I mentioned in Blog 16 – Security that I wanted to enable SSL (Secure Sockets Layer).
Standard HTTP is a communication channel between the web server and the browser. HTTP is not encrypted and leaves any communication between the server and browser open to eavesdropping. If someone were to intercept the traffic, they could easily see what was being passed back and forth. For a website that handles sensitive information this can’t happen. One way to help alleviate this risk is to add SSL, otherwise known as HTTPS, to the web server. HTTPS is an encrypted communication channel using trusted key pairs. Before data is sent from either end it is encrypted, then sent, and decrypted at the other end. If someone were to intercept the traffic they would not be able to read the data being sent back and forth.
The AWS Linux server that I am using to host my web server supports the HTTPS protocol. Using this tutorial, Configure Apache Web Server on Amazon Linux to use SSL/TLS, I enabled HTTPS on my web server.
Below are the steps to enable HTTPS:
First I checked to see if the web server was running. Then I checked to see if there were any updates. As you can see there were many. I think I need to do an update check regularly from now on.
Once the update has finished I could install the SSL (HTTPS) service.
When the SSL service had been installed, I restarted the web server so that the SSL service could start.
I could then go to my security group for the web server and add an HTTPS rule. I have set both inbound and outbound open to HTTPS traffic. This means that the web site can be accessed from anywhere. I have locked HTTP traffic to only 2 IP addresses now, for testing purposes.
Now if I go to the web site, but add https:// before the URL, the communication between the browser and the web server should be encrypted.
However, when I visit the website I am greeted by this:
Further down in the tutorial there is another step: Obtain a CA-signed Certificate.
I do not have a CA-signed Certificate. This is why I am receiving this warning when visiting the website. The Certificate verifies that you are the owner of the web site. Because my site does not have one of these certificates, Google Chrome cannot confirm that I am the owner. It thinks that the site could be a copy of the original, used to siphon information. To get a CA-signed certificate you need to apply for one.
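The steps listed above, and the check behind the browser warning, as an added example script. This is not code from the post or from the AWS tutorial. It assumes Amazon Linux 2 (systemd), that the AWS CLI is configured with permission to edit security groups, and the placeholder `SG_ID` (a hypothetical security group id) below; `enable_https`, `cert_summary`, `is_self_signed` and `check_host` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post or the AWS tutorial): the HTTPS enablement
# steps as a script, plus a check that explains the browser warning.
# Assumes Amazon Linux 2, sudo, the AWS CLI and the placeholder SG_ID below.

SG_ID="${SG_ID:-sg-PLACEHOLDER}"   # hypothetical security group id; set your own

# The steps from the post: confirm Apache is running, apply updates, install
# mod_ssl, restart Apache, open port 443 in the security group.
enable_https() {
    sudo systemctl is-active httpd            # is the web server running?
    sudo yum update -y                        # apply pending updates
    sudo yum install -y mod_ssl               # the Apache SSL/TLS module
    sudo systemctl restart httpd              # restart so Apache listens on 443
    # inbound HTTPS from anywhere (the post leaves HTTPS open to all)
    aws ec2 authorize-security-group-ingress \
        --group-id "$SG_ID" --protocol tcp --port 443 --cidr 0.0.0.0/0
}

# Fetch the certificate the server presents on :443 and print its subject,
# issuer and validity dates. This is what the browser inspects before warning.
cert_summary() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Given cert_summary output, return 0 when subject and issuer are identical.
# mod_ssl's default certificate is self-signed: nobody vouches for it, so
# Chrome cannot tell the real server from an impostor and shows the warning.
is_self_signed() {
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    [ -n "$subject" ] || return 1             # no subject line: not a cert summary
    [ "$subject" = "$issuer" ]
}

# Run the check against a host and explain the result.
check_host() {
    summary=$(cert_summary "$1") || return 1
    printf '%s\n' "$summary"
    if is_self_signed "$summary"; then
        echo "self-signed certificate: browsers warn until a CA-signed one is installed"
    else
        echo "certificate issued by a separate CA: no warning if the chain is trusted"
    fi
}

# Usage: ./enable_https.sh enable      (perform the steps on the instance)
#        ./enable_https.sh check HOST  (inspect what HOST serves on 443)
case "${1:-}" in
    enable) enable_https ;;
    check)  check_host "$2" ;;
esac
```

Running `check` against the freshly configured server shows the same subject and issuer, which is exactly the condition that makes Chrome display the warning described above; once a CA-signed certificate is installed the issuer becomes the CA and the check passes.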
This involves buying/obtaining a domain name for the website, like http://www.attendance.co.nz and making the web server use this domain.
Then you need to apply: “certificates generally cost money because of the labor involved in validating the requests, so it pays to shop around”, and it also takes time.
As this project is funded by me and I had already absorbed the cost of the Arduino components, I didn’t want to fund the purchase of a domain name and the cost of getting the certificate. If this system were being developed to be deployed then these steps could be taken, as they would be incorporated into the development price.
The website still operates as before, with HTTPS enabled. It shows that the option is there and has been explored.