9.92 Using HTTPS for building secure web applications v 1.0




2006-12-19, LiTH
Jonas Krogell

Abstract

Today most websites on the Internet use plain HTTP to deliver their data to visitors/users. HTTP is an insecure protocol: it is possible to inject data into it, eavesdrop on it and mount man-in-the-middle attacks against it. HTTPS was developed to solve this problem. HTTPS adds an encryption and authentication layer to normal HTTP. This document describes how to use HTTPS and how to do a simple setup using Apache and OpenSSL.

1 Field of application

When building a web application, security is often a critical point. There are many examples of software companies building a massive web application and putting a lot of effort into making it secure, but in the end it still runs over plain HTTP, which is vulnerable to several attacks that are easy for an attacker to carry out and use to compromise the whole system. The most vulnerable point in plain HTTP is a system where user accounts and passwords are used. These passwords need to be transferred from the client's web browser to the web server in a secure way, so that intruders cannot eavesdrop and steal the accounts. Using HTTPS may prevent eavesdropping if it is used correctly.

Another common problem with web applications is whether we can trust the web application to be the one it claims to be. When visiting a normal web site over HTTP there is no check that the site you see is really the one you requested. HTTPS solves this problem by introducing certificates. A certificate works as proof of identity for the server and is used to exchange information about the encryption.

If the system in mind does not need any form of protection, for example a read-only system where there are no personal user accounts, the users cannot really do anything that could harm the system, and the data presented to the users does not need to be verified for correctness, then HTTPS does not fulfil any need and is just a waste of computer resources and time. In reality, however, there is always some kind of need for integrity and confidentiality.

2 Prerequisites

To be able to set up a web site using HTTPS we of course need a server that supports it. The realization part of this document explains how to install an Apache server with HTTPS support; Apache is one of the most commonly used web servers on the Internet today. One very important step when using HTTPS is to handle the certificates correctly and get them signed. How this is done is explained in chapter 3.1.

3 Realization

Setting up an HTTPS server is a two-step process. First you need to get a valid certificate, then you install it on the server. This realization describes how this is done with OpenSSL and Apache version 2.

3.1 Certificate and key management

The first thing that needs to be done is to generate a certificate request (req) and a key file:

    openssl req -new -nodes -keyout domain.com.key -out domain.com.csr

The key file is to be kept private and should be left as it is. Now we need to sign the certificate; here we basically have two choices. One is to self-sign it and the other is to get it signed by a trusted third party.

Self-signing is free, but then every possible client of the server needs to verify that the certificate is correct, otherwise all security is lost. The other choice, getting it signed by an already trusted party, is recommended in most cases. There are many big companies ready to sign your certificate, but this is not a free service and prices vary; it can probably be done from $100 and up. One of the biggest and most well-known companies is VeriSign. When choosing a certificate signing service, the most important thing to check is whether the root certificate the company signs with is pre-installed in the majority of modern browsers; otherwise the signing will not be very useful for end users unless they manually install the root certificate.

A good choice for many PUM projects may be to get their certificate signed by Linköpings Universitet. LiU provides a free signing service, but there are some regulations about who can be granted a signature from LiU. To find out if you qualify and what to do, visit the homepage of the Linköpings Universitet CA (http://ca.liu.se).

All signing processes involve a few basic steps:

- Setting up an agreement on the grounds on which the signing is based
- Verification of the identity of the party requesting a signature
- Secure transfer of the certificate file between the parties

The signing process ends when you have received a signed certificate file from the signing party. Note that all certificates have a limited lifetime before they need to be renewed.

If a self-signed certificate is desired, the following OpenSSL command is issued (the -req option tells openssl x509 to read a certificate request rather than a certificate, -signkey signs it with our own key, and -days sets the lifetime):

    openssl x509 -req -days 365 -in domain.com.csr -signkey domain.com.key -out domain.com.cert

Now we have a certificate file that is signed one way or the other, and a private key file. Be sure to protect the key file well, for example by setting correct file permissions:

    chmod 400 domain.com.key

3.2 Setting up Apache to use the certificate

To set up Apache to use the correct certificate files and to enable SSL, the following lines of configuration are needed in httpd.conf:

    SSLEngine on
    SSLCertificateFile /usr/local/certs/domain.com.cert
    SSLCertificateKeyFile /usr/local/certs/domain.com.key

Of course it is important that the paths to the certificate and key file are correct. Now only a restart of Apache should be needed, and everything should be up and running. How a restart is done is of course very system specific.

3.3 Optional HTTP -> HTTPS redirect

It may be desirable that people visiting the site over HTTP are redirected to HTTPS instead. This can for example be done automatically with the following Apache setup using the rewrite engine:

    RewriteEngine On
    RewriteRule ^/(.*) https://domain.com/$1 [R,L]

This configuration sends all requests to the correct domain using HTTPS. It belongs only in the part of the configuration that serves plain HTTP (port 80); if the same rule also applies to the HTTPS virtual host, every request is redirected to itself in a loop.
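The procedure of sections 3.1 and 3.2 carried out as a script, with the checks a practitioner runs before restarting Apache (key and certificate belong together, key is private, certificate is not about to expire). This is an added example, not the paper's own script; it assumes the openssl command-line tool is installed, and domain.com and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the paper's own script). Runs the section 3.1 steps
# non-interactively, self-signs with openssl x509 -req, locks down the key
# and checks that key, certificate and Apache paths agree before the server
# is restarted. Assumes the openssl CLI is installed; "domain.com" and the
# output directory are placeholders.

# Generate key + request and self-sign the request: make_selfsigned DOMAIN DIR
make_selfsigned() {
    domain=$1; dir=$2
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted so Apache starts without a passphrase;
    # -subj answers the interactive questions the paper's command would ask.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null || return 1
    # -req tells x509 to read a request; -signkey self-signs it with our key.
    openssl x509 -req -days 365 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.cert" 2>/dev/null || return 1
    chmod 400 "$dir/$domain.key"
}

# Sanity checks before restarting Apache: check_pair DOMAIN DIR
# Returns 1 if the certificate was not issued for the key, if the key is
# readable by anyone but its owner, or if the certificate expires within 30 days.
check_pair() {
    domain=$1; dir=$2
    keymod=$(openssl rsa -noout -modulus -in "$dir/$domain.key" 2>/dev/null)
    certmod=$(openssl x509 -noout -modulus -in "$dir/$domain.cert" 2>/dev/null)
    [ -n "$keymod" ] && [ "$keymod" = "$certmod" ] || return 1
    [ "$(ls -l "$dir/$domain.key" | cut -c1-10)" = "-r--------" ] || return 1
    openssl x509 -noout -checkend 2592000 -in "$dir/$domain.cert" >/dev/null
}

# Print the httpd.conf lines from section 3.2 for the generated files.
apache_snippet() {
    domain=$1; dir=$2
    printf 'SSLEngine on\nSSLCertificateFile %s/%s.cert\nSSLCertificateKeyFile %s/%s.key\n' \
        "$dir" "$domain" "$dir" "$domain"
}

# Stand-alone use: ./mkcert.sh DIR writes the files into DIR (a scratch
# directory, not /usr/local/certs) and prints the Apache lines if all checks pass.
if [ -n "${1:-}" ]; then
    make_selfsigned domain.com "$1" && check_pair domain.com "$1" \
        && apache_snippet domain.com "$1" || { echo "certificate setup failed" >&2; exit 1; }
fi
```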

4 Results

4.1 Expected result

When visiting an HTTPS-enabled web site the browser should somehow indicate that HTTPS is used. Usually this is done by showing a padlock in the right corner of the browser; the URL bar might also change color from white to yellow. These indicators are, however, highly browser specific. When visiting a site with a self-signed certificate, a warning should appear telling the user that the site is using an unknown certificate. To solve this problem the certificate needs to be verified as correct and then added to the user's browser.

5 Verification of the results

To verify that the data is actually going over HTTPS, a network traffic analysis tool such as Wireshark can be used. Start Wireshark and start a traffic dump, then visit the HTTPS site from the computer running Wireshark. You should now be able to follow the flow of data in Wireshark. In short, the data flow should look something like this:

- First an SSL hello is sent from client to server
- The server responds with a certificate and an encryption key
- The client answers with an encryption key
- Data begins to transfer in encrypted form

After a correct SSL handshake and exchange of encryption keys, all data should be encrypted and unreadable without knowing the correct private keys. If data after the handshake is still in clear text, the HTTPS installation has somehow failed.

6 Examples with explanations

Section not applicable to this process.
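An added helper (not part of the paper) that labels the first bytes of a captured TCP payload according to the steps listed above, so a dump can be checked without reading hex by hand, and reports a readable HTTP request line as the failure case. The record layout (content type, version, length, handshake message type) is assumed from the TLS specification, and the sample payloads are constructed.

```shell
#!/bin/sh
# Added example (not from the paper): label the first bytes of a captured TCP
# payload so the handshake steps listed above can be picked out of a dump, and
# a plaintext HTTP request (the failure case) is flagged. Record layout assumed
# from the TLS specification: byte 0 content type, bytes 1-2 version, bytes 3-4
# length, byte 5 handshake message type. Sample payloads are constructed.

# classify_payload FILE -> one-line label on stdout
classify_payload() {
    hex=$(od -An -tx1 -N6 -v "$1" | tr -d ' \n')
    ctype=$(printf '%s' "$hex" | cut -c1-2)       # 16 = handshake, 17 = app data
    vmajor=$(printf '%s' "$hex" | cut -c3-4)      # 03 for every SSL 3.0 / TLS version
    htype=$(printf '%s' "$hex" | cut -c11-12)     # handshake message type
    case "$ctype$vmajor" in
        1603) case "$htype" in
                  01) echo "handshake: ClientHello (client -> server)" ;;
                  02) echo "handshake: ServerHello (server -> client)" ;;
                  0b) echo "handshake: Certificate (server -> client)" ;;
                  0c) echo "handshake: ServerKeyExchange (server -> client)" ;;
                  10) echo "handshake: ClientKeyExchange (client -> server)" ;;
                  *)  echo "handshake: type 0x$htype" ;;
              esac ;;
        1403) echo "ChangeCipherSpec" ;;
        1503) echo "alert" ;;
        1703) echo "application data (encrypted)" ;;
        *)    # Not a TLS record: a readable request line means HTTPS is not in use
              if head -c 8 "$1" | grep -q -E '^(GET|POST|HEAD|PUT) '; then
                  echo "CLEARTEXT HTTP: HTTPS setup has failed"
              else
                  echo "unknown payload"
              fi ;;
    esac
}

# make_samples DIR writes constructed payloads: the four steps above plus a
# plaintext request (only the leading bytes matter for the classifier).
make_samples() {
    printf '\026\003\001\000\305\001\000\000\301\003\003' > "$1/1-clienthello"
    printf '\026\003\003\000\052\002\000\000\046\003\003' > "$1/2-serverhello"
    printf '\026\003\003\004\060\013\000\004\054\000\004' > "$1/2-certificate"
    printf '\026\003\003\000\046\020\000\000\042\040'     > "$1/3-clientkeyexchange"
    printf '\027\003\003\000\064\303\252\021\170\012'     > "$1/4-appdata"
    printf 'GET / HTTP/1.1\r\nHost: domain.com\r\n\r\n'   > "$1/x-cleartext"
}

# Stand-alone use: ./tlscheck.sh DIR labels every payload file in DIR
if [ -n "${1:-}" ]; then
    for f in "$1"/*; do printf '%s: %s\n' "$(basename "$f")" "$(classify_payload "$f")"; done
fi
```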

7 Solutions to common problems

Because HTTPS is HTTP with an encryption layer, it uses much more CPU, which may affect the performance of the web server. Solutions to this problem are to get a new server or to use an SSL accelerator. Using certificates shorter than 128 bits because they need less CPU is not recommended, since they are very easy for an intruder to break.

8 Adjustment to the PUM course

Section not applicable to this process.

9 Measurements of the process

Installing a web server using HTTPS should be a fairly simple and fast process, and if the server has enough RAM and CPU there is really no excuse not to use HTTPS.

10 History of the process

2006-12-14 Process started by Jonas Krogell

11 Changes not yet attended to

- Explain how to set up other web servers, like Microsoft IIS, for HTTPS.
- More details on how to get certificates signed by authorities.
- Explain client certificates and how they are used.

12 References

http://ca.liu.se - Linköpings Universitet CA. The web page for certificate signing applications at LiU.
http://www.apache.org - The Apache Software Foundation. Homepage for the Apache project, an HTTPS-capable web server.
http://www.openssl.org - The Open Source toolkit for SSL/TLS. A toolkit for generating certificates.
http://www.verisign.com - VeriSign. A company that signs certificates.