Ensuring Correct Encryption

Encryption prevents an attacker who intercepts traffic between you and your users from reading or tampering with it. It is cheap and easy to implement, and an absolute necessity when transmitting sensitive data.

Risks

Prevalence Occasional
Exploitability Difficult
Impact Devastating

Insecure Wi-Fi hotspots, as illustrated in our exercise, are just one way enterprising hackers have found to take advantage of unencrypted communication. They may also try to sniff traffic within your network, and if they get access, inspect traffic going through compromised edge devices.

Any point between your server and the user’s browser is a potential weak spot. Given the non-deterministic nature of internet routing, many such points present themselves to an enterprising attacker.

Protection

Buy a certificate, install it, and configure your web server to use it.

It’s really as simple as that. Web servers are typically able to serve the same content over HTTP (on port 80) and HTTPS (on port 443). Any non-trivial website should use HTTPS. Facebook and Twitter use HTTPS by default, and this is a good example to follow.

But make sure you know how to force your web server to elevate to a secure connection, and do so whenever a user is authenticating or establishing a session. A common way of enforcing this is to make sure that cookies are set with the Secure flag – that way, the browser only sends them over HTTPS, so sessions can only be established over HTTPS.

If you are looking to add or renew a security certificate, Let's Encrypt is a quick and easy way to install one. The project, sponsored by Mozilla, Facebook, and the Electronic Frontier Foundation, aims to make encryption ubiquitous across the web by eliminating payment, web server configuration and certificate renewal tasks. We highly recommend you take a look!

Code Samples

The code samples below illustrate how to elevate traffic to an HTTPS connection in various set-ups.

It is fairly common to put Apache or Nginx between your web server and the outside world. If you have this setup, it is very easy to redirect HTTP requests to use HTTPS. In Apache, a rewrite rule would look as follows:

# Redirect any request that did not arrive on the HTTPS port (443)
# to the same host and path over https://.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [QSA,NC,R,L]
# Note: the R flag on its own sends a temporary (302) redirect; use R=301
# for a permanent redirect, matching the Nginx example below.

The equivalent in Nginx is:

# A plain-HTTP listener whose only job is to send a permanent (301)
# redirect to the same host and path over HTTPS.
server {
  listen 80;
  rewrite ^(.*) https://$host$1 permanent;
  # Equivalent, and the form the Nginx documentation recommends:
  # return 301 https://$host$request_uri;
}

Django

To force Django to use HTTPS, the easiest way is to install the django-sslify module. To make sure that the session cookie is only transmitted over secure connections, include the following option in your settings:

SESSION_COOKIE_SECURE = True
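The two behaviours the article asks for, redirecting plain-HTTP requests and marking every cookie Secure, can also be done in application code. The following WSGI middleware is an added example, not code from the article or from django-sslify; it assumes that when a TLS-terminating proxy (Apache or Nginx, as above) sits in front of the application, that proxy sets the X-Forwarded-Proto header.

```python
# Added example, not code from the original article: a WSGI middleware that
# applies the article's two recommendations at the application layer.
#   1. A request that did not arrive over TLS gets a 301 to its https:// URL.
#   2. Every Set-Cookie header the app emits gains the Secure flag.
# Assumption: a TLS-terminating proxy in front sets X-Forwarded-Proto. Only
# trust that header if the proxy overwrites it on every request; otherwise a
# client can supply it and skip the redirect (pass trust_proxy_header=False).
from urllib.parse import quote


def is_https(environ, trust_proxy_header=True):
    """True if the request reached us (or the proxy in front of us) over TLS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        return proto.split(",")[0].strip().lower() == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
    query = environ.get("QUERY_STRING", "")
    return f"{url}?{query}" if query else url


def secure_cookie(value):
    """Add '; Secure' to a Set-Cookie value unless the flag is already present."""
    attrs = [a.strip().lower() for a in value.split(";")]
    return value if "secure" in attrs else value + "; Secure"


def force_https(app, trust_proxy_header=True):
    """Wrap a WSGI app: redirect plain-HTTP requests, secure all cookies."""
    def middleware(environ, start_response):
        if not is_https(environ, trust_proxy_header):
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            headers = [(k, secure_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            return start_response(status, headers, exc_info)

        return app(environ, secured_start_response)
    return middleware
```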

Rails

Set the option config.force_ssl to true to ensure traffic travels over HTTPS in a particular environment.

Java

In a Servlet 3.0 or later container, set the following option in your web.xml to ensure cookies are only transferred over HTTPS:

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

Tomcat

See here for instructions on how to configure SSL in Tomcat.

ASP.NET

See here for a comprehensive overview of how to configure and use HTTPS in ASP.NET.

Further Reading

Configuring HTTPS in Django.

Does your website use encryption correctly?

Check today. Scan your website for Unencrypted Communication and other vulnerabilities with the Netsparker Web Application Security Scanner.