https-for-web-and-apis.md

HTTPS for Websites and APIs

PHPPDX Meetup Talk 7/17/2018

Table of contents:

• Description
• Google Chrome non-HTTPS
• SSL/TLS
  • TLS
  • SSL
  • SSL/TLS Certificate
    • 3 Different Paid Types of SSL/TLS Certificates
    • Differences between Let's Encrypt and paid Certificate Authorities
  • Installing SSL/TLS Certificate on a Server
    • Most common install options
• Conventional Usage
• API Usage
• Handling Redirects
  • Server Level - Apache
  • Server Level - Nginx
  • App Level
• Dangers of non https
• References

Description

HTTPS is an important topic on the web these days. As of this month, July 2018, Google's Chrome browser will mark non-HTTPS sites as ‘not secure’. Not as well discussed, but equally important is what HTTPS means for your API. Jeremy Kenedy ([email protected]), Web Engineering Manager at Sq1 Portland, will give us a rundown of SSL/TLS and the role it plays in HTTPS. We'll discuss the practical implications of HTTPS for API requests and see practical examples of a middleware approach to handling redirection in your PHP application.

Google Chrome non-HTTPS

• Announced in February 2018 in Google security blog
• Implemented July 2018.

SSL/TLS

• Standard security protocol for establishing encrypted communication.
• Ensures that all data transmitted between a web server client are encrypted with RSA(Rivest, Shamir, Adleman) encryption.
• SSL/TLS certificate is required for a SSL connection.
• Server verified (different levels).
• HTTPS requires SSL/TLS.
• HTTP2 requires SSL/TLS.

TLS

• Transport Layer Security
• TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.
• Became standard over SSL in 1999.

SSL

• Secure Sockets Layer.
• Fallback to TLS using older security protocols.

SSL/TLS Certificate

• Encryption type is listed by Signature Algorithm
• Issued by a Certificate Authority (CA).
  • Open source DV SSL/TLS with Let's Encrypt.
  • Paid Issuers have 3 types available.
• The encryption levels are the same for each certificate type.
• All Have validity Period.

3 Different Paid Types of SSL/TLS Certificates.

1. Extended Validation (EV SSL)

   • Verifying the legal, physical and operational existence of the entity.
   • Verifying that the identity of the entity matches official records.
   • Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate.
   • Verifying that the entity has properly authorized the issuance of the EV SSL Certificate.

2. Organization Validated (OV SSL)

   • Checks right of the applicant to use a specific domain.
   • Some vetting of the organization. Usually something like an ecommerce secure site seal.
   • Gives enhanced visibility in who is behind the site and associated enhanced trust.

3. Domain Validated (DV SSL)

   • Checks right of the applicant to use a specific domain.
   • No company identity information is vetted.
   • No information is displayed other than encryption information.
   • Receiving server not verified.

Differences between Lets Encrypt and paid Certificate Authorities

Item	Description
Extended validity	Let's Encrypt certificates are only valid for 90 days and must be renewed frequently. By contrast, most traditional SSL certificates are valid for at least one year, with the option of longer validity periods (for example, three years).
Warranty	Let's Encrypt certificates do not include a warranty, whereas traditional SSL certificates usually do.
Support	Let's Encrypt does not have staff available to assist with creating or installing SSL certificates. This can be an issue for professionals and business owners who must quickly get a site configured and working. For example, GlobalSign has a network of trained personnel who provide support through online ticketing, chat, and telephone.
Customer vetting	Let's Encrypt uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional vetting procedures to help verify that customers actually are who they claim to be.
SSL certificate options	Let's Encrypt only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider. Additionally, Let's Encrypt does not offer wildcard or multi-domain certificates.

source

Installing SSL/TLS Certificate on a Server

• A Certicate consist of one or more verified .crt file that lives on your server and is linked though your servers configeration.
• The .crt files are obtained from the Certificate Authority provider or self generated(self-signed).
• Your server needs an RSA key generated on it.

Most common install options

• You can manually request the SSL certificatethen install it. (Self-signed certificate).

  • Example process on Apache2
  • Example process on Nginx and CentOS
  • Example process on Nginx and Ubuntu

• You can download the needed files from paid Certificate Authority and then install

  • Example process on Apache2
  • Example process on Nginx

• You can use a open source services like Certbot to install a certificate from open source CA Lets Encrypt.

  • Note: Cert is limited to DV SSL Cert with Lets Encrypt.

• [note] Some Server configeration panels offer these options built in.

• [source](https://www.digicert.com/ssl-certificate-installation.htm)

Conventional Usage

• Encrypt Connection between websites and web apps.
• Provide server and other company data of website and web apps.
• Create public trust between public/users and website/app.
• Properly allow for more sensitive data and credentials on website/app.

API Usage

• All the above.
• Provides trust between developers and api usage.
• Add protection server and data by enforcing secured (HTTPS) calls.

Handling Redirects

Server Level - Apache

• .htaccess and mod_rewrite Apache docs

Server Level - Nginx

• Server config file using rewrite directive.

App Level

• PHP header() method
• Middlware/Plugins (most likely use the header() method)
• Example Laravel Package Laravel HTTPS Checker
  • CheckHTTPS
  • ForceHTTPS
    • Makes use of secure() method in Request Class

Dangers of non https

• Traffic can be snooped/watched.
• Data can easily be stolen.
• CDN and API Dependencies may not work.
• Puts others at risk.
• Loss/lack of public trust.

References

• TLS vs. SSL - 5 Things To Know - Differences, Protocols, & Handshakes
• Differences between Let's Encrypt certificates and traditional CA-issued certificates
• What Are The Different Types of SSL Certificates?
• A secure web is here to stay
• Why HTTPS Matters
• Apache docs
• Module ngx_http_rewrite_module
• php header method docs
• Laravel HTTPS Checker
• Laravel API Docs - Request Class
• Apache: Create CSR & Install SSL Certificate - OpenSSL
• Nginx: Create CSR & Install SSL Certificate (OpenSSL)