Need some help with HTTPS, certificates and signing - asp.net

I am quite new to HTTPS and cannot get my head around it.
Can someone suggest a good starting point for learning about HTTPS, certificates and signing?
Possibly with a working example in ASP.NET with IIS.

If all you are trying to do is have your site in HTTPS there is no code needed. All you need to do is set IIS to serve pages with HTTPS.
If that is all you want, you are better off asking this question in http://www.serverfault.com.
To get you started, here's a link on how to set up HTTPS in IIS 7: http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-70/

HTTPS is just normal HTTP traffic that is encrypted using SSL/TLS. The protocol is fairly straightforward. I wrote a detailed blow-by-blow of what happens at the start of a connection on my blog: The First Few Milliseconds of an HTTPS Connection.
It's unfortunate that the APIs built on top of the protocol are often much more complicated.


Is http to https port forwarding a vulnerability?

I work in an organisation where a TMG server with port forwarding has been used successfully for a number of years to forward all http traffic to https for a particular web application. This meant that http or https would work on URLs for that web application.
Recently this was seen as a security risk and http is no longer being advertised. For users this has caused an issue where all the links they had which were originally http no longer work and they are having to update all their links to https.
I can't quite figure out what the vulnerability is, and if someone could shed some knowledge I would really appreciate it.
How I understand it, there are 2 paths, http and https. The TMG server essentially acts as the gatekeeper that sits in front of the organisation's network and forces all http traffic down the https route instead, so at no point is there any http traffic into the network.
Thanks in advance.
I used the security stack exchange site as suggested by Guy Incognito which provided great explanations. https://security.stackexchange.com
See my post here:
https://security.stackexchange.com/questions/234742/is-http-to-https-port-forwarding-a-vulnerability/234751#234751

Can we make HTTPS connection without SSL certificate?

I've had some discussion with my colleague about whether we can make an HTTPS connection without using an SSL certificate. I'm quite confused about this. Can anyone explain this?
It's not possible to do HTTPS connections without SSL. The way it works is complicated and as mentioned in the comments there is a great answer here.
But to summarize the reason why it's not possible:
HTTPS needs an SSL certificate; you can think of SSL as the S in HTTPS, since the secure connection is made using the certificate. A client sends a request to a server, they do a secure handshake (which requires the certificate in order to create and verify the keys) and then proceed to business as usual.
Any browser will throw a million red flags if you try to circumvent this behavior. You could trick your own server into believing data is coming as HTTPS rather than HTTP in some cases (if you have control over it), but you won't be able to fool browsers.

Difference between HTTP vs HTTPS

I have a WordPress website and am getting a lot of errors day by day, so I would like to change my normal HTTP to HTTPS. Please can you explain whether it is very useful and secure for my website.
If your website does not have https in the web link, this means that you do not have SSL installed. Most modern web browsers treat any website without SSL installed as insecure. This may be one of the reasons for your website's issues.
I found the following answers to the question of the difference between HTTP and HTTPS.
Difference between HTTP and HTTPS
To know about the reasons for using SSL follow the link given below:
Reasons for using SSL
10,000ft view...
http is an unencrypted protocol for sending and retrieving data from servers in a web browser (among other uses). https is the same protocol but wrapped in SSL, a security tool that encrypts communications between the browser and server. This is what banks and other websites use to ensure your data (like financial info) is protected when sent to your browser and cannot be read by someone on the same network.
Check out articles like this and google the topic for more info.
Hope this helps.

asp.net webservice security without changing client side

We need to protect our webservices with SSL (https) or any other security mechanism. Our problem is that current clients (Delphi exes) have references to our http webservices fixed in code and we cannot change that code.
I've tried to implement a URL redirection rule from http to https but that didn't work because of the "handshake"... Changing the client to use the https reference did work but sadly we cannot do that for every client.
I know this question is in contradiction with encryption theories but I'll fire this question anyway in case anyone has any type of suggestion/idea to at least make the connection or data transfer more secure (either with or without the SSL protocol) without changing the client side.
Thanks,
Luke
You need some kind of transparent TCP tunneling software/hardware on the clients, so the encryption occurs without the Delphi clients noticing it.
My Google search using "transparent encrypted tunneling" keywords got this vendor of such solutions. There must be other vendors with similar solutions.
This is really a networking question.
PS: hardcoding the URL is the real problem here. After the tunneling palliative is done, change that, because this really will cause more headaches in future.
The client will be connecting over a port (non-SSL) that will need to remain. What you could possibly do is that if you allow access over both http and https, you could possibly only allow http from specific IP addresses if you know them? It's still not secure, but at least you know where the calls are coming from and can do something about that?

A proxy that acts as a man-in-the-middle between my tool (which only supports http) and https sites?

I've got a tool which I need to use with an https site, but it only supports http. I need some kind of proxy tool that can work as a man in the middle between my tool and the https site, making the requests seem like http to the tool. The connection would look like this:
Tool -> HTTP -> Proxy -> HTTPS -> Site -> HTTPS -> Proxy -> HTTP -> Tool
Does anyone know of a tool or something I can set up that will work for this purpose? I've already asked in a few IRC channels and searched Google, but I was honestly not sure how to word it when searching Google, and not sure which channel to ask in via IRC.
Any help would be greatly appreciated!
Fiddler (www.fiddler2.com) has this capability; you can change the URL from HTTP to HTTPS on the fly.
Try cURL. If your tool works with stdin/out, you can pipe your tool's stdin/out through curl. Also there is the library (libcurl) that you can use from within your code, if needed.
WebScarab might do it for you. It can act as a man-in-the-middle and you can alter requests on the fly.
Got any objection to an entire copy of Apache httpd with mod_proxy operating as a reverse proxy? Plausible instructions here.
"Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code."
There is also a guide on their site to wrap HTTP requests with Stunnel.
Looks like this SSL MITM proxy can do exactly what you're asking.
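The bridge the question describes (Tool -> HTTP -> local proxy -> HTTPS -> Site), as an added example that is not from any of the answers above: a small Python forwarder that listens on localhost for plain HTTP, re-issues each request to the HTTPS site with full certificate and hostname verification, and relays the response. The target name `example.com` and the local port are assumptions; the `rewrite_headers` helper and its hop-by-hop list are this example's own.

```python
"""Local HTTP -> HTTPS bridge for a tool that speaks only plain HTTP."""
import ssl
from http.client import HTTPSConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM_HOST = "example.com"    # assumed target site, not from the original thread
LISTEN = ("127.0.0.1", 8080)     # assumed local address the tool is pointed at

# Hop-by-hop headers describe one TCP connection and must not be relayed
# to the next hop (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade", "te", "trailer"}


def rewrite_headers(headers, upstream_host):
    """Return the headers to send upstream: drop hop-by-hop headers and
    replace Host, which the tool set to the bridge's address, with the real
    site name so virtual hosting on the HTTPS side picks the right site."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["Host"] = upstream_host
    return out


class Bridge(BaseHTTPRequestHandler):
    # One TLS context for all requests: system CA store, chain and hostname
    # verification on, so the bridge never silently accepts a bad certificate.
    ctx = ssl.create_default_context()

    def _relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        conn = HTTPSConnection(UPSTREAM_HOST, 443, context=self.ctx, timeout=15)
        try:
            conn.request(self.command, self.path, body=body,
                         headers=rewrite_headers(self.headers, UPSTREAM_HOST))
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except ssl.SSLCertVerificationError as e:
            # Surface an untrusted upstream certificate to the tool as an error.
            self.send_error(502, f"upstream certificate check failed: {e.verify_message}")
        finally:
            conn.close()

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _relay


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, Bridge).serve_forever()
```

Point the tool at http://127.0.0.1:8080/ and it talks plain HTTP on the loopback interface only, while everything that leaves the machine is TLS to the verified site.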
