HTTPS for Websites and APIs
PHPPDX Meetup Talk 7/17/2018
Table of contents:
- Google Chrome non-HTTPS
- Conventional Usage
- API Usage
- Handling Redirects
- Dangers of non https
HTTPS is an important topic on the web these days. As of this month, July 2018, Google's Chrome browser will mark non-HTTPS sites as ‘not secure’. Not as well discussed, but equally important is what HTTPS means for your API. Jeremy Kenedy (email@example.com), Web Engineering Manager at Sq1 Portland, will give us a rundown of SSL/TLS and the role it plays in HTTPS. We'll discuss the practical implications of HTTPS for API requests and see practical examples of a middleware approach to handling redirection in your PHP application.
Google Chrome non-HTTPS
- Announced in February 2018 in Google security blog
- Implemented July 2018.
- Standard security protocol for establishing encrypted communication.
- Ensures that all data transmitted between a web server and client are encrypted with RSA (Rivest, Shamir, Adleman) encryption.
- An SSL/TLS certificate is required for an SSL connection.
- Server verified (different levels).
- HTTPS requires SSL/TLS.
- HTTP2 requires SSL/TLS.
- Transport Layer Security
- TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.
- Became standard over SSL in 1999.
- Secure Sockets Layer.
- Fallback to TLS using older security protocols.
- Encryption type is listed by Signature Algorithm
- Issued by a Certificate Authority (CA).
- Open source DV SSL/TLS with Let's Encrypt.
- Paid Issuers have 3 types available.
- The encryption levels are the same for each certificate type.
- All have a validity period.
3 Different Paid Types of SSL/TLS Certificates.
Extended Validation (EV SSL)
- Verifying the legal, physical and operational existence of the entity.
- Verifying that the identity of the entity matches official records.
- Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate.
- Verifying that the entity has properly authorized the issuance of the EV SSL Certificate.
Organization Validated (OV SSL)
- Checks right of the applicant to use a specific domain.
- Some vetting of the organization. Usually something like an ecommerce secure site seal.
- Gives enhanced visibility in who is behind the site and associated enhanced trust.
Domain Validated (DV SSL)
- Checks right of the applicant to use a specific domain.
- No company identity information is vetted.
- No information is displayed other than encryption information.
- Receiving server not verified.
Differences between Let's Encrypt and paid Certificate Authorities

| Aspect | Let's Encrypt vs. paid Certificate Authorities |
| --- | --- |
| Extended validity | Let's Encrypt certificates are only valid for 90 days and must be renewed frequently. By contrast, most traditional SSL certificates are valid for at least one year, with the option of longer validity periods (for example, three years). |
| Warranty | Let's Encrypt certificates do not include a warranty, whereas traditional SSL certificates usually do. |
| Support | Let's Encrypt does not have staff available to assist with creating or installing SSL certificates. This can be an issue for professionals and business owners who must quickly get a site configured and working. For example, GlobalSign has a network of trained personnel who provide support through online ticketing, chat, and telephone. |
| Customer vetting | Let's Encrypt uses basic domain-based vetting (the ACME protocol) to issue SSL certificates. Traditional CA providers use additional vetting procedures to help verify that customers actually are who they claim to be. |
| SSL certificate options | Let's Encrypt only offers domain-validated certificates (DV). If you need the extra security of an extended validation certificate (EV) for your site, you must purchase one from a traditional CA provider. Additionally, Let's Encrypt does not offer wildcard or multi-domain certificates. |
Installing SSL/TLS Certificate on a Server
- A certificate consists of one or more verified .crt files that live on your server and are linked through your server's configuration.
- .crt files are obtained from the Certificate Authority provider or are self-generated (self-signed).
- Your server needs an RSA key generated on it.
Most common install options
- You can manually request the SSL certificate, then install it (self-signed certificate).
- You can download the needed files from a paid Certificate Authority and then install them.
- Note: the certificate is limited to a DV SSL certificate with Let's Encrypt.
- Note: some server configuration panels offer these options built in.
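The install steps above (generate an RSA key on the server, obtain a .crt from a CA or self-sign one, then read what the certificate exposes) as an added PHP example using the openssl extension; this is not code from the talk. The distinguished-name values and output file names are made up, and the self-signed path is only for a local test server: for a public site the CSR produced here is what you send to the CA.

```php
<?php
// Added example (not from the talk): create the RSA key a server needs,
// build a CSR for a CA, self-sign the same CSR for local testing, and
// read back the fields a certificate carries (issuer, signature algorithm,
// validity period). Requires PHP with the openssl extension.
declare(strict_types=1);

/** Generate the server's private RSA key (2048-bit). */
function makeServerKey()
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return $key;
}

/** Build a PEM-encoded CSR for $commonName; this is what a CA vets (DV/OV/EV). */
function makeCsr($key, string $commonName): string
{
    $dn = [ // constructed example values
        'countryName'         => 'US',
        'stateOrProvinceName' => 'Oregon',
        'localityName'        => 'Portland',
        'organizationName'    => 'Example Org',
        'commonName'          => $commonName,
    ];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR failed: ' . openssl_error_string());
    }
    openssl_csr_export($csr, $pem);
    return $pem;
}

/** Self-sign the CSR (null CA cert => issuer is the subject itself). */
function selfSign($key, string $csrPem, int $days = 90): string
{
    $cert = openssl_csr_sign($csrPem, null, $key, $days, ['digest_alg' => 'sha256']);
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    openssl_x509_export($cert, $pem);
    return $pem;
}

/** Summarise the fields an operator checks before installing a .crt. */
function describeCert(string $certPem): array
{
    $info = openssl_x509_parse($certPem);
    if ($info === false) {
        throw new RuntimeException('not a parseable certificate');
    }
    return [
        'subject_cn'          => $info['subject']['CN'],
        'issuer_cn'           => $info['issuer']['CN'],
        'self_signed'         => $info['subject'] === $info['issuer'],
        'signature_algorithm' => $info['signatureTypeSN'],   // e.g. RSA-SHA256
        'valid_from'          => gmdate('Y-m-d', $info['validFrom_time_t']),
        'valid_to'            => gmdate('Y-m-d', $info['validTo_time_t']),
        'days_left'           => intdiv($info['validTo_time_t'] - time(), 86400),
    ];
}

// Usage: write key + cert where the web server config can point at them.
$dir  = sys_get_temp_dir();                 // placeholder for /etc/ssl/... on a real host
$key  = makeServerKey();
$csr  = makeCsr($key, 'www.example.test');  // constructed hostname
$cert = selfSign($key, $csr);

openssl_pkey_export($key, $keyPem);
file_put_contents("$dir/server.key", $keyPem);
chmod("$dir/server.key", 0600);             // private key must not be world-readable
file_put_contents("$dir/server.csr", $csr);  // send this to a CA for a trusted cert
file_put_contents("$dir/server.crt", $cert); // self-signed: browsers will warn

print_r(describeCert($cert));
```

The `days_left` field is the value a renewal job should watch: a Let's Encrypt certificate's 90-day lifetime means the check has to run automatically, and a self-signed certificate (where `self_signed` is true) will never be trusted by a browser or by a client that verifies the chain.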
- Encrypt the connection between websites and web apps.
- Provide server and other company data for websites and web apps.
- Create public trust between public/users and website/app.
- Properly allow for more sensitive data and credentials on website/app.
- All the above.
- Provides trust between developers and api usage.
- Add protection for the server and data by enforcing secured (HTTPS) calls.
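What "enforcing secured (HTTPS) calls" looks like from the API consumer's side, as an added PHP example built on the curl extension (not code from the talk): the client refuses non-HTTPS URLs, verifies the server certificate and hostname, and only follows redirects that stay on HTTPS, so a credential is never replayed in clear text. The endpoint and token values are placeholders.

```php
<?php
// Added example (not from the talk): an HTTPS-only API client. The commented
// "weak" settings are what often gets copied to silence certificate errors;
// the live settings are the ones a defender wants.
declare(strict_types=1);

/** Reject anything that is not https:// before a socket is opened. */
function assertHttpsUrl(string $url): void
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'https') {
        throw new InvalidArgumentException("refusing non-HTTPS API URL: $url");
    }
}

/** GET a JSON resource over verified TLS, returning status and decoded body. */
function secureApiGet(string $url, string $bearerToken): array
{
    assertHttpsUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Authorization: Bearer ' . $bearerToken,
            'Accept: application/json',
        ],
        // Verify the certificate chain against the system CA store and check
        // that the certificate's name matches the host we asked for.
        // Weak (do not use): CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Speak only HTTPS, including after a redirect: an API that answers
        // with "Location: http://..." must not pull the token onto plain HTTP.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate, hostname or protocol failures all land here; surface
        // them instead of retrying with verification turned off.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS/transport error: $err");
    }
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $finalUrl = (string) curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    curl_close($ch);

    $decoded = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('non-JSON response from ' . $finalUrl);
    }
    return ['status' => $status, 'url' => $finalUrl, 'body' => $decoded];
}

// Usage (placeholder endpoint and token):
try {
    $r = secureApiGet('https://api.example.test/v1/me', getenv('API_TOKEN') ?: 'placeholder-token');
    printf("%d from %s\n", $r['status'], $r['url']);
} catch (Throwable $e) {
    fwrite(STDERR, get_class($e) . ': ' . $e->getMessage() . "\n");
    exit(1);
}
```

A failed handshake against a self-signed or expired certificate shows up as a `curl_error` string rather than data, which is the behaviour the bullet "CDN and API dependencies may not work" in the dangers section describes; the fix is to install a valid certificate on the server, not to relax `CURLOPT_SSL_VERIFYPEER` in the client.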
Server Level - Apache
- .htaccess and mod_rewrite Apache docs
Server Level - Nginx
- Server config file using rewrite directive.
- Middleware/plugins (most likely using the header() method).
- Example: the Laravel package "Laravel HTTPS Checker".
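The middleware approach from the abstract, as an added framework-agnostic PHP example (not the Laravel HTTPS Checker package and not the talk's own code): it decides whether the request arrived over HTTPS, including behind a TLS-terminating proxy, and otherwise redirects with `header()`. The trusted-proxy address, host names and request data below are constructed; Laravel's `Request::secure()` covers the same decision once trusted proxies are configured.

```php
<?php
// Added example (not from the talk): HTTPS-enforcing middleware in plain PHP.
declare(strict_types=1);

/**
 * Is this request already on HTTPS?
 * Behind a load balancer or CDN that terminates TLS, PHP sees plain HTTP and
 * the proxy reports the original scheme in X-Forwarded-Proto. That header is
 * honoured only when the connection comes from a known proxy; otherwise any
 * client could set it and bypass the redirect.
 */
function isSecureRequest(array $server, array $trustedProxies): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    if ((int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    $forwarded = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    $remote    = (string) ($server['REMOTE_ADDR'] ?? '');
    if ($forwarded !== '' && in_array($remote, $trustedProxies, true)) {
        // Header may be a list if several proxies are chained; first hop wins.
        $first = strtolower(trim(explode(',', $forwarded)[0]));
        return $first === 'https';
    }
    return false;
}

/**
 * Return the https:// URL to redirect to, or null if no redirect is needed.
 * The Host header is client-supplied, so it is checked against an allow-list
 * before being placed in a Location header.
 */
function httpsRedirectTarget(array $server, array $trustedProxies, array $allowedHosts): ?string
{
    if (isSecureRequest($server, $trustedProxies)) {
        return null;
    }
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];   // never redirect to an unexpected host
    }
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';                 // keep the target on this site
    }
    return 'https://' . $host . $uri;
}

/** Middleware entry point: call before any output is sent. */
function httpsMiddleware(array $trustedProxies, array $allowedHosts): void
{
    $target = httpsRedirectTarget($_SERVER, $trustedProxies, $allowedHosts);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Already on HTTPS: ask browsers to stay there on later visits.
    // Start with a short max-age while rolling out, then raise it.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Constructed requests showing each branch (run with `php thisfile.php`).
if (PHP_SAPI === 'cli') {
    $proxies = ['10.0.0.5'];            // placeholder load balancer address
    $hosts   = ['www.example.test'];     // placeholder allow-list

    $plain = ['HTTPS' => '', 'HTTP_HOST' => 'www.example.test',
              'REQUEST_URI' => '/login?next=/account', 'REMOTE_ADDR' => '203.0.113.9'];
    $viaProxy = ['HTTPS' => '', 'HTTP_X_FORWARDED_PROTO' => 'https',
                 'HTTP_HOST' => 'www.example.test', 'REQUEST_URI' => '/', 'REMOTE_ADDR' => '10.0.0.5'];
    $spoofed = ['HTTPS' => '', 'HTTP_X_FORWARDED_PROTO' => 'https',
                'HTTP_HOST' => 'evil.example', 'REQUEST_URI' => '/', 'REMOTE_ADDR' => '203.0.113.9'];

    var_dump(httpsRedirectTarget($plain, $proxies, $hosts));     // https URL, same path
    var_dump(httpsRedirectTarget($viaProxy, $proxies, $hosts));  // null: proxy says HTTPS
    var_dump(httpsRedirectTarget($spoofed, $proxies, $hosts));   // redirect to allowed host
}
```

A 301 is right for the GET requests a browser makes when a user types the bare host name; for an API that receives POST bodies over HTTP, a redirect cannot protect the body that was already sent in clear text, so API endpoints are better off refusing plain HTTP outright (the server-level rewrite rules above do this before PHP runs).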
Dangers of non https
- Traffic can be snooped/watched.
- Data can easily be stolen.
- CDN and API Dependencies may not work.
- Puts others at risk.
- Loss/lack of public trust.
References
- TLS vs. SSL - 5 Things To Know - Differences, Protocols, & Handshakes
- Differences between Let's Encrypt certificates and traditional CA-issued certificates
- What Are The Different Types of SSL Certificates?
- A secure web is here to stay
- Why HTTPS Matters
- Apache docs
- Module ngx_http_rewrite_module
- php header method docs
- Laravel HTTPS Checker
- Laravel API Docs - Request Class
- Apache: Create CSR & Install SSL Certificate - OpenSSL
- Nginx: Create CSR & Install SSL Certificate (OpenSSL)