrases that are familiar. It’s asking for an X.509 certificate, it’s asking to use an RSA key to create it. -out cert.pem
and -keyout
key.pem
are the public and private certificate files.
02:20 This single command does what several hundred lines of code in the examples did.
02:26
The questions that openssl
will ask you when you run this command are the same as the answers you would need to fill in the make_x509_name()
name function in the utils
file.
02:37
The output is a public certificate—in the previous command, it was named cert.pem
—and a private key—in the previous command it was named key.pem
.
02:46
These are the equivalent of server-public-key
and server-private-key
PEM files in your code. Essentially what you did in the Python in this lesson is write a subset of what openssl
provides for you. For your reference, here’s some links to some of the tools I’ve talked about in this course.
03:04
lsof
is the list open files command. I used it to look at the open ports on my machine. There’s a good how-to guide as to how to use that. nmap
was the port scanner, which is available here.
03:17
netstat
is the Windows equivalent of lsof
. You can find out more information on it here. This is the Python cryptography
documentation, Flask’s documentation, the OpenSSL tool, and finally, Wireshark. If you want to drill down more, here’s some suggested reading.
03:37 You can get more information on the history of cryptography through the Wikipedia page.
03:42 Wikipedia is also a great place for learning about TLS and RSA. Not done yet! You can drill down on modular arithmetic inside of Wikipedia, as well.
03:53 And finally, this is an excellent article on how RSA works. I borrowed the numbers in my math explanation from his page. It saved me a lot of work.
04:02 If you’re interested in the TCP layer and how sockets work, you can get more information on socket programming in Python in this article. Finally, you can get more information on using Flask and HTTPS together by reading Miguel Grinberg’s blog post. Before signing off, I would just like to acknowledge elconomeno, oksmith, and Lad Fury.
04:23 They all contributed to the public domain with images, and thankfully to them, you didn’t have to see my crayon-based stick figure drawings.
04:32 Thanks for your attention. I hope you’ve enjoyed the course.
Christopher Trudeau RP Team on Sept. 14, 2020
Hello MrFord1291,
I think you’ve mixed up the command line parameters. You can either:
$ curl --insecure https://...
or
$ curl --cacert keyfile.pem https://...
The first case tells curl to ignore any certificate problems. This is the equivalent of pressing the “Accept Risk and Continue” button in your GUI browser when you hit a page with a bad cert.
The second case is giving the cert to curl. It looks like you’ve mixed the two of them together.
Hope that helps. …ct
sacsachin on Jan. 24, 2021
Great article.
aniketbarphe on Dec. 26, 2021
Thank You!
Become a Member to join the conversation.
mrford1291 on Sept. 14, 2020
Hi, first let me say thank you.
I ran
And then I tried to run curl and I got
Why is that? I have 2 separate windows open as well for powershell. Thank you and have a nice day.