I have a Rails WebServer based on REST API
I have a AngularJS app, which connects to this WebServer
What is the best way to encrypt login and password on client side and decrypt these credentials on server side?
If you are using RSA you have to have keys in the browser. The keys can't get to the browser unless they go over the unsecured HTTP connection. If an attacker has the keys by sniffing the HTTP connection, and the algorithm from your javascript code, you aren't protecting anything since decrypting your traffic becomes trivial.
I suggest putting an nginx proxy in front of your web server. You can configure nginx to do the TLS handshake, and you can get a Comodo SSL certificate for less than $15 a year. I've done this myself in front of a Python server and truly, that's all it cost.
I've just decided to use http://travistidwell.com/jsencrypt/index.html in way when I store public server key on client side and private server key on server side.
JS client encrypts all messages that are send to server.
The best way, as mentioned by Geoff Genz, is to secure your web server with HTTPS and ensuring that your login action only accepts requests through HTTPS. Configure your angular app to make requests to the HTTPS URL of your login action and all encryption will be taken care of seamlessly. You won't have to worry about manually encrypting the data clientside and then decrypting serverside. All of this will be handled by the TLS protocol which make HTTPS work.
Related
I know that certificates that are sent by the server cant be faked (still there is MD5 collisions but costy) but what about faking the client ..
in man in the middle attack:
cant we tell the server that we are the legitimate client and take data from that server manipulate it then encrypt it again with legitimate client public key ? how does the client be sure that the data came really from the server ?
in theory .. can we inject any data into the response sent by the server to the client ?..
How are you authenticating the client? SSL client certificates? Or some application level system (cookies etc)?
Here's what SSL does in a nutshell:
Negotiates a Diffie-Hellman shared session key between the two parties
Has the server sign the session key and send the result to the client. Once the client verifies this, the client knows there is no MITM, and the server is who they say they are.
If client certificates are enabled, has the client sign the session key and send the signature to the server. The server now knows there is no MITM and the client is who they say they are.
Encrypts all data in both directions using the shared session key
Typically when you use SSL you won't use client certificates. Strictly speaking, the server does not know if the connection is MITM'd. However, most clients will disconnect if the server certificate is bad. The server assumes that if the client pushes forward with the connection, there is no MITM. Even if Mallory, doing the MITM, chooses not to propagate the disconnect from the client, he has no new information now; all he's done is connected to the server himself. Without intercepting the client's session cookie or other authentication information (which is only sent by the client after verifying the connection is secure) the MITM is useless.
So in short, as long as one end or the other verifies the certificate of the other end before initiating any high-level communication of sensitive information, SSL is secure in both directions.
You're right -- without secure certificate authentication on the client and server there is an opening for a man in the middle attack.
SSL can be "secure both ways" if you use mutual authentication also called two-way SSL.
I have developed an iOS app using Xamarin and I am unsure about how encryption would work when calling a service that uses HTTPS.
On my end I do nothing particularly special: I utilize a RestClient and add the credentials to the body of a json serialized request. I then post it to the HTTPS service.
Is this safe or should I be doing more? I am not sure if iOS handles the rest for me in terms of encryption.
Answer
Yes, by using HTTPS, you are most-likely safe. However, there are a couple things to verify to ensure that there are no security leaks.
More Info on TLS
Communication with secure HTTPS enpoints encrypt the header and body of the message by default using TLS.
HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security. Source
Things To Verify
Do Not Use Sensitve Data in the URL
The Url of the HTTPS endpoint is not encrypted. It is important to never put any sensitive data into the Url of the HTTPS enpoint. To ensure sensitive data is encrpyted, put the data in the message body.
For example, if you are validating a user's login (username: user1234, password: password1234), do not send the username/password as a url parameter. Instead, serialize the username and password data, and set it as the HttpContent of the HttpClient.
Bad: https://myApiEndpoint.com/getIsUserValid/user123/password1234
iOS HttpClient Implementation
Ensure that you are using NSUrlSession for the iOS HttpClient Implementation.
NSUrlSession will use TLS by default when communicating with secure HTTPS endpoints. As of iOS 10, NSAppTransportSecurity will not allow communication to non-secure HTTP endpoints by default; communication with non-secure HTTP enpoints can be enabled by updating NSAppTransportSecurity in Info.plist, Apple Documentation.
You can verify NSUrlSession is being used in the iOS Build Settings (screenshot below).
When using HTTPS everything except the server address is encrypted during transit. The encryption is totally transparent to the client and server.
Example: for the URL https://myApiEndpoint.com/getIsUserValid/user123/password1234 only myApiEndpoint.com is not encrypted, the rest of the URL is encrypted.
In order to protect against MITM attacks pin the server certificate, that is verify that the certificate received on the request belongs to the correct server.
If you control the server use TLS 1.2 and Perfect Forward Secrecy.
I am working on some app which as API call. while i add proxy in mobile and see response in web debugging tools. I can see my api call parameters and response too.
while in others app I cant see this things and it is secured.
how can i acheive this?
Pictures said your API is using non-secure HTTP protocol while others app using HTTPS. The Web API should be performed via HTTPS protocol. HTTPS using SSL/TLS as secure transport layer, it means all data are encrypted before they're online. So, we don't care about any kinds of proxy
Here is my cenario:
I have an Rails app on Heroku and i'm forcing it to use HTTPS (Using this tutorial: http://simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/) .
I created a POST form, and its the action is "/my-action"
How do i know if my data is really been transmitted using SSL ? I mean, the form action shouldn't "https://mywebsite.herokuapp.com/my-action" ?
Some considerations:
* I'm using the free heroku SSL (https://myapp.herokuaapp.com )
* This app is not using the heroku SSL endpoint addon
Thanks
if you have valid ssl certificate and encryption key, then you only your data is accepted via ssl. Simply redirecting your website to use https protocol doesn't encrypt your data flow. And, this is what you were doing it. Right now, you are using heroku which does provide free SSL service if you use its domain.
So, if your website can be accessible via https://myapp.herokuapp.com and browser isn't giving any warning..then you are using SSL service.
This isn't applied if for custom domains. Your custom domain will still be accessible with https://www.example.com but it it SSL enabled.
I have a JRuby on Rails application deployed to Tomcat which is setup for two-way/mutal authentication using SSL. When a request comes in to my Rails application, it then makes a request to an external server. That external server requires the certificate of the person originating the request. I need to grab the certificate from my Rails app and forward it when making a request to the external server (another Rails app).
I can get the X509Certificate (java) object in a controller in the Rails app where the initial goes. I can then get the DER string (X509CertificateImpl#getEncoded, something like that) and I can build a PEM string if necessary...but how I can forward that on when making a request to the external Rails app?
I tried sticking the urlsafe base64 encoded PEM version into a header, but when I pull out that header on the external rails app it only appears to get a chunk of it (60 characters as opposed to the 2095 that were sent).
Any ideas/thoughts on how to do this?
If the external server requires client-side SSL authentication and not just a certificate, then you are out of luck. The reason is that SSL autentication is performed using private keys, not certificates themselves. And private keys are not transferred to the server. So grabbing the certificate will give you nothing.