Are custom (HTTPS) headers a safe API auth method? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
Is it safe to put an API key in a custom header as such (Perl script):
my $json = `wget --no-check-certificate --header "keyFile: $hashkey" -q -O - $mediaplayersurl`;
Will the header be encrypted when connecting to an https resource? Or are the headers passed as plain text like the url?

No, this is not safe, but not in the way that you think.
HTTPS is encrypted at the transport layer if you think about the OSI layer model, but HTTP headers are at the application layer. Everything that is sent above the transport layer is encrypted, and this includes HTTP headers and the URL. We usually don't recommend sending authentication tokens in the URL because those end up in web server log files, where they might be readable by many people and enable them to impersonate the user.
The issue is that the encryption can be easily broken by an active network-based attacker. We usually call it a man-in-the-middle. This is due to the unchecked certificate. If the client doesn't check the certificate, then an attacker might impersonate the server to the client and at the same time impersonate the client to the server by using their own certificate (one for which they hold the private key). They can learn the API key and use it afterwards.
You can fix this either by using (public) certificates that are valid (full certificate chain that is validated by the client until the trust root with valid dates and domain names) or self-signed certificates (those don't have a certificate chain) where the client actually checks the fingerprint.

Related

Drop in traffic due to HTTPS security [closed]

Ours is an educational website, collegesearch.in, which is HTTPS secured. We are losing our desktop traffic because we get errors like "untrusted certificate" on public domain networks, and also some antiviruses block our website as well. There is no issue with our certificate; they are issued by CSA and are not self-signed.
We understand some of the pages may include mixed content like stuffed http links, which we identify and remove but this itself does not seem to be the reason of traffic drop.
We have 75% mobile users and only ~20% of desktop, while our competitors have 40% of desktop users and they are http websites. This makes us think that using HTTPS has become ironically a problem.
My question is: what makes antiviruses block an HTTPS website?
Why do we get an untrusted certificate error?
Anything that can help here...
The site collegesearch.in:
is using a self-signed certificate and thus is not trusted by default by any browsers
on top of this the certificate is expired
on top of this the name in the certificate does not match the URL
on top of that you are offering insecure ciphers
For more details see the SSLLabs report.
Interestingly, www.collegesearch.in is set up in a different way, although it still offers some weak ciphers.
It looks like you are trying to deal with the badly set up collegesearch.in by redirecting users to www.collegesearch.in. But, for the redirect to work, the user is first confronted with the bad certificate from collegesearch.in, which he must accept before the browser continues with the HTTP request that then results in the redirect to www.collegesearch.in. To fix this you need to have a proper certificate setup not only for www.collegesearch.in but also for collegesearch.in.

AWS ELB with GoDaddy SSL certificate [closed]

I have a website running on AWS that needs SSL. The website has the functionality that it must be white-labelable according to the subdomain accessed. For example, when accessing www.a.the-site.com the website will look different from when it is accessed from www.b.the-site.com, but it is the same virtual host handling both URLs. I use an ELB which directs to the EC2 instance (only one instance at this stage). This worked fine when running over normal HTTP.
I followed the step by step tutorial on AWS (http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html and http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-create-https-ssl-load-balancer.html#configure-https-listener) to generate the keys (steps laid out below for ease of reference) and got the certificate from GoDaddy. (Upon pasting the CSR on the GoDaddy website's certificate request process, the correct CN was displayed). The certificate bought was a wildcard certificate, to support different subdomains. I applied the Certificate on the ELB using the AWS website interface, which did not prompt any errors, but now when I access the site over https, I get the SSL error in the browser:
"The security certificate presented by this website was issued for a different website's address."
Investigating the Certificate on https://www.sslshopper.com shows the following:
It states that none of the common names match, yet the common name in the chain is correct (*.the-site.com)
I can also post the steps followed to create the private key and CSR, but I have not received any indication that these are incorrect. It seems like the CN *.the-site.com is not resolving www.a.the-site.com. Can anyone shed some light on this?
#Michael - sqlbot was correct, the wildcard certificate only checks for a single domain. I changed my domain settings to not redirect to www.a.example.com, but rather a.example.com (dropping the www subdomain) and all is working as expected.
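The single-label rule the follow-up relies on, shown as an added example that is not code from the post: a small POSIX sh matcher (hypothetical function name wildcard_matches) applying the RFC 6125 rule that "*" in a certificate name covers exactly one left-most DNS label and never spans a dot, so *.the-site.com covers a.the-site.com but not www.a.the-site.com.

```shell
#!/bin/sh
# Added example: left-most-label wildcard matching as browsers apply it.
# Returns 0 when the certificate name pattern covers the host, 1 otherwise.
wildcard_matches() {
  pattern=$1; host=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}              # e.g. the-site.com
      # host must be exactly <one non-empty, dot-free label>.<suffix>
      case "$host" in
        *."$suffix")
          label=${host%."$suffix"}
          [ -n "$label" ] && [ "${label#*.}" = "$label" ] ;;
        *) return 1 ;;
      esac ;;
    *) [ "$pattern" = "$host" ] ;;     # no wildcard: exact match only
  esac
}
```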

Zscaler Intermediate Certificate [closed]

Our company recently implemented Zscaler proxy filtering, which I just learned uses a root certificate pushed out to all of our machines to forge SSL certificates for mitm filtering of our traffic. Personally I'm not happy about this, but we do a lot of sensitive work, so I'm not going to complain.
But now I'm noticing they don't seem to be doing it consistently. For instance, if I go to Facebook on the work network, the certificate is signed by ZScaler Intermediate Root CA, which clearly means it's been compromised. But if I go to, say, my bank, it says it's signed by Verisign. Am I right in thinking that means the bank connection has not been intercepted and is still end to end encrypted?
Zscaler allows the administrator to configure which sites/domains/categories will or will not be decrypted for inspection. It sounds like your admins have disabled SSL decryption sites in the finance category, and thus traffic to your bank is not being decrypted, whilst traffic to Facebook is.
As far as determining which traffic is and is not being decrypted you are exactly right - check the SSL certificate and if it's signed by the Zscaler certificate then the traffic is being Man-In-The-Middle'ed. If it's signed by any other certificate (including Verisign/etc) then it's NOT being MITM'ed.

https with Startcom SSL not working properly [closed]

What I want to do is make my website available via https without getting this browser warning that the site is not trusted.
I created an SSL certificate for my domain and configured the Apache webserver to use it in default-ssl. Calling my site with https:// works, but in every browser on every device I get the message that no issuer chain was provided. In Firefox it looks like:
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
What did I understand wrong with SSL?
The certificate you get is not directly signed by the Root-CA, but by an intermediate CA, which by itself got signed by the Root-CA. You have to add this intermediate CA to the certificates your server sends to the client, because the client only trusts the Root-CA and does not know the intermediate CA.
The process is described in various places, like https://eldon.me/?p=34
You say Startcom SSL - do you mean the free one? If so - that's a normal and important behavior of these browsers (well, your free certificate isn't validated - no proof that this certificate really belongs to you). I actually hope there is no way around that.
Don't get me wrong - CAs have their advantages as well as disadvantages. What you could do for your users is take part in the web of trust, yet it won't help on that topic.
What you personally can do is view the certificate (when the warning is displayed - don't directly click for a temporary exception) and then there is an option to permanently save an exception for that certificate.
But you have to do that on every browser (once) and it just works for you; every other user visiting the site has to do the same.

SSL trust chain validation [closed]

I have a general question. Theoretically, if you have the following trust chain: RootCA -> IntermediateCA -> MyDomainCertificate, one should verify 2 certificates in order to verify your certificate. When I send MyDomainCertificate.crt (X509v3) to someone for verification, do I have to send him the whole chain? Is the verifier able to download all intermediate certificates automatically?
This is how I hope it works:
I send MyDomainCertificate.crt to someone and he wants to verify it.
The verifier needs IntermediateCA.crt (the certificate of my issuer) in order to verify MyDomainCertificate.crt, so he downloads it automatically.
The verifier needs RootCA.crt in order to verify IntermediateCA.crt. The verifier has this root certificate locally and completes the verification process.
Examples:
Firefox has to be able to check all server certificates. Is Firefox able to download all intermediate certificates automatically, or do all servers send the complete trust chain?
If I have client authentication, does Tomcat download automatically all intermediate certificates, or do all clients send the complete trust chain for their certificates?
I hope someone can help my theory/practice confusion. Thanks!
Configuring SSL should always include installing the intermediate certificates (trust chain), because some browsers only have the root certificate and don't have the intermediate certificate, so your web server should send a copy of the intermediate certificate to the client.
You can use openssl to verify your SSL configuration. Read this post:
https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
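The chain behaviour this answer and the Startcom answer above describe, together with the two fixes from the first answer (a chain validated up to a trust root, or a self-signed certificate whose fingerprint the client pins), as an added example that is not code from any of the posters: a constructed mini-PKI built with the openssl CLI (assumed 1.1.1 or later, with mktemp available), verified with and without the intermediate, plus a fingerprint pin on the self-signed root. RootCA, IntermediateCA and api.example.test are placeholder names.

```shell
#!/bin/sh
# Constructed mini-PKI: RootCA -> IntermediateCA -> server leaf. Nothing here is the
# posters' infrastructure; names are placeholders. Needs openssl 1.1.1+ in PATH.
set -e
WORK=$(mktemp -d); cd "$WORK"

gen_chain() {
  # Root CA: self-signed; the only certificate the client trusts a priori.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=RootCA" \
    -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: CSR signed by the root and marked as a CA so it may issue.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=IntermediateCA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
  # Server leaf: issued by the intermediate, hostname bound via subjectAltName.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Client has only the root, server sent only its leaf: the chain cannot be built,
# which Firefox reports as sec_error_unknown_issuer. Prints "ok" or "fail".
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && echo ok || echo fail
}

# Server also sends the intermediate (-untrusted is openssl's stand-in for "received
# on the wire"): leaf -> intermediate -> root now validates link by link.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Self-signed alternative from the first answer: nothing to chain, so the client
# pins the SHA-256 fingerprint of the one certificate it expects (lower-case hex).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
pin_matches() { [ "$(cert_fingerprint "$1")" = "$2" ]; }

# wget equivalent of the validated case (not run here, there is no server):
#   wget --ca-certificate=root.pem --header "keyFile: $hashkey" -q -O - "$mediaplayersurl"
# instead of --no-check-certificate, so the key header is only sent once chain,
# validity dates and hostname have been checked.
```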