This document discusses securing websites using digital certificates and SSL. It provides steps to:
1) Develop an insecure website without SSL to demonstrate how attackers can modify content and hack payment gateways.
2) Configure an Apache Tomcat server with HTTPS and a self-signed SSL certificate to encrypt communication.
3) Create HTML and JSP files to test the secured website and verify that sensitive data like passwords are encrypted when transmitted over SSL, preventing sniffing of plain text traffic.
This document discusses securing websites using digital certificates and SSL. It provides steps to:
1) Develop an insecure website without SSL to demonstrate how attackers can modify content and hack payment gateways.
2) Configure an Apache Tomcat server with HTTPS and a self-signed SSL certificate to encrypt communication.
3) Create HTML and JSP files to test the secured website and verify that sensitive data like passwords are encrypted when transmitted over SSL, preventing sniffing of plain text traffic.
This document discusses securing websites using digital certificates and SSL. It provides steps to:
1) Develop an insecure website without SSL to demonstrate how attackers can modify content and hack payment gateways.
2) Configure an Apache Tomcat server with HTTPS and a self-signed SSL certificate to encrypt communication.
3) Create HTML and JSP files to test the secured website and verify that sensitive data like passwords are encrypted when transmitted over SSL, preventing sniffing of plain text traffic.
This document discusses securing websites using digital certificates and SSL. It provides steps to:
1) Develop an insecure website without SSL to demonstrate how attackers can modify content and hack payment gateways.
2) Configure an Apache Tomcat server with HTTPS and a self-signed SSL certificate to encrypt communication.
3) Create HTML and JSP files to test the secured website and verify that sensitive data like passwords are encrypted when transmitted over SSL, preventing sniffing of plain text traffic.
At MITCOE Computer - LP III FDP workshop on 18-12-2018
LP III Mini Project 2 This task is to demonstrate insecure and secured website. Develop a web site and demonstrate how the contents of the site can be changed by the attackers if it is http based and not secured. You can also add payment gateway and demonstrate how money transactions can be hacked by the hackers. Then support your website having https with SSL and demonstrate how secured website is. SSL Secured Socket Layer • SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. • This link ensures that all data passed between the web server and browsers remain private and integral. • Authentication, Integrity and Secrecy is preserved with SSL
• What can’t be handled despite SSL in deployed ?
Digital Certificates roles in Web security • Certificates- What, how, where ? • Find certificates in web Browser • Indian scenario- Controller of Certifying Authorities (CCA) • Surfing Cca.gov.in Securing Web data - Steps Summary • Java Installation • Tomcat 8x installation Java Setup in Ubuntu • First prerequisite is install jdk on Ubuntu. (Preferably latest version) and add JAVA_HOME path in .bashrc which is available as in home directory. • Also add jdk bin path in .bashrc so that you can access java command from any working directory. Tomcat 8x Installation • Download the apache tomcat 8.55.33 application tar file from apache site. • And extract it in your home directory. • Also add CATALINA_HOME in .bashrc as follows. • export CATALINA_HOME=/home/bnjagdale/web/apache-tomcat- 8.5.33 Tomcat Management Start the Tomcat. Go to the apache bin directory and run following command …/bin$sh startup.sh Stop tomcat: And you can shutdown tomcat server with following command. …/bin$sh shutdown.sh
Note: Every time you change configuration files of tomcat, make sure to restart the tomcat server to adopt the changes Access the Web Interface of tomcat server (Testing Web server) • Now that we have to create a user, we can access the web management interface again in a web browser. • Once again, you can get to the correct interface by entering your server's domain name or IP address followed on port 8080 in your browser: • Open in web browser • http://server_domain_or_IP:8080 OR • http://127.0.0.1:8080/ • The page you see should be the same one you were given when you tested earlier: Web server Manager interface • In order to use the manager web app that comes with Tomcat, we must add a login to our Tomcat server. We will do this by editing the tomcat-users.xml file: • sudo nano …./conf/tomcat-users.xml • You will want to add a user who can access the manager-gui and admin-gui (web apps that come with Tomcat). You can do so by defining a user, similar to the example below, between the tomcat-users tags. Be sure to change the username and password to something secure: • tomcat-users.xml — Admin User • <tomcat-users . . .> • <user username="admin" password="password" roles="manager-gui,admin-gui"/> • </tomcat-users> • Save and close the file when you are finished. You need to restart the tomcat to adopt the changes. • Let's take a look at the Manager App, accessible via the link or http://server_domain_or_IP:8080/manager/html. You will need to enter the account credentials that you added to the tomcat-users.xml file. • The Web Application Manager is used to manage your Java applications. You can Start, Stop, Reload, Deploy, and Un install here. You can also run some diagnostics on your apps (i.e. find memory leaks). Lastly, information about your server is available at the very bottom of this page. Creating html/jsp files for demonstration • Let us test the web pages / JSP pages • Now let us deploy jsps and html and test them. Switch to webapps directory of tomcat and create you won folder like …. • ..webspps$mkdir myapps • ..webspps$cd myapps • ..webspps$gedit login1.html • ..webspps$gedit login2.html • ..webspps$gedit action.jsp Login1.html <html> <head> <title>SSL demonstration</title> </head> <body> <h3>Web communicaton in plain text- NO SSL</h3> <br> <form action="http://127.0.0.1:8080/myapps/action.jsp" method=post> User Name:<br> <input type="text" name="username" value=""><br> Password:<br> <input type="password" name="password" value=""><br><br> <input type="submit" value="Submit"> </form> </body> </html> <html>
Action.jsp <head> <title>Using POST Method to Read Form Data</title> </head> <body> <h3>Returning the user Form Data back</h3> <br> <p><b>Login name:</b> <%= request.getParameter("username")%> </p> <p><b>Password:</b> <%= request.getParameter("password")%> </p> </body> </html> Now test the web pages as follows. You will observe that all traffic is plain in format. So far we have not talked about SSL or TLS between client and server Now with SSL • Above traffic between server and client is without SSL implementation • Now create the digital certificate using java keytool in jdk/bin • Issue command as follows. • [root@localhost ~]# keytool -genkey -alias mykeys -keyalg RSA -keystore mynmcs • In this example keynamed mynmcs is created in working directory and public key pair is also generated in keystore supported by passwords. Now configure the digital certificate in server.xml file available in conf directory under apache tomcat directory, As follows Restarting Tomcat to consider new configuration • Restart the tomcat server by using command as under tomcat 8 bin directory • $sh shutdown.sh • $sh startup.sh • Now issue the url in client browser as follows • https://172.20.1.121:8443/myapps/login2.html Now this form will (submit) initiate ssl dialog and hence communication will be secured henceforth. SSL self signed works locally but not …? • Certificate warning error is shown as certificate is self-signed. • Click on certificate error and see the details. Certificates installed in tomcat server for SSL security are self-signed. • If signed by CA like VeriSign, even legality of this communication is applicable. Thus by deploying SSL in tomcat server, websites can be secured to achieve Authentication, integrity and secrecy goals in the communication between web client and web server. • Accept certificate and check the output. So now traffic is secured with SSL between transport and application. How to verify with and without SSL • Now check the plain traffic by deploying sniffer such as tcpdump or wireshark etc. and verify that traffic is plain without SSL and with https://localhost:8443/... • Traffic is secured in term of authentication, secrecy and integrity. As you can see that wire shark has sniffed the web traffic and found what server and client are talking. Here, toward the bottom of screen capture, you can see password in plain format, which you will not be able to sniff after https SSL is deployed
