Stop the MitM Attacks! Use Encryption!
So I’ve been having fun with Amazon’s Developer Services for user authentication. In order to get the darn thing working, Amazon requires your server to use HTTPS. This isn’t a bad thing but in order to have HTTPS, you need to get a valid certificate. Now it’s easy to create a certificate (see below) however, not as easy to get a trusted certificate. Trusted certificates are those that are authenticated by a Certificate Authority or CA. I wouldn’t really trust a self-authenticated certificate. Reminds me of online dating where everyone lies, you kind of want a third party, reliable source to tell you the truth.
Here is the process to create a certificate request or CSR:
The below uses Openssl (this is native on a lot of Linux distributions, IIS on Windows handles these things differently)
Generate a RSA encrypted private key
openssl genrsa –out gen.key 2048
Create a CSR for the key
openssl req –new –key gen.key –out key.csr
Answer all the questions, leave the password blank, it’s not needed.
To get it approved:
Remove RSA passphrase, if you don’t, the server you are running will require it upon each request
openssl rsa -in gen.key -out server.key
Generate a Year Long Certificate
openssl x509 -req -days 365 -in key.csr -signkey server.key -out key.crt
Take it to a company such as Verisign, Thawte and RapidSSL.
Wrap it Up
You now have a certificate that can be included in your server configuration. Check your documentation for the correct implementation. There are too many server variations out there for me to describe the process.
So why do we care about HTTPS?
Well it’s secure! HTTPS stands for Hypertext Transfer Protocol Secure and utilizes SSL/TLS protocol to lockdown communications. It is used to prevent man-in-the-middle attacks with the use of encryption (preventing some of the attacks in the ettercap post). If your data is encrypted, little hacker man can’t read it. This is why whenever you are entering in confidential information, look for “https://” in the URL, else your private data is being broadcasted in clear text (there was an ettercap attack mentioned in my last post that removed the security from a Facebook form, changing the login URL from HTTPS to HTTP… be warned).
Explanation of the SSL/TLS process:
- Client browses to a secure site (HTTPS)
- Hosting server sends its certificate and public key to requesting client
- The client’s browser checks the server’s certificate (Looks to see if it comes from a trusted CA, relates to the correct sire, and is currently valid) – This is why you should pay attention to browser warnings, it may be trying to prevent you from going to an untrusted site.
- The browser uses the public key to encrypt a random symmetric encryption key and sends it to the server
- The server decrypts the key using its private key, the following communication between hosts is encrypted with the symmetric key
- Once communications have concluded, the symmetric key is discarded
The Public Key is available to anyone and anything that wants it. Anyone can retrieve it from the server. That’s all fine and dandy. The Private Key, on the other hand, is kept a secret and only the owner knows it. These keys are mathematically related, whatever is encrypted with a Public Key can only be decrypted by its corresponding Private Key. So even though a hacker can get the Public Key, he/she cannot decrypted the SSL/TLS communications because they do not have the Private Key.
So here is an example of how it all works. Jack wants to send a secret message to Jill, he doesn’t want anyone else to read the message. So Jack,encrypts his message with Jill’s Public Key. Jill is cool with giving out her Public Key to anyone who wants it because it is after all public. Jill is the only person who can decrypt the Public Key because she is the only one with its corresponding Private Key. So now Jack’s message can only be read by Jill. Even if hacker Todd gets a hold of the encrypted data, he can’t read it because he doesn’t have the decryption or Private key.