Dear Internet, Stop Taking My Information Over HTTP

It has never been easier for developers to configure websites for access over HTTPS. Services like AWS Certificate Manager and Let’s Encrypt are making it cheap and easy.

Of course there has never been an excuse for taking user information over HTTP. Configuring SSL for your website was once somewhat difficult. Nowadays it has become very simple and the need to do so has never been more important.

SSL does not guarantee 100% safety from things like a person in the middle attack. But, it does lower the potential risk.

Anatomy Of A Person In The Middle Attack

The general premise of a person in the middle attack is that there is an evil person sitting between the client and the server. Never trust the evil person. This evil doer is always there and you should never assume they are not.

Our villain is monitoring the requests coming from the client to the server. They want to gain information about the user. Things like passwords, emails, and even phone numbers are winning criteria for them. Requests passed from the client to the server over HTTP are in clear text for the villains eyes.

This is the general anatomy of a person in the middle attack (PITM). Passing passwords, emails, and other sensitive information shouldn’t happen over HTTP. It is far to easy for an attacker to siphon the information and use it against you.

Add SSL To Your Website

It is dirt cheap to add an SSL certificate to your website nowadays. I am most familiar with creating them in AWS Certificate Manager. Assuming you already have a Amazon Web Services account, you can create an SSL certificate by following these steps.

  1. Navigate to Certificate Manager in the AWS Console.
  2. Click Request a Certificate.
  3. In the Domain name input enter your website domain.
  4. Click Add another name to this certificate
  5. In the Domain name input enter my-awesome-site.com
  6. Click Next.
  7. Select Email validation.
  8. Click Review.
  9. Click Confirm and request.

For each domain entered you must confirm you are the owner of the domain via the email AWS sends. This will come to the email address you registered as the owner of the domain. The approval emails come from no-reply@certificates.amazon.com
with the subject “Certificate approval for your-site.com”
.

Click the approval link in the email to approve the certificate request.

Once you have the certificate in AWS you can attach it to a Load Balancer in front of your EC2 web server. If you have a static website, you can attach it to a CloudFront distribution sitting in front of your S3 website.

Conclusion

The internet is moving more and more towards HTTPS for everything. Mainstream browsers like Google Chrome are beginning to show warnings
to users when browsing a site over HTTP. What was once a bit cumbersome is now so simple there is no reason not to do it. Plain and simple, if you are taking user information on your website do not do it over HTTP
.

Hungry To Learn Amazon Web Services?

There is a lot of people that are hungry to learn Amazon Web Services. Inspired by this fact I have started writing a book on that. Learning Amazon Web Services by using it. Focusing on the problem of hosting, delivering, and securing static websites. You learn services like S3, API Gateway, CloudFront, and WAF by building a solution to the problem.

There is a sea of information out there around AWS. It is easy to get lost and not make any progress in learning. By working through this problem we can cut through the information and speed up your learning. My goal with this book is to share what I have learned.

Sound interesting? Check out the landing page to learn more and stay updated on my progress, here
.

The Practical Developer责编内容来自:The Practical Developer (源链) | 更多关于

阅读提示:酷辣虫无法对本内容的真实性提供任何保证,请自行验证并承担相关的风险与后果!
本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » 综合技术 » Dear Internet, Stop Taking My Information Over HTTP

喜欢 (0)or分享给?

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录