I'm pretty newbie in https and my project is MVC web application and i've created a self-signed certificate in IIS and set the website's binding to use that certificate and ssl settings to 'require SSL' and I can browse the website over https (although it's not verified and has red x on it).
The part that I don't understand is when I send a request to server (post request), I can still check the network console and see what was the parameter passed.
I can still check the network console
I assume that you mean the information about the send and received data within the browser with "network console". Since the browser is creating and encrypting the data the browser has access to the clear text before encryption and after decryption and thus can show these information.
Related
I am new to web development and don't fully understand how encryption on the web works. I was messing around with Chrome Dev tools on the site hltv.org. I noticed when I log in it sends a post request to /login with my password and username visible in plain text in the body of the request. Is this information visible to anyone who could intercept the post request or is only visible to me? Do I have a misunderstanding of how the information is encrypted in https requests?
The Chrome DevTools shows the local representation of code and traffic, visible to the browser. You're seeing the POST request your browser is making before it gets encrypted and sent to the server (show in plaintext for debugging and development purposes). It is the browser itself that encrypts your data (using the NSS API in Chromium and Schannel in Windows). This happens before the data leaves your machine, meaning that it will be ecrypted before it ends up on any other machine, even in the case of a man-in-the-middle attack.
No-one else can read this data, assuming:
you do not have any malicious plugins actively installed in your browser
you do not have any malware on your computer that can intercept Trusted Root Certificates
I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identify of the server.
How can a tester testing this feature test that it is now secure, how can they for example create a MITM situation and check that the client rejects connects etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies etc. or is messing around with a wireless router and having detailed knowledge necessary?
This might be over simplification for your solution, but concepts might help.
A web browsers extracts the name of hosts from embedded certificate and do a comparison of host name that we're trying to connect with. If validation fails, we usually see a security warning. For ex: we can connect with facebook by either typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose second option, we get a security warning.
Your program must be using SSL client socket to connect with HTTPS server. The socket must be having capability to extract the hostname from the embedded certificate. Once you get that, compare that with valid HOST NAME that your program is trying to connect with. If it matches, let request proceed, If not, abandon that session.
To re-create MITM, your web server can use a self signed certificate that can be issue to whatever host name you want, but the IP of server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and actual IP, we can probably simulate the MITM situation.
I'm assuming that digital certificate can't be forged in this case.
I have an application written in Rails that must be ran behind a IIS server due to restrictions by the client, the government. We have to have SSL authentication. So what I can't figure out in my hours of searching Google is how to get IIS to pass the client certificate to the rails server (thin).
I've seen tutorials on Apache that use:
SSLOptions +ExportCertData
Which then make it available to the request object. Any ideas on how to configure IIS to do the same?
At least in the way that you ask the question IIS cannot provide a client certificate as the client cert would be issued by a third party. So you need to get the x509 cert that your application and then the cert is authenticated as part of the initial connection request with iis.
As to the apache function to provide the ssl cert from the server to the client, this functionality is not exposed by iis.
That's why you were not able to find anything on google
The main reason companies want to run Rails(or Other) applications behind an IIS server is for SSO apart from protecting the resources.
See if this helps.
We have been running our Rails app behind IIS at quite a few customer locations. We run our Rails app in JRuby inside Tomcat.
The steps to install the JK ISAPI redirector plugin are here
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
All Rails contexts are protected in IIS using standard IIS authentication schemes, Integrated Windows Authentication ( Negotiate, NTLM).
Within the Rails app one can get the logged in user's information.
request.env['java.servlet_request'].get_remote_user
The Rails app also connects to Microsoft AD for additional user information like email, department etc.,
Since the Rails is blindly trusting the IIS server for authenticaiton it needs to be prevented from direct access.
1. Disable HTTP ports in Tomcat
2. Enable only the AJP port
3. Add an IP restriction so that it accepts connection only from the IIS server(s)
==
I do not think it is possible for IIS to pass on the certificate details. We tried to extract the Kerboros tokens ( for kerboros authentication delegation ) without much success and realized it is not possible.
After being told this may be impossible. I've finally figured it out! Here are the steps that I took.
Using OpenSSL create your own CA certificate.
Using the generated CA certficate create and sign other certificates with Open SSL.
