{"id":545,"date":"2014-01-15T16:23:46","date_gmt":"2014-01-15T23:23:46","guid":{"rendered":"http:\/\/somethingk.com\/main\/?p=545"},"modified":"2014-01-19T18:23:07","modified_gmt":"2014-01-20T01:23:07","slug":"stop-the-mitm-attacks-use-encryption","status":"publish","type":"post","link":"https:\/\/somethingk.com\/main\/stop-the-mitm-attacks-use-encryption\/","title":{"rendered":"Stop the MitM Attacks! Use Encryption!"},"content":{"rendered":"

So I\u2019ve been having fun with Amazon\u2019s Developer Services<\/a> for user authentication. In order to get the darn thing working, Amazon requires your server to use HTTPS. This isn\u2019t a bad thing but in order to have HTTPS, you need to get a valid certificate. Now it\u2019s easy to create a certificate (see below) however, not as easy to get a trusted certificate. Trusted certificates are those that are authenticated by a Certificate Authority or CA. I wouldn\u2019t really trust a self-authenticated certificate. Reminds me of online dating where everyone lies, you kind of want a third party, reliable source to tell you the truth.<\/p>\n

\"lafawnduh\"<\/a><\/p>\n

Here is the process to create a certificate request or CSR:<\/b><\/p>\n

The below uses Openssl (this is native on a lot of Linux distributions, IIS on Windows handles these things differently<\/a>).<\/p>\n

Generate a RSA encrypted private key<\/p>\n

openssl genrsa \u2013out gen.key 2048<\/pre>\n
Create a CSR for the key<\/p>\n
openssl req \u2013new \u2013key gen.key \u2013out key.csr<\/pre>\n
Answer all the questions, leave the password blank, it\u2019s not needed.<\/p>\n
To get it approved:<\/b><\/p>\n
Self (Untrusted\u2026lame)<\/span><\/p>\n
Remove RSA passphrase, if you don\u2019t, the server you are running will require it upon each request<\/p>\n
openssl rsa -in gen.key -out server.key<\/pre>\n
Generate a Year Long Certificate<\/p>\n
openssl x509 -req -days 365 -in key.csr -signkey server.key -out key.crt<\/pre>\n
Trusted<\/span><\/p>\n
Take it to a company such as Verisign<\/a>, Thawte<\/a> and RapidSSL<\/a>.<\/p>\n
Wrap it Up<\/strong><\/p>\n
You now have a certificate that can be included in your server configuration. Check your documentation for the correct implementation. There are too many server variations out there for me to describe the process.<\/p>\n
\"\"<\/a><\/p>\n
So why do we care about HTTPS?<\/b><\/p>\n
Well it\u2019s secure! HTTPS stands for Hypertext Transfer Protocol Secure and utilizes SSL\/TLS protocol to lockdown communications. It is used to prevent man-in-the-middle attacks with the use of encryption (preventing some of the attacks in the ettercap post<\/a>). If your data is encrypted, little hacker man can\u2019t read it. This is why whenever you are entering in confidential information, look for \u201chttps:\/\/\u201d in the URL, else your private data is being broadcasted in clear text (there was an ettercap attack mentioned in my last post that removed the security from a Facebook form, changing the login URL from HTTPS to HTTP\u2026 be warned).<\/p>\n
\"\"<\/p>\n
Explanation of the\u00a0SSL\/TLS\u00a0process:<\/b><\/p>\n
    \n
  1. Client browses to a secure site (HTTPS)<\/li>\n
  2. Hosting server sends its certificate and\u00a0public<\/b>\u00a0key\u00a0to requesting client<\/li>\n
  3. The client\u2019s browser checks the server\u2019s certificate (Looks to see if it comes from a trusted CA, relates to the correct sire, and is currently valid)\u00a0\u2013 This is why you should pay attention to browser warnings, it may be trying to prevent you from going to an untrusted site.<\/li>\n
  4. The browser uses the public key to encrypt a random symmetric encryption key and sends\u00a0it\u00a0to the server<\/li>\n
  5. The server decrypts the key using its\u00a0private<\/b>\u00a0key,\u00a0the\u00a0following communication between hosts is encrypted with the symmetric key<\/li>\n
  6. Once communications have concluded, the symmetric key is discarded<\/li>\n<\/ol>\n
    The Public Key is\u00a0available to anyone and anything that wants it.\u00a0Anyone can retrieve it from the server. That\u2019s all fine and dandy.\u00a0The Private Key, on the other hand,\u00a0is kept a secret and only the owner knows it.\u00a0These keys are\u00a0mathematically related, whatever is encrypted with a Public Key can only be decrypted by its corresponding Private Key.\u00a0So even though a hacker can get the Public Key, he\/she cannot decrypted the SSL\/TLS communications because they do not have the Private Key.<\/p>\n
    So here is an example of how it all works.\u00a0Jack\u00a0wants to\u00a0send a secret message to\u00a0Jill,\u00a0he doesn\u2019t want anyone else to read the message. So Jack,encrypts\u00a0his message\u00a0with\u00a0Jill’s Public Key.\u00a0Jill is cool with giving out her Public Key to anyone who wants it because it is after all public.\u00a0Jill is the only person who can decrypt the Public Key because she is the only one with its corresponding Private Key. So now Jack\u2019s message can only be read by Jill.\u00a0Even if\u00a0hacker Todd gets a hold of the\u00a0encrypted data, he can\u2019t read it because he doesn\u2019t have the decryption or Private key.<\/p>\n
    \"\"<\/a><\/p>\n
    Crazy security\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"
    So I\u2019ve been having fun with Amazon\u2019s Developer Services for user authentication. In order to get the darn thing working, Amazon requires your server to use HTTPS. This isn\u2019t a bad thing but in order to have HTTPS, you need to get a valid certificate. Now it\u2019s easy to create a certificate (see below) however, not as easy to get […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43,36,93,24],"tags":[133,132,131,87,123,130,135,134,128,129],"class_list":["post-545","post","type-post","status-publish","format-standard","hentry","category-exploit","category-network-capture","category-networking","category-penetration-testing","tag-ca","tag-certificates","tag-csr","tag-encryption","tag-ettercap","tag-https","tag-private-key","tag-public-key","tag-ssl","tag-tls"],"_links":{"self":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/comments?post=545"}],"version-history":[{"count":5,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/545\/revisions"}],"predecessor-version":[{"id":551,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/posts\/545\/revisions\/551"}],"wp:attachment":[{"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/media?parent=545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/categories?post=545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/somethingk.com\/main\/wp-json\/wp\/v2\/tags?post=545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}