AOSSL – Using SSL with Varnish

By April 4, 2016 Uncategorised No Comments

AOSSL(HTTPS) – Everywhere

The core values on which the internet has been built are trust and consumer confidence. With the rising trend on Web 2.0 and social networking sites people spend much more time online being logged-in and share much more information than credit card numbers. Henceforth, while building any web application that’s dealing with users personal data security is considered as first priority. To overcome such issues a security layer has been added to HTTP to make it more secure protocol for exchanging data over the Internet called SSL.

What is SSL?

SSL is an abbreviation for Secure Socket Layers. It was originally developed by Netscape. It allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text; leaving you vulnerable to third parties to hijack the data. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information. It can be well explained as a process wherein the data passed between the user and the server is encrypted/decrypted so that no external third party can hijack the connection and cannot gain any access to the data transferred between these two.

It can be considered as a digital passport that verifies credentials on both the ends(user & web-server). Once both the identities are verified and confirmed than SSL grants permission to create a secured connection through HTTPS. This process is accomplished using some certificates called SSL certificates. The key aspects on the SSL certificate consists of the following:

  • The owner’s name
  • The certificate’s serial number used for identification
  • The certificate’s expiration date
  • The certificate’s public key used to encrypt information
  • The certificate’s private key used to decrypt information (usually coming from a web server)

An SSL Certificate will also contain your domain name, your company name, your address, your city, your state, your country, the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. It affects only the connection between the server and end-user. It helps in creating an encrypted link between a server and a client. For example a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).

When is SSL important to have and what kind of “sensitive private data” needs protection?

Consider a scenario where you are sitting at a coffee shop and  as per modern trends on attracting customers allowing wifi within a range on your business area is oftenly common. In this situation if you are using coffee shop’s wifi then some eavesdropper or man-in-middle  can see what is typed into forms on non-SSL sites. The hacker can potentially obtain the login form credentials you are entering in some login form. Although, the risk to the website may not be much but to a user can affect and  may extend to sites and situations that are beyond your control, since that eavesdropper might use the password to login in other sites as well on your behalf.

The most sensitive personal data such as credit card numbers, ATM pin numbers, username, passwords, etc are the most obvious things that is needed to be protected. Whereas, other information  that is meant to be shared with others such as names, email addresses, phone numbers, and mailing addresses are not private. SSL does not really protect information that is already publicly available in more accessible formats such as the phone book.

How to implement SSL in website to protect users’ information?

To make your site secure and run on HTTPS you need to activate SSL on your web server where you will be prompted to complete a number of questions regarding your website and your company. Thereafter your web server will create two cryptographic keys – a Private Key and a Public Key. The Public Key is placed into a Certificate Signing Request (CSR) – a data file also containing your details. During SSL certificate application process, the CA (Certification Authority) validates your details regarding domain, company, etc and then will issue a SSL certificate. Whenever the request will be made to the web server, it will match issued SSL certificate to your Private Key and an encrypted link between the website and your customer’s web browser.

Is the web site really secure with SSL?

The answer is “No”.  SSL secures the network communication channel only. Most attacks on websites are actually done in one of the following ways:

  1. The server is attacked directly. This requires to have a good IT security policy to protect your server.

In other words, SSL does very little to prevent the website from being hacked.  It only prevents 3rd parties from listening to communication between the user and the website.

Is there any downside to using SSL when you don’t need it?

Yes. SSL not only encrypts information typed into forms by users, but also encrypts the text of web pages, style sheets, scripts, images, videos or any other elements present on the page, which is not required at all. This requires every user to pay a price in speed and performance might degrade as, much of the speed will be used to encrypt the unnecessary elements. Adding fuel to fire, it will also require money to purchase the certificate,private IP addresses, requires paperwork and verification by a third party, and certificate needs to be renewed once expired.

Checklist for buying SSL Certificate

  1. Ensure about security level of the Certificate Authority.
  2. It is important to know the server platform, validity of the certificates, number of servers that hosts a single domain and information about the organization. A certificate signing request is required from the server which is secured.
  3. Perform an extensive research on the SSL Reviews to find which CA provides the best in the industry.
  4. Have a check on the expiration of the SSL. It is pretty advisable to apply for a new one, a week before the old certificate expires, as the certificate authority needs a specified time to complete the validation process.
  5. Examine if the certificate authority is sure to provide enough technical support and assistance. It should be good if the CA extends support in fixing any issues that comes along your way.

Conclusion:

One should avoid using SSL certification for whole site as many on the pages might contain information that’s not required to be encrypted, causing low performance on the site. Instead, have all the pages encrypted that sends/receive information or either contains them.

Leave a Reply