Dear Internet, Stop Taking My Information Over HTTP

📅 31 December, 2017 – Kyle Galbraith

It has never been easier for developers to configure websites for access over HTTPS. Services like AWS Certificate Manager and Let’s Encrypt are making it cheap and easy.

Of course there has never been an excuse for taking user information over HTTP. Configuring SSL for your website was once somewhat difficult. Nowadays it has become very simple and the need to do so has never been more important.

SSL does not guarantee 100% safety from things like a person in the middle attack, but it does lower the potential risk.

Anatomy Of A Person In The Middle Attack

The general premise of a person in the middle attack is that there is an evil person sitting between the client and the server. Never trust the evil person. This evil doer is always there and you should never assume they are not.

Our villain is monitoring the requests coming from the client to the server. They want to gain information about the user. Things like passwords, emails, and even phone numbers are winning criteria for them. Requests passed from the client to the server over HTTP are in clear text for the villain's eyes.

This is the general anatomy of a person in the middle attack (PITM). Passing passwords, emails, and other sensitive information shouldn’t happen over HTTP. It is far too easy for an attacker to siphon the information and use it against you.
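To make the "clear text" point concrete, here is an added example (not code from the original post) that parses a captured plain-HTTP login request and reports which sensitive form fields are readable to anyone on the path. The request bytes are constructed for the example and the list of sensitive field names is an assumption; the same check is what an auditor might run over traffic captured on their own network to confirm a site is still leaking credentials over HTTP.

```python
"""
Added example (not from the original post): parse a login form POSTed over
plain HTTP and show that the credentials sit on the wire in clear text.
The request bytes are constructed; SENSITIVE_FIELDS is an assumed list.
"""
from urllib.parse import parse_qs

# Constructed sample: a login form submitted over HTTP. A PITM, a shared
# Wi-Fi hotspot or an upstream proxy sees exactly these bytes. Over HTTPS the
# whole request, headers and body, is inside the TLS tunnel instead.
CAPTURED_HTTP_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: my-awesome-site.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=hunter2"
)

# Assumed form field names that should never travel over plain HTTP.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "ssn"}


def parse_http_request(raw: bytes) -> dict:
    """Split raw HTTP/1.1 request bytes into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def find_cleartext_credentials(raw: bytes) -> list:
    """Return (field, value) pairs for sensitive form fields visible in the request.

    This only works because the traffic is plain HTTP: nothing here decrypts
    anything, it just reads what the protocol already exposes.
    """
    req = parse_http_request(raw)
    content_type = req["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(req["body"].decode("utf-8"))
    return [(name, values[0]) for name, values in fields.items()
            if name.lower() in SENSITIVE_FIELDS]


if __name__ == "__main__":
    for field, value in find_cleartext_credentials(CAPTURED_HTTP_REQUEST):
        print(f"clear-text {field!r} on the wire for host "
              f"{parse_http_request(CAPTURED_HTTP_REQUEST)['headers']['host']}: {value!r}")
```

The point of the example is the absence of any decryption step: the password is recovered with nothing more than string splitting, which is exactly why the fix is moving the form to HTTPS rather than anything on the application side.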

Add SSL To Your Website

It is dirt cheap to add an SSL certificate to your website nowadays. I am most familiar with creating them in AWS Certificate Manager. Assuming you already have an Amazon Web Services account, you can create an SSL certificate by following these steps.

  1. Navigate to Certificate Manager in the AWS Console.
  2. Click Request a Certificate.
  3. In the Domain name input enter your website domain.
  4. Click Add another name to this certificate.
  5. In the Domain name input enter my-awesome-site.com
  6. Click Next.
  7. Select Email validation.
  8. Click Review.
  9. Click Confirm and request.

For each domain entered you must confirm you are the owner of the domain via the email AWS sends. This will come to the email address you registered as the owner of the domain. The approval emails come from no-reply@certificates.amazon.com with the subject “Certificate approval for your-site.com”.

Click the approval link in the email to approve the certificate request.

Once you have the certificate in AWS you can attach it to a Load Balancer in front of your EC2 web server. If you have a static website, you can attach it to a CloudFront distribution sitting in front of your S3 website.
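Attaching the certificate to the Load Balancer or CloudFront distribution means TLS is terminated there, and the EC2 instance behind it still receives plain HTTP. The application therefore cannot tell from its own socket whether the user connected over HTTPS; it has to read the X-Forwarded-Proto header that ALB and CloudFront add (a real header, assumed to be present in this deployment). The following added example (not code from the original post) is a small WSGI middleware that redirects any request the balancer received over http:// to https:// and adds a Strict-Transport-Security header so browsers stay on HTTPS afterwards; the hello_app, the environ values and the host name are constructed for the example.

```python
"""
Added example (not from the original post): force HTTPS behind an AWS load
balancer or CloudFront distribution that holds the certificate. The app
trusts the balancer's X-Forwarded-Proto header (assumed present) instead of
the local scheme, which is always "http" on the instance.
"""
from urllib.parse import quote

# One year, covering subdomains: browsers will refuse plain HTTP to this host.
HSTS = "max-age=31536000; includeSubDomains"


def force_https(app):
    """Wrap a WSGI app: redirect http:// requests, add HSTS to https:// responses."""
    def middleware(environ, start_response):
        # The balancer sets X-Forwarded-Proto to the scheme the client used.
        proto = environ.get("HTTP_X_FORWARDED_PROTO",
                            environ.get("wsgi.url_scheme", "http"))
        if proto != "https":
            host = environ.get("HTTP_HOST", "")
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            return start_response(
                status, headers + [("Strict-Transport-Security", HSTS)], exc_info)

        return app(environ, hsts_start_response)
    return middleware


def hello_app(environ, start_response):
    """Constructed placeholder application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


app = force_https(hello_app)


def call(environ):
    """Run the wrapped app against a WSGI environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def sample_environ(proto, path="/login", query="next=%2Faccount"):
    """Constructed environ approximating what ALB/CloudFront forwards to the instance."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
            "HTTP_HOST": "my-awesome-site.com", "HTTP_X_FORWARDED_PROTO": proto,
            "wsgi.url_scheme": "http"}  # the instance itself only ever sees http


if __name__ == "__main__":
    print(call(sample_environ("http")))   # 301 to the https:// URL
    print(call(sample_environ("https")))  # 200 with an HSTS header
```

Two caveats worth keeping in mind. First, the header is only trustworthy if the instance is reachable solely through the balancer (a security group that admits only the balancer), otherwise a client connecting directly could set X-Forwarded-Proto itself. Second, a redirect does not protect the first request: a login form POSTed over HTTP has already put the credentials on the wire before the 301 arrives, which is why the HSTS header matters, and why the form's action should point at https:// in the first place.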

Conclusion

The internet is moving more and more towards HTTPS for everything. Mainstream browsers like Google Chrome are beginning to show warnings to users when browsing a site over HTTP. What was once a bit cumbersome is now so simple there is no reason not to do it. Plain and simple, if you are taking user information on your website, do not do it over HTTP.

Want to check out my other projects?

I am a huge fan of the DEV community. If you have any questions or want to chat about different ideas relating to refactoring, reach out on Twitter.

Outside of blogging, I created a Learn AWS By Using It course. In the course, we focus on learning Amazon Web Services by actually using it to host, secure, and deliver static websites. It’s a simple problem, with many solutions, but it’s perfect for ramping up your understanding of AWS. I recently added two new bonus chapters to the course that focus on Infrastructure as Code and Continuous Deployment.

I also curate my own weekly newsletter. The Learn By Doing newsletter is packed full of awesome cloud, coding, and DevOps articles each week. Sign up to get it in your inbox.