At work we are always having numerous problems with our x.509 certificates that we use for https and I was wondering is there a useful alternative for securing the communication between a server and the browser.
Edit
Could also be that we are using IIS x.509 and WCF
Force site to only allow local traffic and use VPN to restrict access to local network. Other than that you will need to use HTTPS to force encryption.
Related
I have a quick question on opting the SSL Certificate for the Web Application. In the Web Application, am using Kestrel as WebServer and application is not configured in IIS.
For Customers, I install the Application as a Service in Server Machine and its used by the employees only in intranet. Now the address of my application is http://machineName:port but I would like to have https://machineName:port.
Question 1) Is this possible for the Intranet sites?
Question 2) Will SSL be really needed in this case?
Qeustion 3) SSL works, only if I configure Web Application with IIS?
Yes it is possible. As long as the certificate is trusted by the clients. You can create a self signed certificate and have client machines add it to trusted root certificate authorities in windows. Or if the intranet is using a windows domain, you can have a Certificate Authority trusted by domain computers issue the certificate.
SSL is always better even in intranet and localhost scenarios. It ensures site identity, encrypts traffic, etc. Whether it is needed depends on the site. Some browser functionality such as using the camera/mic won't work unless the website is using SSL.
Kestrel allows using SSL. Checkout docs here.
I have a Flask API which has no database but just a json file that stores the data. At the moment I have put it on an EC2 and opened a port so someone can put in the IP address and port and have access to the API that way. The problem with this is that I get a mixed content error since the site it uses is HTTPS and the API is HTTP. I want to put the API behind HTTPS on a proper platform but I'm not sure where to start.
Is there a platform that I can host the API python file and the json file behind an HTTPS?
All of them? EC2 allows HTTPS (per #tawfikboujeh's comment). I don't actually know a hosting platform that would allow HTTP but not HTTPS.
There are some options in how you accomplish this:
Use a self-signed certificate. This will give you HTTPS but all the modern browsers will give a nasty warning to all your visitors.
Purchase a signed certification for you IP address from a CA. Just hope you don't have to change your IP address.
Purchase a domain and use Let's Encrypt to generate a signed certificate for you.
Option 3 would be the most robust solution, but it does carry the cost of a domain (maybe $10/year).
Google App Engine is perfect for this. SSL cert is free, and you would be in their free tier.
https://cloud.google.com/free
So,
I currently have a net core web api running in a windows VPS (amongst other things). When I make requests to this api, I would like to do so using https. It seems I need to have an SSL Cert on this VPS (which does not have a domain, just an IP).
The https API is on xxx.xxx.xxx.xxx:443
The net core application is published into a self-contained package and run as an .exe (i think using IIS express)
Ideally I would like to use a free SSL cert from something like zerossl.com or any viable alternative you may suggest
How can I go about making it so that if I access xxx.xxx.xxx.xxx:443/api/values, I get a secured icon in my browser?
Thanks
It seems I need to have an SSL Cert on this VPS (which does not have a domain, just an IP)
It is impossible to bind SSL Certificate to IP address.It must bind to domain.
Can anyone tell me about SSL and how it can be used to secure a website?
SSL is an encryption method to send data securely over http. If you've seen a site with https:// at the beginning that means that it is using SSL. To use ssl to secure your own site, you need hosting that supports it (most do), you need to purchase an SSL certificate from a signing authority (Verisign is an example), and you need to write into your web application to switch to ssl when needed.
SSL doesn't secure your website- it merely encrypts the flow of information between the server and the browser. Despite SSL, you would still be vulnerable to Cross Site Scripting, non-authenticated requests etc...
I have a vb.net application running as intranet on Win Server 2003. So should I use HTTPS instead of HTTP?
What is the difference or why should I if the answer is HTTPS? Is there any code in VB to redirect from HTTP to HTTPS?
Thanking you all in advance for your time and consideration.
You should use HTTPS to ensure reasonable protection from eavesdroppers and man-in-the-middle attacks. HTTPS creates a secure channel over the network, provided that adequate cipher suites are used and that the server certificate is verified and trusted.
An intranet is obviously less exposed than the public internet, but you should still use HTTPS if you are transferring sensitive data (such as passwords) from the server to the browsers.
Assuming you are using IIS to serve your website, you may want to check the following articles for further reading:
Microsoft Support - How To Set Up an HTTPS Service in IIS
Forcing HTTPS in IIS 6.0
Configure SSL on Your Website with IIS