I work at a university and have recently started managing our CAS(SSO) server. Many applications we own use the CAS protocol and are at subdomains we own (app1.univerity.edu, app2.univerity.edu). CAS supports wildcards in the resolution of allowed URLs. I realize it would not be secure to allow all URLs (*), but if my university owns university.edu, is it secure to allow all subdomains (*.university.edu)? Is there any way an attacker could exploit the server if my university owns the domain?
Related
Vendor has developed a website, which currently sits within enterprise managed Amazon Web Services (AWS) environment. However the vendor owns the domain name of the website.
The site is an ecommerce platform which allows users to submit personal information for the purchase of insurance products.
Would like to know if it is technically possible for the domain owner to redirect form submissions to a different server (without the enterprise knowing about it). Thank you!
It's possible.
As vendor owns the domain name, it can easily deploy a proxy server and resolve your website domain name to that proxy.
In this way, the proxy can intercept all user requests, do whatever it wants, before sending the requests to the real server (your server).
Essentially, this is a Man-in-the-middle attack:
a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
I have a SAAS application on node express. The app creates tenant sub-domains for each sign up like mybiz.ourgreatapp.com.
We want to allow the users to point a custom domain at that account/url, ie a domain they have bought.
somedomainibought.com---->mybiz.ourgreatapp.com
We also need that domain to be HTTPS.
Uur domain, and wildcard sub domains are SSL.
So: https://mybiz.ourgreatapp.com: works.
We have tried to solve the problem using https://www.cloudflare.com which works for our sub-domain routes but we can't set it up to use customers domains and point them at those routes.
How can we achieve this?
To create certificaes for different domains
You need to solve 2 problems:
that your customers should point their domains to your IP/domain in order to use your service. Solution for it: you can create a dedicated domain like cname.ourgreatapp.com. If customer wants to use his own custom domain - he should point his domain (in 99% cases it will be customer's subdomain) to your CNAME. In 1% cases when customer would like to attach domain - better to provide also public IP for such customers. As not all DNS providers support using CNAME for 1st level domain
that you need to issue certificate for the customer. When you issue a certificate, you must prove your rights for this domain (different certificates authorities provide multiple options in order to do it). Luckily when you already have a customer who already pointed to your CNAME - you can use "HTTP validation type" (when you should provide specific text at some URL and CA verifies that secret value is there by doing GET request. For example, free LetsEncrypt certificate provider will verify specific value at the URL customersdomain.com/.well-known/acme-challenge/)
This second step I suppose is too heavy to be handled by your node-express application. Better to extract SSL-signing logic to a separate layer, even to a separate micro-service.
In order to automate this process, you can create a service which will request SSL for all your customer's domains (for example by implementing ACME protocol, requesting certificates from LetsEncrypt). And setup proxy server which will proxy requests from all customer's domains, getting data and signing the responses with proper certificates.
Also you can check third party solutions which already do this from the box. For example, Kilo SSL, Cloudflare etc. I didn't try doing it with Cloudflare yet, but just checked that it's easy to do with KiloSSL
You can set up a reverse proxy (using nginx for example). Configure a virtual host with server name somedomainibought.com that does a proxy pass to https://mybiz.ourgreatapp.com/. Configure this virtual host to use ssl and listen on port 443.
Then, the Zone file for the domain somedomainibought.com must be configured with an A record pointing to the IP address of your reverse proxy.
One great advantage of using Azure Websites is that I can get secure HTTP (HTTPS) without doing nothing: I simply type https://xyz.azurewebsites.net and it works. I don't have to worry about certificates because I use the subdomain that Azure gives me (in the example it would be xyz)
So, what I usually do is that people come by through some registered domain I have, eg. http://www.my-application-homepage.com, and there, if they want to use my application, I redirect them to the subdomain at azurewebsites.net, using HTTPS.
Now, having said that:
I'm in need of upgrading to Azure Cloud Services or Azure Virtual Machines, because these have capabilities that Azure Websites don't . These two also offer a free subdomain: xyz.cloudapp.net, but my question is: will I get HTTPS there too? and how?
I searched in google for some cloudapp examples and what I tested was the following:
1) Connect through HTTP (ie. type http://xyz.cloudapp.net). Result: worked
2) Connect through HTTPS (ie. type https://xyz.cloudapp.net). Result: didn't work (chrome gave ERR_CONNECTION_TIMED_OUT)
No. HTTPS is not offered for .cloudapp.net domain as of today. Also since you don't own .cloudapp.net domain, I don't think you can buy a SSL certificate for that. If you want you could create a self-signed certificate and use that.
I would walk through the documentation listed here:
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
Since you're getting a timeout with HTTPS (rather than a certificate error), check that you have a HTTPS endpoint defined in ServiceDefinition.csdef.
