Kyle Galbraith
Website Depot GitHub Twitter LinkedIn
← All Posts

Dear Internet, Stop Taking My Information Over HTTP

Written by
Kyle Galbraith
Published on
31 December 2017
Share
Share on TwitterShare on LinkedInShare on Hacker News
It has never been easier for developers to configure websites for access over HTTPS. Services like AWS Certificate Manager and Let's Encrypt are making it cheap and easy.
Build Docker images faster using build cache banner

It has never been easier for developers to configure websites for access over HTTPS. Services like AWS Certificate Manager and Let’s Encrypt are making it cheap and easy.

Of course there has never been an excuse for taking user information over HTTP. Configuring SSL for your website was once somewhat difficult. Nowadays it has become very simple and the need to do so has never been more important.

SSL does not guarantee 100% safety from things like a person in the middle attack. But, it does lower the potential risk.

Anatomy Of A Person In The Middle Attack

The general premise of a person in the middle attack is that there is an evil person sitting between the client and the server. Never trust the evil person. This evil doer is always there and you should never assume they are not.

Our villain is monitoring the requests coming from the client to the server. They want to gain information about the user. Things like passwords, emails, and even phone numbers are winning criteria for them. Requests passed from the client to the server over HTTP are in clear text for the villains eyes.

This is the general anatomy of a person in the middle attack (PITM). Passing passwords, emails, and other sensitive information shouldn’t happen over HTTP. It is far to easy for an attacker to siphon the information and use it against you.

Add SSL To Your Website

It is dirt cheap to add an SSL certificate to your website nowadays. I am most familiar with creating them in AWS Certificate Manager. Assuming you already have a Amazon Web Services account, you can create an SSL certificate by following these steps.

  1. Navigate to Certificate Manager in the AWS Console.
  2. Click Request a Certificate.
  3. In the Domain name input enter your website domain.
  4. Click Add another name to this certificate
  5. In the Domain name input enter my-awesome-site.com
  6. Click Next.
  7. Select Email validation.
  8. Click Review.
  9. Click Confirm and request.

For each domain entered you must confirm you are the owner of the domain via the email AWS sends. This will come to the email address you registered as the owner of the domain. The approval emails come from [email protected] with the subject “Certificate approval for your-site.com”.

Click the approval link in the email to approve the certificate request.

Once you have the certificate in AWS you can attach it to a Load Balancer in front of your EC2 web server. If you have a static website, you can attach it to a CloudFront distribution sitting in front of your S3 website.

Conclusion

The internet is moving more and more towards HTTPS for everything. Mainstream browsers like Google Chrome are beginning to show warnings to users when browsing a site over HTTP. What was once a bit cumbersome is now so simple there is no reason not to do it. Plain and simple, if you are taking user information on your website do not do it over HTTP.

© 2024 Kyle Galbraith