Open Internet Information Service Manager click on the server, then click on server certificates.
Click Import under the Actions column
After importing click on your site.
In the Actions column click bindings...
Click add, scroll to https, and select the CA certificate that you imported
Click on your site again to get to the menu and click on SSL settings
Check require SSL and then click the radio buttion, require
Click your site again then click on the configuration editor (installed in IIS 7.5 can add-in in 7.0)
Go to system.webServer/security/authentication/iisClientCertificateMappingAuthentication
Set enabled to true
Set manyToOneCertificateMappings to true
Click on the ... box on the far right-end of manyToOneMappings
Click add under actions column, under collections
Add the username and password of the user you created (can be on local machine)
Now, go to the main server and restart.
You should be able to see the certificate using request.headers hash.
Variables for the hash include:
CERT_SERIALNUMBER
CERT_SUBJECT
CERT_ISSUER
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
If you cannot find something you may have to install a module (for like authentication). I don't remember which ones I installed.
I have been using jasig .net cas client. I have setup cas server on my local computer which can be assessed using https://localhost:8443/cas-server-webapp-3.4.12/login
I have set authorize attribute on Account controllers logon action.
i am following everything given in this url https://wiki.jasig.org/pages/viewpage.action?pageId=32210981
when i run the application, it does go to cas login page but after authentication it returns with http://localhost:1672/ and then in browser it gives error as "The page isn't redirecting properly".
i don't know how i am getting this error, everything is setup properly in web.config.
Please help
when i use http://localhost:8080/cas-server-webapp-3.4.12/login (non secure url) instead of https://localhost:8443/cas-server-webapp-3.4.12/login(secure url) it works.
I think i have a problem with self signed certificate. Is it possible to create valid certificate and use it. At least i should try creating a valid certificate and try. But i don't know how to create valid certificate. Please also tell me how to create valid certificate. I tried google but not successful to find how to create valid certificate so that browser doesn't display "self signed certificate error".
For my own experience, other than getting the self-signed cert to work:
I have to install the self-signed cert from the SSO server to my Windows 2008 Server hosting the webapp).
Install the certificate under Trusted Root Cert Authorities on BOTH the user account and the machine account.
You can do this under MMC and then Add the certificate Snap-in.
Test your setup using IE to browse to the sso server in question.You should not see anymore warnings about the cert. Remember use IE to check, other browser does not seem to care about the Trusted Root Cert setup.
Next, when deployed the ASP MVC, I have to use classic Application Pool and
for my cas config setup in web.config leave both the proxyTicketManager and the gatewayStatusCookieName as empty string.
I am connecting directly to the sso server so these two be taken out, or else protocol error and infinite loop.
Then no more infinite redirect loops complains.
I found what the problem was. When we are using secure connection we need to have SSL certificate on both side, at CAS server side and at our webapplication side.
so at CAS server side it has to be
https://localhost:8443/cas-server-webapp-3.4.12/login
and at our web application side it has to be
https://servername/mywebapp
If you are using a self-signed certificate be sure that the server running CAS trusts the certificate of the web application.
you should specify the return url after success login in the web.config (just the server not the entire url)
example: you app is on http://localhost:8080/someWebApp/
when you go to the login page, you can see on the query string parameter the return url encoded
<casClientConfig casServerLoginUrl="https://localhost:8443/cas-server-webapp-3.4.12/login"
casServerUrlPrefix="https://localhost:8443/cas-server-webapp-3.4.12/"
serverName="http://localhost:8080"
notAuthorizedUrl="~/notAuthorized.html"
cookiesRequiredUrl="~/CookiesRequired.html"
redirectAfterValidation="true"
renew="false"
singleSignOut="true"
ticketValidatorName="Cas20"
serviceTicketManager="CacheServiceTicketManager"/>
I'm working on an ios application without authentication. Now I would like to protect my server API from calls other then my ios application. A possible solution would be to have the application generate a unique key (based on the appname and the signing), which is not stored on the device since this is the main problem. I could think off an application logic that does some protection combined with some file encryption but the problem is that somewhere something is stored (ex public key can be stored in keychain but still not safe for my API-hackers).
Anyone any tips/advice on how I can handle this ?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application, if the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.