Additionally, be aware that the redirect-to-subdomain approach isn't much more secure than using a self-signed certificate. The reason browsers reject self-signed certs is that they are vulnerable to spoofing attacks: a user can't detect if an attacker has, for example, hijacked the DNS to point to his IP address instead of yours, where he hosts a facade of your site that just collects passwords or whatever.
In your scenario, the cloned site could redirect to another a second clone, one that is a facade of your cloudapp.net site. It could be even be secured with the attacker's SSL certificate. Unless the user was trained to recognize the host name of the real cloudapp.net, she wouldn't know she was on the attacker's "secure" site.
** Update: This method is not valid as well, we got the certificate revoked after one week using it **
We use this approach for staging/dev servers:
If you don't want to use a self-signed certificate, one option is to purchase a cheap SSL certificate, e.g.:
https://www.ssls.com/comodo-ssl-certificates/positivessl.html
Then once you need to approve it you have to ask support to change the approver validation process: instead of sending an email to a admin#mydomain.cloudapp.net you can ask to change the validation process to placing a given file with a given file in the root of your website (you have to ask in the support / chat room about that option).
More info:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/791/16/alternative-methods-of-domain-control-validation-dcv
Let's suppose I have a web application that is accessed externally via http://webapp.mydomain.com and internally via http://webapp.intranetservername/
Do I need two SSL certificates? Or can the same SSL certificate be used?
You will need two SSL certificates, and the one for the intranet server will have to be self-signed, because certificate authorities are prohibited from signing certificates for internal domains (as there is no way to verify ownership of such a domain).
It is ordinarily possible to create a single SSL certificate that is valid for multiple domains (by using the Subject Alternate Name extension). However, again, a CA cannot sign one unless they can validate all of the domains it claims to be valid for.
In principle, you can have have a single certificate with two Subject Alternative Names for webapp.mydomain.com and webapp.intranetservername. In practice, that's not realistic, since no CA will issue something to .intranetservername, unless it's also a proper public domain name.
Generally speaking, if .intranetservername isn't a registered domain, no CA will issue a certificate for it, so you will have to use your own CA anyway.
If you can expect both types of clients (internally and externally) to trust your own CA, you could of course issue a certificate with two SANs with this CA.
If you expect different types of users (trusting only the default bundles of CAs or trusting your CA too), you'll have to use two certificates, one issued by each. You may also need to bind them to separate IP addresses (but availability of an extra internal IP address on a LAN isn't necessarily a problem).
More fundamentally, is there any good reason why you're calling the same web application, running on the same machine, by two distinct names, whether you access it internally or externally? Why can't people within the intranet talk to webapp.mydomain.com?
I presume this may be an attempt to increase security somehow, but if it's the same machine, it will be on both networks anyway, so I'm not sure what security improvement this name separation brings.
If you really want separate names, you could have them both on your external domain (e.g. webapp.mydomain.com and intranet.mydomain.com), and have a certificate issued by a well-known CA for both (I'm still not sure about the advantage of separating the names on the same machine, though). Indeed, certificate validation is only based on the name, and you can easily have your DNS servers point intranet.mydomain.com to a private IP address (e.g. 10.1.1.1). People from the outside won't be able to access that address, simply because it won't be routed, but it will work fine within your intranet (provided machines on the intranet are able to make DNS requests, some environments block this).
You will need two, since the SSL certification works on domain name, and you have two domain names there.
You could use the same on both, but there would be an error message displayed in most browsers warning users that the cert was not authentic.
You can get around the cost implication of having to register both with Verisign by self-certifying the intranet site, and distributing the self-cert to all of your employee browsers.
Depending on the size of the enterprise and number of users which will access "webapp.intranetservername" this may or may not be cheaper and easier than simply regging both domains with Verisign.
I have a site that lets users create subsites and use their own domain with the subsite (kinda like Posterous). I'd like to use SSL to protect user logins on the subsites and I only want to use one SSL certificate. What's the best way to do this?
I know that one solution is to have the login page on each subsite be HTTP but then POST the subsite login form to one central HTTPS url on the main site. I also know that this is not as secure as serving the whole login page using HTTPS because you're vulnerable to man-in-the-middle attacks. Is there a better way?
If it helps, each subsite can be accessed at subsite.mainsite.com in addition to the custom url (subsite.org, or whatever they choose).
Update: a wildcard cert won't work for me because it only works for subsite.mainsite.com but I need it to also work for subsite.org. Also, I need to be able to secure new domains as new sites get created so the solution must be able to handle that (e.g. it cannot require that the domains to be SSLed are known in advance).
What you need is a "Wildcard SSL certificate" for subdomains. If you want several main domains to be covered by one certificate, CAs offer multiple domain certificates. See InstantSSL offering and other CAs have similar.
So called Wildcard Certificates, while more expensive are valid for *.domain.com; e.g. http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/