Is possible to use Auth0 server over HTTP intead of HTTPS?
If yes, how to?
If not, why?
(I known the http is sniffeable)
It's not possible.
A secure transport layer is required on all of the communication flows used in the authorization protocols supported by Auth0: OAuth2, OIDC, SAML and WS-Federation. This is to ensure the security of items such as credentials, tokens, and personally identifiable information.
HTTPS is also required on mandatory for the administration Dashboard and every related service. Again, it wouldn't make sense to exchange information used to secure systems over an insecure protocol.
Related
I am developing an online-shop based on a Telegram Bot, and I need to host it on a VPS. What are the dangers if I use a self-signed SSL certificate?
I found online that there's a MiTM attack threat, but I couldn't find a detailed explanation on how it can be avoided when using a self-signed SSL.
For example, will it help if all requests are sent to/from a URL of type: www.example.com/?
This is based on my reading of the Telegram Bot API.
There are two ways to control your bot, both of which involve "reasonably" secure protocols that are hard to man-in-the-middle (MITM). First, all communications with the Telegram server using the Bot API uses HTTPS. You must authenticate the Telegram server by doing a proper certificate chain validation. Telegram both authenticates you and identifies you by checking the token you supply in your HTTP request. This token was given to you when you created your bot and must remain a secret.
In addition, you may also elect to receive updates via a webhook. This basically involves you running an HTTPS server using a self-signed certificate. However, you provide your certificate to Telegram over a secure mutually authenticated connection when you setup the webhook, so this eliminates the MITM threat. The Telegram documentation suggests a method you can use to verify that the connection is coming from Telegram.
CAVEATS:
I've never implemented a Telegram Bot, so this is just based on reading the Docs.
Simply because it looks secure to me after 10 minutes of study doesn't make it so. Since this is a unique protocol within HTTPS I would want to see some expert analysis before I'd be confident.
I understand that HTTTPS is secured and it requires SSL certificate issued by CA authority to make the application secure. But what I do not understand is that its in-depth difference with HTTP.
My question, as a user, if I make a request to an application with HTTP or if I make same request to HTTPS what is the actual difference? The traffic remains same to both. Is there any traffic filtering happening if I use HTTPS?
Thanks
HTTPS, as an application protocol is just HTTP over TLS, so there are very few differences, the s in the URL and some consequences for proxy, that is all.
Now you are speaking about the traffic and the filtering. Here you have a big difference because using TLS adds confidentiality and integrity: passive listeners will see nothing about the HTTP data exchanged, including headers. The only thing visible will be the hostname (taken from the https:// URL) as this is needed at the TLS level before HTTP even happens, through a mechanism called SNI (Server Name Indication) that is now used everywhere to be able to install multiple services using TLS under different names but with a single IP address.
I was wondering if there are any downsides to using HTTPS with HTTP Digest Authentication. I chose HTTP Digest because its fairly easy to incorporate for an api but its not the most secure because it uses MD5 and it is susceptible to Man in the middle attacks. Would combining HTTP Digest Authentication with HTTPS make a better solution or a bad one. I would greatly appreciate any advice. Thanks
Use of HTTP Digest authentication is definitely better with HTTPS as the encrypted tunnel is formed prior to sending the credentials. This (partially) negates the risk of MITM that basic auth and digest auth create.
Of course, if your system is built such that a client can accidentally hit an improper endpoint or still access it over HTTP (rather than just not listening on 80) then the credentials will still be transmitted insecurely.
HTTPS is widely used for security online. It offers security and integrity, but not authentication. To ensure the client is not talking to a man-in-the-middle, we have digital certificates and the PKI. It all works very well, except in the situation where the following criteria apply:
The server and client do not share a common, trusted root CA, therefore they cannot validate each other's certificates
Circumstances (eg. firewall, permissions, etc) do not permit the use of regular HTTPS protocol
The question is: can we still send secure, authenticated messages between the client and server, perhaps using Javascript?
Something along the lines of:
Client sends regular HTTP request to server
Server responds with page containing Javascript code
Client's Javascript asynchronously sends data to the server used to negotiate
Server runs some sort of script (eg. PHP) to establish the tunnel
Client and server communicate over the encrypted tunnel
I can see it being possible to send messages with security and integrity in this manner, but is it possible to authenticate without making use of the PKI, perhaps by exploiting the fact that the server can dynamically rewrite the Javascript sent to the client?
There is an issue in your step 2 - Server responds with page containing Javascript code :
how do you know someone sitting on wire is not modifying this Javascript since it is being transferred in plaintext? Basically, when X wants to authenticate Y, X should know something about Y- it could be public information such as public key/certificate or shared secret that it could verify
What makes https more secure than http?
The short answer is that https communication between your browser and the server are encrypted. While http traffic is sent in plain text. This means that anyone who can listen to the traffic can read it - this would include usernames and passwords). It also verifies the server to which you are connecting.
That it is encrypted. Read: en.wikipedia.org/wiki/HTTP_Secure
Anything not over HTTPS can be read by anyone snooping on your network.
Im quoting:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.
More information on TLS:
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
Also, HTTPS verifies that the site is who it claims to be, if the certificates are correct (signed by a known CA).
All traffic is encrypted. No one on your network can see what is going on (except for knowing where those packets are going to).
The identity of the remote server can be verified using certificates. So you also know that it really is your bank that you are talking to.
Optionally (and not in wide-spread use), the identity of the client can also be verified using certificates. This would allow for secure login to a site using chip cards instead of (or in addition to) passwords.
I want to be really pedantic, as I'm a security nerd :)
HTTPS uses SSL, and it's IETF-ratified cousin, TLS. SSL/TLS can offer four security services:
1) server authentication
2) channel encryption
3) channel tamper detection
4) client authentication
Usually you'll get server auth for free, but only if the host name and the common name in the server's SSL/TLS certificate match. If they don't match your browser will warn you. You usually get the channel defenses for free too, but that's only because the server and client negotiate to require such defenses. In theory, but rarely in practice, a server and client could agree to not use one or more of the channel defenses.
Finally, client authentication is when the server wants you to present a certificate (actually, to prove you have an associated private key) to verify you are you. Client authentication is rarely used.