Introduction to SSL Certificate Configuration

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a standard cryptographic protocol for secure communication over the Internet. SSL allows sensitive information to be transmitted confidentially and lets the client check who it is talking to. To establish a secure connection, the server needs an SSL certificate together with its private key. Three keys are involved, but only one of them lives in the certificate: the certificate carries the server's public key; the private key is a separate file that stays on the server; and the session key that actually encrypts the traffic is agreed during the handshake, fresh for each connection. The certificate also contains a “subject”, the name of the certificate/website owner (for a web server, the hostname that browsers will connect to).

A Certificate Signing Request (CSR) is created on your server after you generate a public/private key pair there. The CSR data file that you send to the Certificate Authority (CA) contains the public key and the subject name, and is signed with your private key so the CA can check that you hold the matching private key without ever receiving it. The CA then issues the certificate: a data structure, signed by the CA, that binds the public key from the CSR (and therefore your private key) to the subject. The CA never sees the private key, so keep it on the server with restrictive file permissions.
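The key-pair and CSR step above, as an added example (not code from the original page): it drives the openssl command-line tool from Python to generate a key pair and CSR, then runs the two checks a practitioner wants before sending the CSR off: the public key inside the CSR really belongs to the private key, and the CSR contains no private key. The hostname www.example.test, the file names and the function names are assumptions for the demonstration; it assumes `openssl` is installed.

```python
"""Generate a key pair and CSR with the openssl CLI, then check what the CSR carries.
Added example; assumes the `openssl` binary is on PATH."""
import os
import subprocess
import tempfile


def run_openssl(*args):
    """Run an openssl subcommand and return its stdout as text."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def make_key_and_csr(workdir, common_name):
    """Generate a 2048-bit RSA key pair and a CSR for it in one step.

    The key pair is created locally and never leaves this machine. -nodes leaves the
    private key unencrypted so a non-interactive web server can read it, so protect
    the file with permissions instead.
    """
    key_path = os.path.join(workdir, "server.key")
    csr_path = os.path.join(workdir, "server.csr")
    run_openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-keyout", key_path, "-out", csr_path,
                "-subj", f"/CN={common_name}")
    return key_path, csr_path


def csr_subject(csr_path):
    """Subject line as openssl prints it, e.g. 'subject=CN = www.example.test'."""
    return run_openssl("req", "-in", csr_path, "-noout", "-subject").strip()


def csr_matches_key(key_path, csr_path):
    """True when the public key inside the CSR is the one derived from the private key.

    This is the same check to run later when a certificate 'does not work' with a key:
    the public halves, printed in PEM form, must be identical.
    """
    pub_from_key = run_openssl("pkey", "-in", key_path, "-pubout").strip()
    pub_from_csr = run_openssl("req", "-in", csr_path, "-noout", "-pubkey").strip()
    return pub_from_key == pub_from_csr


def csr_contains_private_key(csr_path):
    """The CSR is what gets sent to the CA; it must not carry the private key."""
    with open(csr_path) as f:
        return "PRIVATE KEY" in f.read()


def demo(common_name="www.example.test"):
    """Run the whole flow in a temporary directory and report the checks."""
    workdir = tempfile.mkdtemp()  # assumption: a scratch directory is fine for the demo
    key_path, csr_path = make_key_and_csr(workdir, common_name)
    return {
        "subject": csr_subject(csr_path),
        "matches_key": csr_matches_key(key_path, csr_path),
        "csr_has_private_key": csr_contains_private_key(csr_path),
        "key_path": key_path,
        "csr_path": csr_path,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The public-key comparison is the check to reach for whenever Apache refuses to start with a "key values mismatch" error: the certificate the CA returned must print the same PUBLIC KEY block with `openssl x509 -in cert.pem -noout -pubkey` as the private key does with `openssl pkey -pubout`.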

Steps in the creation of a secure connection:

  1. The browser connects to a web server secured with https and asks it to identify itself.
  2. The server sends a copy of its SSL certificate, which includes its public key.
  3. The browser checks the certificate: the signature chains to a CA the browser trusts, the name in the certificate matches the host it connected to, and the certificate is neither expired nor revoked. If it trusts the certificate, it generates a session key, encrypts that session key with the server's public key and sends it to the server.
  4. The server decrypts the session key using its private key.
  5. Both sides now encrypt all transmitted data with the session key.

This is the classic RSA key exchange. TLS 1.2 with ECDHE cipher suites, and all of TLS 1.3, derive the session key with an ephemeral Diffie-Hellman exchange instead, and the server's private key is used only to sign the handshake; the trust decision in step 3 is the same either way. If the browser does not trust the certificate, as with the self-signed certificate configured below, it shows a warning instead of silently completing the connection.

SSL self-signed certificate configuration for Apache (Kali Linux):

1. Open a terminal and type sudo make-ssl-cert generate-default-snakeoil. The snakeoil certificate is the default self-signed certificate that Debian-based distributions (Kali included) generate for services that use SSL; it is written to /etc/ssl/certs/ssl-cert-snakeoil.pem with its private key in /etc/ssl/private/ssl-cert-snakeoil.key, and its subject is the machine's hostname.

2. Then type sudo a2enmod ssl. This enables mod_ssl, the Apache module that implements SSL/TLS; the module does nothing until a virtual host switches it on.

3. Type sudo a2ensite default-ssl. This enables the default-ssl virtual host (/etc/apache2/sites-available/default-ssl.conf), which listens on port 443 with SSLEngine on and points SSLCertificateFile and SSLCertificateKeyFile at the snakeoil certificate and key from step 1.

4. Type sudo service apache2 restart. Apache needs to be restarted for the new module and site configuration to take effect. If the restart fails, sudo apachectl configtest reports which directive is wrong.

5. Now you will be able to open https://localhost in a browser. Because the snakeoil certificate is self-signed rather than issued by a CA the browser trusts, the browser shows a certificate warning that you must click through. That is expected for a test certificate; on an Internet-facing server you would instead install a CA-issued certificate obtained with a CSR as described above.

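The handshake steps listed earlier and the browser warning of step 5, run locally as an added example (not code from the original page or from Apache). A freshly generated self-signed certificate stands in for the snakeoil certificate, a Python TLS socket on 127.0.0.1 stands in for Apache on port 443, and ssl.create_default_context() plays the browser: once with the certificate unknown, once after it has been added to the trust store. The hostname localhost, the file names, the response text and the function names are assumptions for the demonstration; it assumes `openssl` is installed.

```python
"""Self-signed cert + local TLS server + verifying client. Added example; assumes `openssl` on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(workdir, hostname="localhost"):
    """Self-signed certificate and key, like make-ssl-cert but for a chosen hostname.

    The subjectAltName is what modern browsers match against the host in the URL.
    """
    key_path = os.path.join(workdir, "snakeoil.key")
    cert_path = os.path.join(workdir, "snakeoil.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={hostname}",
                    "-addext", f"subjectAltName=DNS:{hostname}",
                    "-keyout", key_path, "-out", cert_path],
                   check=True, capture_output=True)
    return key_path, cert_path


def handshake(trust_cert, hostname="localhost"):
    """Connect a 'browser' to a 'server' over TLS and report what happened.

    trust_cert=False is a browser meeting an unknown self-signed cert (step 3 fails).
    trust_cert=True is the same browser after the cert was imported into its trust store.
    """
    workdir = tempfile.mkdtemp()  # assumption: scratch directory for the demo files
    key_path, cert_path = make_self_signed_cert(workdir, hostname)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port for the demo; Apache would use 443
    listener.listen(1)
    port = listener.getsockname()[1]

    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert_path, key_path)  # step 2: certificate (public key) + private key

    def server():
        conn, _ = listener.accept()
        try:
            tls = server_ctx.wrap_socket(conn, server_side=True)  # handshake, server side
            tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello over TLS\n")  # step 5: encrypted data
            tls.close()
        except OSError:
            conn.close()  # the client rejected our certificate and sent a TLS alert

    thread = threading.Thread(target=server)
    thread.start()

    client_ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, like a browser
    if trust_cert:
        client_ctx.load_verify_locations(cert_path)  # equivalent of installing the self-signed cert

    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:  # step 1
            with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:  # steps 2-4
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                outcome = {
                    "ok": True,
                    "subject_cn": subject["commonName"],
                    "cipher": tls.cipher()[0],   # negotiated suite; key exchange is ECDHE, not RSA
                    "version": tls.version(),
                    "response": tls.recv(1024),
                }
    except ssl.SSLCertVerificationError as exc:  # step 3 refused: the browser-warning case
        outcome = {"ok": False, "reason": exc.reason, "detail": exc.verify_message}
    finally:
        thread.join()
        listener.close()
    return outcome


if __name__ == "__main__":
    print("untrusted:", handshake(trust_cert=False))
    print("trusted:  ", handshake(trust_cert=True))
```

The untrusted run fails with CERTIFICATE_VERIFY_FAILED before any application data is sent, which is exactly the point at which a browser shows its warning page; the trusted run reports the certificate subject and the negotiated cipher suite, and the data exchange only happens after that check.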

Compression Ratio Info-leak Made Easy (CRIME) is a security exploit against secret web cookies sent over HTTPS connections that also use data compression. The attack taught us that compression can endanger confidentiality: it is dangerous to concatenate attacker-supplied data with sensitive secret data and then compress and encrypt the concatenation, because the compressed (and therefore ciphertext) length reveals how much of the attacker's data matched the secret. Compression is used only if both the browser and the server support it, and many do because it improves performance. CRIME itself targets TLS-level compression, which Apache controls with the SSLCompression directive (set it to off); the mod_deflate module that the steps below disable provides HTTP-level response compression, which the BREACH variant of the attack exploits in the same way. To disable HTTP compression in Apache,

1. Type sudo a2dismod deflate.

2. Now, restart apache2 by typing sudo service apache2 restart.
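The leak described above, as an added example (not code from the original page): a constructed HTTP request in which the attacker controls the URL and the browser appends a secret cookie, compressed with Python's zlib standing in for TLS or HTTP compression. It goes beyond the page's one-sentence statement and runs the full recovery loop, guessing the cookie one character at a time from the compressed length alone; the cookie value k7p2, the host bank.example and the function names are made up for the demonstration. The zlib Z_FIXED strategy is used so that each correct guess shortens the output by exactly one byte; against default dynamic-Huffman compression the same attack needs repeated measurements and padding tricks to resolve ties.

```python
"""CRIME/BREACH compression side-channel on a constructed request. Added example."""
import zlib

SECRET = "k7p2"                      # constructed: the cookie value the attacker wants
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_request(path_guess, secret=SECRET):
    """Plaintext as it reaches the compressor: attacker-chosen URL, then the cookie
    the browser appends on its own. Both end up in the same compressed stream."""
    return (f"GET /?id={path_guess} HTTP/1.1\r\n"
            f"Host: bank.example\r\n"
            f"Cookie: id={secret}\r\n\r\n").encode()


def compressed_len(data):
    """Bytes on the wire after compression: the only thing a network attacker sees.

    Z_FIXED selects DEFLATE's fixed Huffman table, so every literal that a longer
    back-reference absorbs saves exactly 8 bits, i.e. one byte of output."""
    comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(comp.compress(data) + comp.flush())


def recover_secret(length, secret=SECRET, measure=compressed_len):
    """Recover the cookie one character at a time by watching the compressed size.

    'id=' + (known prefix) + (correct next char) already occurs in the URL, so the
    cookie line compresses one byte better than it does with any wrong guess.
    Passing measure=len models a connection with compression disabled."""
    known = ""
    for _ in range(length):
        sizes = {ch: measure(build_request(known + ch, secret)) for ch in ALPHABET}
        known += min(sizes, key=sizes.get)   # smallest ciphertext = matching guess
    return known


if __name__ == "__main__":
    print("sizes for the last character:",
          {ch: compressed_len(build_request("k7p" + ch)) for ch in "2az"})
    print("recovered with compression:   ", recover_secret(len(SECRET)))
    print("recovered without compression:", recover_secret(len(SECRET), measure=len))
```

With compression disabled every guess produces the same length, so the loop learns nothing and returns a string of first-alphabet characters; that is the whole reason the page's fix is to turn compression off rather than to change the cipher.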

For more information:

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://ubuntuforums.org/showthread.php?t=2003654

https://www.digicert.com/ssl.htm

http://en.wikipedia.org/wiki/CRIME