Thach Mai // TODO: a witty tagline

Why you should care about HTTPS and how to get it for free

Web browser makers are encouraging the use of HTTPS over traditional HTTP. Chrome only supports geolocatiozation and web RTC over HTTPS. Firefox, Chrome, MS Edge only supports HTTP 2.0 for secured sites.

Plain old HTTP is no longer good enough for them anymore. Why? To understand their motivations, we should take a look at the unsecured nature of the internet.

The network by itself is not secured

If I want to google something, behind the scene this is what happened:

[/home/thach] traceroute google.com 
traceroute to google.com (216.58.198.174), 30 hops max, 60 byte packets
 1  livebox.home (192.168.1.1)  2.140 ms  3.921 ms  3.847 ms
 2  80.10.232.225 (80.10.232.225)  7.877 ms  8.927 ms  8.905 ms
 3  ae101-0.ncgre202.Grenoble.francetelecom.net (193.253.85.42)  8.856 ms  8.807 ms  8.738 ms
 4  ae49-0.nilyo102.Lyon.francetelecom.net (193.252.101.134)  9.923 ms  9.884 ms  9.836 ms
 5  81.253.184.82 (81.253.184.82)  24.124 ms  25.413 ms  25.357 ms
 6  81.52.186.142 (81.52.186.142)  15.111 ms  10.417 ms  9.893 ms
 7  209.85.252.36 (209.85.252.36)  10.726 ms 209.85.252.194 (209.85.252.194)  11.089 ms 209.85.252.36 (209.85.252.36)  11.345 ms
 8  216.239.58.1 (216.239.58.1)  18.451 ms 209.85.143.219 (209.85.143.219)  28.290 ms 209.85.142.249 (209.85.142.249)  18.362 ms
 9  216.239.40.66 (216.239.40.66)  30.822 ms 216.239.43.64 (216.239.43.64)  32.303 ms 216.239.40.69 (216.239.40.69)  32.281 ms
10  64.233.175.112 (64.233.175.112)  30.685 ms 72.14.237.139 (72.14.237.139)  28.956 ms 209.85.243.19 (209.85.243.19)  28.825 ms
11  216.239.59.3 (216.239.59.3)  29.805 ms 209.85.241.211 (209.85.241.211)  30.585 ms 216.239.59.3 (216.239.59.3)  30.537 ms
12  108.170.232.99 (108.170.232.99)  28.796 ms  28.691 ms 108.170.232.97 (108.170.232.97)  29.793 ms
13  lhr25s10-in-f14.1e100.net (216.58.198.174)  29.899 ms  30.860 ms  30.797 ms

Visually, we can see it this way:

My network hops

Each hop that I have to go through can be a potential security risk. Let’s take a look at two simple examples:

Eavesdropping

A malicious (or curious) person who can listen to traffic on your network can eavesdrop on your exchange with google.com:

Eavesdropping attack

If the traffic on the network is pure HTTP, an eavesdropper can:

  • Steals my account credentials through login forms.
  • Captures my cookie or token ID to impersonate me.
  • Stores sensitive information communicated over the network.

Man in the middle

A more sophisticated attacker can intercept your traffic and modifies the content before passing to the next hop. Anyone who control your network gateway or switch can be this “man in the middle”:

Man in the middle attack

A man in the middle can do everything an eavesdropper can, and more:

  • Sends me to a different server than the one requested.
  • Modifies downloads to inject virus.

Can we secure the network somehow?

Unfortunately we don’t know how to migitate much of the network risks, at least not for the internet. But we can use encryptions to render these attacks ineffective by using HTTPS.

HTTPS advantages

A website served over HTTPS can guarantee two things to the client:

  • Identity: it’s really the web site requested by the client and not a fake.
  • Secrecy: the content exchanged between the client and the site can be understood only by the two parties and no one else.

How HTTPS works

How HTTPS works is rather elaborate; but for the purpose of our discussion we can simplify it as:

HTTPS handshake

Three things that you should remember:

  • The server must possess a public key that its annouces to connecting clients.
  • The server uses its secret private key to authenticate itself to the client.
  • The server key must be signed by a certificate authority to prove its validity.

To generate and sign the keys used to be somewhat costly and inconvenient. Fortunately, there is a recent player that seeks to disrupt the model: Letsencrypt.

Letsencrypt.org

A canadian non-profit organization; backed by some of the biggest players on the web.

Letsencrypt provides two things:

  • The ACME protocol to simplify key generation and renewal.
  • A public infrastructure to freely generate and renew keys.

Generate your first certificate

There are several ways you can generate certificates with Letsencrypt, here I’ll walk through the webroot method:

TLS certificate generation

Basically, you need to prove to Letsencrypt that you control the domain by placing a file in the path: yourdomain.com/.well-known/acme-challenge/. After validation, Letsencrypt will sign your certificate and you can use that certificate to turn on HTTPS.

Doing this is rather straight-forward using the official Letsencrypt client and the nginx web server:

1. Install the client

su
cd /opt
git clone https://github.com/certbot/certbot

2. Prepare NGINX to serve the challenge

In your site’s configuration:

server {
    listen 80;
    …
    location /.well-known/acme-challenge {
        allow all;
        root /tmp/letsencrypt;
    }
}

Reload the configuration file with nginx -s reload

3. Generate the certificate

/opt/certbot/letsencrypt-auto certonly --webroot --webroot-path /tmp/letsencrypt -d mydomain.com --email=‘[email protected]

The generated certificate is stored at /etc/letsencrypt/live/mydomain.com/

4. Turn on HTTPS

Modify the site’s configuration to enable HTTPS using the generated certificate:

server {
  listen 80;
  …
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
}

5. Automatic renewal

Renewal is as simple as running /opt/certbot/letsencrypt-auto renew

Put it in a crontab to run every day/week and you’re set.

Cloudfare

Another simple option to provide HTTPS to your site is through Cloudfare CDN. This blog is hosted by Github page but served by Cloudfare; therefore I get HTTPS for free.

Setting up Cloudfare is very easy. You do have to surrender DNS control to Cloudfare though so it’s certainly not everyone’s cup of tea. Head over to their website if you’re curious.