Ensuring Correct Encryption

Encryption prevents an attacker who intercepts traffic between you and your users from reading or tampering with it. It is cheap and easy to implement, and an absolute necessity when transmitting sensitive data.

Risks

Prevalence: Occasional
Exploitability: Difficult
Impact: Devastating

Insecure Wi-Fi hotspots, as illustrated in our exercise, are just one way enterprising hackers have found to take advantage of unencrypted communication. They may also try to sniff traffic within your network or, if they gain access to them, inspect traffic passing through compromised edge devices.

Any point between your server and the user’s browser is a potential weak spot. Given the non-deterministic nature of internet routing, a lot of opportunities present themselves to an enterprising attacker.

Protection

Buy a certificate, install it, and configure your web server to use it.

It’s really as simple as that. Web servers are typically able to serve the same content over HTTP (on port 80) and HTTPS (on port 443). Any non-trivial website should use HTTPS. Facebook and Twitter use HTTPS by default, and this is a good example to follow.

But make sure you know how to force your web server to elevate to a secure connection, and do so whenever a user is authenticating or establishing a session. A common way of enforcing this is to make sure that cookies are set with the Secure flag; that way, sessions can only be established over HTTPS.

If you are looking to add or renew a security certificate, Let's Encrypt is a quick and easy way to install one. The project, sponsored by Mozilla, Facebook, and the Electronic Frontier Foundation, aims to make encryption ubiquitous across the web by eliminating payment, web server configuration and certificate renewal tasks. We highly recommend you take a look!

Code Samples

The code samples below illustrate how to elevate traffic to an HTTPS connection in various set-ups.

It is fairly common to put Apache or Nginx in front of your application server, between it and the outside world. If you have this setup, it is very easy to redirect HTTP requests to HTTPS. In Apache, a rewrite rule looks as follows:


RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [QSA,NC,R,L]

The equivalent in Nginx is:


server {
  listen 80;
  rewrite ^(.*) https://$host$1 permanent;
}

Django

The easiest way to force Django to use HTTPS is to install the django-sslify module. To make sure that cookies are only transmitted over secure connections, add the following setting to your settings.py:


SESSION_COOKIE_SECURE = True
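As an added example (not code from the original page or from django-sslify), here is a small WSGI middleware, usable in front of any Python web application, that does by hand what the two measures above achieve: it redirects plain-HTTP requests to the HTTPS URL and stamps the Secure attribute onto every Set-Cookie header the application emits. The request environments and demo_app are constructed for illustration, and honouring X-Forwarded-Proto assumes a TLS-terminating proxy you control.

```python
from urllib.parse import quote

def is_https(environ):
    # X-Forwarded-Proto is only trustworthy behind a TLS-terminating proxy you control (assumption).
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"

def https_url(environ):
    """Rebuild the requested URL with the https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + path + ("?" + query if query else "")

def secure_cookie(value):
    """Append the Secure attribute to a Set-Cookie value if it is missing."""
    attrs = [a.strip() for a in value.split(";")]
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    return "; ".join(attrs)

class ForceHTTPS:
    """WSGI middleware: 301 plain-HTTP requests to HTTPS; mark every Set-Cookie Secure."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if not is_https(environ):
            headers = [("Location", https_url(environ)), ("Content-Length", "0")]
            start_response("301 Moved Permanently", headers)
            return [b""]
        def secured_start(status, headers, exc_info=None):
            headers = [(k, secure_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            return start_response(status, headers, exc_info)
        return self.app(environ, secured_start)

def demo_app(environ, start_response):
    """Constructed toy app that forgets the Secure flag on its session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")])
    return [b"hello"]

def run(app, environ):
    """Drive a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

With the constructed environments, a request for http://example.com/login?next=%2F is answered with a 301 to the https:// equivalent, while an HTTPS request passes through and its session cookie comes back as "sessionid=abc123; Path=/; HttpOnly; Secure".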

Rails

Set config.force_ssl to true in the configuration file of a particular environment to ensure that all traffic in that environment travels over HTTPS.

Java

In your web.xml (Servlet 3.0 or later), set the following option to ensure cookies are only transferred over HTTPS:


<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

Tomcat

See the Tomcat documentation for instructions on how to configure SSL in Tomcat.

ASP.NET

See the ASP.NET documentation for a comprehensive overview of how to configure and use HTTPS in ASP.NET.

Further Reading