Encrypt file transfer from client and server - encryption

I am developing an application using iOS/Android/AngularJS for the client side and Node.js for the server side.
I want to encrypt file transfers between the client and server for security.

For file transfer between a client and server use HTTPS (TLS 1.2). Everything but the address portion of the URL will be encrypted.
To avoid any MITM attacks you can pin the server certificate in the client.
You can do no better security-wise than using HTTPS.
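
As an added example (not part of the original answer), this is one way the certificate pinning suggested above could look in a Node.js client; iOS and Android clients would use their platform's equivalent. The helper names, the PUT upload and the pin format (base64 SHA-256 of the DER certificate) are assumptions.

```javascript
const crypto = require('crypto');
const https = require('https');
const tls = require('tls');

// Pin format used here (an assumption): base64 SHA-256 of the DER certificate.
function certPin(der) {
  return crypto.createHash('sha256').update(der).digest('base64');
}

// Builds a function for the TLS `checkServerIdentity` option.
// Contract: return undefined to accept the peer, an Error to reject it.
function makePinCheck(allowedPins) {
  const allowed = allowedPins.map((p) => Buffer.from(p, 'base64'));
  return function checkServerIdentity(host, cert) {
    if (!cert || !Buffer.isBuffer(cert.raw)) {
      return new Error('pinning: no peer certificate presented');
    }
    // Keep the normal hostname check; the pin is an additional constraint.
    const nameErr = tls.checkServerIdentity(host, cert);
    if (nameErr) return nameErr;
    const seen = crypto.createHash('sha256').update(cert.raw).digest();
    const ok = allowed.some(
      (pin) => pin.length === seen.length && crypto.timingSafeEqual(pin, seen));
    return ok ? undefined
      : new Error(`pinning: certificate for ${host} matches no configured pin`);
  };
}

// Hypothetical upload helper; host, path and pins come from the caller.
function uploadFile(host, path, body, pins) {
  return new Promise((resolve, reject) => {
    const req = https.request({
      host, path, method: 'PUT',
      minVersion: 'TLSv1.2',   // refuse older protocol versions
      agent: false,            // fresh connection, so the check always runs
      checkServerIdentity: makePinCheck(pins),
    }, (res) => {
      res.resume();
      res.on('end', () => resolve(res.statusCode));
    });
    req.on('error', reject);
    req.end(body);
  });
}
```

Ship at least two pins (the current certificate and its planned replacement), otherwise a routine certificate renewal on the server locks every deployed client out.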

Related

May I send a password directly to the server without encrypting it

I would like to build a user management system.
I think it's not secure to send a user's password from browsers to servers over HTTP.
But I'm not sure if it's secure to send messages to servers over HTTPS.
Can the password be attacked when using HTTPS?
Thanks

HTTPS encryption and GET parameters

I have a web service that exposes data via HTTPS.
For example: https://www.sito.it/api/users?acces_token=sfkjsdbhfskjdb
Suppose I have to query this web service from an app (Android or any other platform).
If someone intercepts traffic between the server and the app, can they see the access token?
Or not, because everything is encrypted by HTTPS?

When a secure connection is established between client and server, all the info about the connection (headers, parameters) is encrypted, so only the sender and receiver can see it.
What you have to take care of is not having any intermediate proxy in a secure connection between client and server.
Click here for a much more extensive and detailed explanation.

How can I see HTTP requests sent from client to Jersey Web service

As the title explains, I want to see the HTTP requests that are sent by my Android app client to my Jersey Web service.
Also, I'm using the https://github.com/kevinsawicki/http-request class for sending the requests, but I'm not sure if they are SSL encrypted. Can I see if they are encrypted by looking at the HTTP requests that arrive at my Web service?

If you have access to the server on which your web service is running, you can use Wireshark: https://www.wireshark.org/
This will trace and decode the TCP/IP protocol for you, and indeed show you if it's encrypted under SSL.
Assuming you own the server, and have full access, you can also install the Private Key from your server into Wireshark, and it will then show you decoded SSL traffic.

HTTPS key negotiation and tunneling over HTTP using Javascript

HTTPS is widely used for security online. It offers security and integrity, but not authentication. To ensure the client is not talking to a man-in-the-middle, we have digital certificates and the PKI. It all works very well, except in the situation where the following criteria apply:
- The server and client do not share a common, trusted root CA, therefore they cannot validate each other's certificates
- Circumstances (e.g. firewall, permissions, etc.) do not permit the use of regular HTTPS protocol
The question is: can we still send secure, authenticated messages between the client and server, perhaps using Javascript?
Something along the lines of:
1. Client sends regular HTTP request to server
2. Server responds with page containing Javascript code
3. Client's Javascript asynchronously sends data to the server used to negotiate
4. Server runs some sort of script (e.g. PHP) to establish the tunnel
5. Client and server communicate over the encrypted tunnel
I can see it being possible to send messages with security and integrity in this manner, but is it possible to authenticate without making use of the PKI, perhaps by exploiting the fact that the server can dynamically rewrite the Javascript sent to the client?

There is an issue in your step 2 (Server responds with page containing Javascript code):
How do you know someone sitting on the wire is not modifying this Javascript, since it is being transferred in plaintext? Basically, when X wants to authenticate Y, X should know something about Y: it could be public information such as a public key/certificate, or a shared secret that it could verify.

Client certificate authentication over HTTP (without HTTPS)

Can client certificates be used for authentication without HTTPS, only over HTTP on Windows IIS platform with ASP.NET?
I need to authenticate a client using a digital certificate and I can't use HTTPS.

No you can't, at least if the client is a web browser. Moreover, it doesn't make any sense.
