Encryption prevents an attacker from intercepting traffic sent between you and your users. It is cheap and easy to implement, and an absolute necessity when transmitting sensitive data.
Risks
Insecure Wi-Fi hotspots, as illustrated in our exercise, are just one way enterprising hackers have found to take advantage of unencrypted communication. They may also try to sniff traffic within your network, and if they get access, inspect traffic going through compromised edge devices.
Any point between your server and the user’s browser is a potential weak spot. Given the non-deterministic nature of internet routing, a lot of opportunities present themselves to an enterprising attacker.
Protection
Buy a certificate, install it, and configure your web server to use it.
It’s really as simple as that. Web servers are typically able to serve the same content over HTTP (on port 80) and HTTPS (on port 443). Any non-trivial website should use HTTPS. Facebook and Twitter use HTTPS by default, and this is a good example to follow.
But make sure you know how to force your web server to elevate to a secure connection, and do so whenever a user is authenticating or establishing a session. A common way of enforcing this is to make sure that cookies are set with the Secure flag – that way, sessions can only be established over HTTPS.
Code Samples
The code samples below illustrate how to elevate traffic to an HTTPS connection in various set-ups.
Reverse Proxies
It is fairly common to put Apache or Nginx between your web server and the outside world. If you have this setup, it is very easy to redirect HTTP requests to use HTTPS. In Apache, a rewrite rule would look as follows:
RewriteEngine On
# Only rewrite requests that did not arrive on the HTTPS port
RewriteCond %{SERVER_PORT} !^443$
# REQUEST_URI already carries the leading slash, so the target does not get a doubled "//"
# when this rule lives in a virtual host rather than in .htaccess
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,NC,R,L]
The equivalent in Nginx is:
server {
listen 80;
rewrite ^(.*) https://$host$1 permanent;
}
Python
Django
To force Django to use HTTPS, the easiest way is to install the django-sslify module. To make sure that cookies are only transmitted over secure connections, include the following option in your config:
SESSION_COOKIE_SECURE = True
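As an added example (not code from the original page, Django or django-sslify), the same two controls described above, redirecting plain HTTP to HTTPS and forcing the Secure flag onto session cookies, written as a framework-independent WSGI middleware. It assumes the reverse-proxy setup from the section above, where the proxy terminates TLS and overwrites the X-Forwarded-Proto header; the login_app and the request dictionaries are constructed stand-ins.

```python
from urllib.parse import quote

def is_https(environ):
    """True when TLS ended here or at a trusted proxy setting X-Forwarded-Proto
    (assumption: the proxy overwrites that header, so clients cannot spoof it)."""
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip()
    return environ.get("wsgi.url_scheme") == "https" or proto.lower() == "https"

def https_location(environ):
    """Same host, path and query string, with the scheme changed to https."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    query = environ.get("QUERY_STRING", "")
    url = "https://" + host + quote(environ.get("PATH_INFO", "/"))
    return url + ("?" + query if query else "")

def add_secure_flag(headers):
    """Append '; Secure' to every Set-Cookie header that lacks the flag."""
    out = []
    for name, value in headers:
        attrs = [p.strip().lower() for p in value.split(";")[1:]]
        if name.lower() == "set-cookie" and "secure" not in attrs:
            value += "; Secure"
        out.append((name, value))
    return out

class ForceHTTPS:
    """WSGI middleware: redirect plain HTTP to HTTPS and mark cookies Secure."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if not is_https(environ):
            headers = [("Location", https_location(environ)), ("Content-Length", "0")]
            start_response("301 Moved Permanently", headers)
            return [b""]
        def secure_start(status, headers, exc_info=None):
            return start_response(status, add_secure_flag(headers), exc_info)
        return self.app(environ, secure_start)

def login_app(environ, start_response):
    """Stand-in application that starts a session (constructed for this demo)."""
    start_response("200 OK", [("Set-Cookie", "sessionid=abc123; HttpOnly")])
    return [b"logged in"]

def call(app, environ):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Wrap the real application as ForceHTTPS(app); a plain-HTTP request to /login is answered with a 301 to the https URL, while a request that arrived over TLS gets its session cookie rewritten to carry Secure.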
Ruby
Rails
Set the option config.force_ssl to true to ensure traffic travels over HTTPS in a particular environment.
Java
In your web.xml, set the following option to ensure cookies are only transferred over HTTPS:
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
Tomcat
See here for instructions on how to configure SSL in Tomcat.
.NET
See here for a comprehensive overview of how to configure and use HTTPS in ASP.NET.