Dear Internet, Stop Taking My Information Over HTTP
Kyle Galbraith Dec 31, 2017
It has never been easier for developers to configure websites for access over HTTPS. Services like AWS Certificate Manager and Let's Encrypt are making it cheap and easy.
Of course there has never been an excuse for taking user information over HTTP. Configuring SSL for your website was once somewhat difficult. Nowadays it has become very simple and the need to do so has never been more important.
SSL does not guarantee 100% safety from things like a person in the middle attack. But, it does lower the potential risk.
Anatomy Of A Person In The Middle Attack
The general premise of a person in the middle attack is that there is an evil person sitting between the client and the server. Never trust the evil person. This evil doer is always there and you should never assume they are not.
Our villain is monitoring the requests coming from the client to the server. They want to gain information about the user. Things like passwords, emails, and even phone numbers are winning criteria for them. Requests passed from the client to the server over HTTP are in clear text for the villains eyes.
This is the general anatomy of a person in the middle attack (PITM). Passing passwords, emails, and other sensitive information shouldn't happen over HTTP. It is far to easy for an attacker to siphon the information and use it against you.
Add SSL To Your Website
It is dirt cheap to add an SSL certificate to your website nowadays. I am most familiar with creating them in AWS Certificate Manager. Assuming you already have a Amazon Web Services account, you can create an SSL certificate by following these steps.
- Navigate to Certificate Manager in the AWS Console.
- Click Request a Certificate.
- In the Domain name input enter your website domain.
- Click Add another name to this certificate
- In the Domain name input enter my-awesome-site.com
- Click Next.
- Select Email validation.
- Click Review.
- Click Confirm and request.
For each domain entered you must confirm you are the owner of the domain via the email AWS sends. This will come to the email address you registered as the owner of the domain. The approval emails come from
email@example.com with the subject
“Certificate approval for your-site.com”.
Click the approval link in the email to approve the certificate request.
Once you have the certificate in AWS you can attach it to a Load Balancer in front of your EC2 web server. If you have a static website, you can attach it to a CloudFront distribution sitting in front of your S3 website.
The internet is moving more and more towards HTTPS for everything. Mainstream browsers like Google Chrome are beginning to show warnings to users when browsing a site over HTTP. What was once a bit cumbersome is now so simple there is no reason not to do it. Plain and simple, if you are taking user information on your website do not do it over HTTP.
Hungry To Learn Amazon Web Services?
There is a lot of people that are hungry to learn Amazon Web Services. Inspired by this fact I have started writing a book on that. Learning Amazon Web Services by using it. Focusing on the problem of hosting, delivering, and securing static websites. You learn services like S3, API Gateway, CloudFront, and WAF by building a solution to the problem.
There is a sea of information out there around AWS. It is easy to get lost and not make any progress in learning. By working through this problem we can cut through the information and speed up your learning. My goal with this book is to share what I have learned.
Sound interesting? Check out the landing page to learn more and stay updated on my progress, here.