December 2020

by Veli Tasalı   ·   Dec. 24, 2020

uprotocol encryption education

I haven't been productive on this side of my life, that is, the computers and such. For the last three months, I have been dealing with the school and, even though I have had time to work on my other projects, I chose not to do so because I know, once I wrap my head around it, the school will not seem as important. However, I still worked on small projects.

I created a blog for the classes I attend to follow them more easily [1]. I was able to create a summary post for each one of them. As you might have guessed, to summarize a topic, you first need to understand it, requiring more time. They were also overlapping the next day as I wasn't able to complete them. After three weeks, I decided to stop. Now, I only visit the project when I need to review older topics.

Since the summer of 2019, I have been inside and, thanks to the virus, nothing was able to challenge that. I am attending classes remotely. We are heavily relying on Zoom, and now, it works well enough that I fail to see why we would return to the old style of education. Some complain that it is exhausting to always stay at home, and I understand them. Nevertheless, I should also say that I like this and am willing to close this season as is, that is, away and cold rather than close and cold, which, you know, is always the case with universities. Previously, I would think that universities can enable those who think alike to work together. Now, I don't see why I would waste any more time to slow down my education with unnecessary quirks. The more I feel this, the more I can complete the tasks given. Let us be honest here. Universities are cold, and the relationships built in them are of necessity rather than a kind reaction. Honestly, I think trying to see it otherwise seems incompatible with reality.

Now that I complained about universities, it is time to talk about my other ongoing efforts.

Recently, I have been working on encryption methods, and I am finally starting to understand how we can put a secure communication method in place. There are two methods. The first is where you know who you will be talking to, and the second is where you will never know who you are talking to, but rather only clients will know who you are and will be able to confirm that with the info you provide.

With the first method, you can have the certificate the server will provide. Using this certificate, you can establish a secure connection. For instance, you and the rest talking to the server will have the public key, and the server will have the private one. When the server sends you data, you can decrypt it with the public key, but you cannot decrypt data once you have encrypted it, because only the private key can do that.

In the second method, the server will send you a certificate every time a new connection is established. However, there is a trick to it. A certificate authority (CA) that is itself signed by a root CA will sign the certificate to ensure that it is not some random guy saying, "Dude, just trust me!". That is the commonly used method and obviously the most secure one. Root CA certificates are valid for long periods and are issued rarely because these are the ones authorizing Let's Encrypt, for instance.

One can also have a self-signed certificate, with no parent authorization, or one issued by an organization outside of the global trust chain. However, we consider it a bad practice because it assumes that clients will know what they are doing. For instance, when you visit a website with an invalid certificate, your browser will most certainly warn you about it because the certificate may no longer be valid or may have an untrusted CA. In that case, the browser will want to stop you but will not prevent you from proceeding since it will also assume that it may be a self-signed certificate. Browsers put you through this because they think that you are experiencing a man-in-the-middle attack. In this type of attack, hackers trick you into thinking you have reached the intended IP address when, in reality, you have not. CAs and certificates come into use in these types of scenarios. You can always verify that you are talking to who you expect.

Still, one should not confuse encryption with authentication. You may want to have encryption but not authentication. In that case, self-signed certificates will help you achieve some degree of security. That is why you will occasionally see some routers with SSL-supported web interfaces. They know that they can't issue individual certificates to every router, but they still want to protect you.

From what I have read so far, these are the basics. I am still trying to find ways to implement encryption in uprotocol. I will hopefully achieve that.


  1. The blog I created for the classes I attend, https://notes.velitasali.com