Password hashing when registering a user - security

I know there are similar questions but I couldn't find something that answered my question.
When a new user registers (client - server) is there a common way of protecting these details when they are sent?
At the moment I am just concatenating the username-password-timestamp then sending as Base64 to the server over https.

The common and best way is https. Https already establishes a secure channel between the client and the server. You don't need anything more.
Please excuse me for the short answer. However if you really want the long answer then take a look at:
How to send password securely via HTTP using Javascript in absence of HTTPS?

Best practice to secure request payload between client / server during post request transmission node/express js

Narrowing down from a broad topic, I have a specific question (maybe a little bit 'tin-foil hat').
This question is regarding the best practices of securing data transmitted in a post request between the client and server. The background is a web app I'm developing to learn more about node and express js.
Although the example I'm using is for login credentials, it really could be about any information being transmitted in a post request from a form submit to an express server.
example:
Client submits form data through a button click event on the client. I'm using vue for the front end, but this is a generic question. On the client page I'm also using (inside an async function):
const resp = await axios.post("http://someurl.com/login", {client:email, pw:pw});
in chrome developer tools on the network tab i can see the request payload. In the example it looks like:
{client:"some email address", pw:"some password"}
Would it be better to transmit the payload already encrypted / encoded? Then have it decrypted / de-encoded on the server?
For transmitting sensitive information, is it better to use a signed cookie?
The plan, should I ever get through all of this, is to use Let's Encrypt for HTTPS.
Is it reasonable to only rely on HTTPS for protecting this type of payload?
For reference, on the express server, the password gets hashed and compared with a hashed version from a database. I've read about Helmet and csurf and intend to use them in the final product as well. There's a lot of great information in this answer, which is incredibly awesome and talks about the importance of HTTPS over HTTP.
Any additional references / thoughts / practical considerations are appreciated.
Using HTTPS will encrypt your payload between your client and the server.
Any JavaScript handling on the front end can be circumvented by users with enough knowledge, so all the front end is really there for is to facilitate a better user experience: password confirmation checking, correct fields filled out, etc.
Your main source of security will be your eventual LetsEncrypt HTTPS certificate and the hashing and salting applied at the server end. As you correctly surmised, HTTP sends passwords in clear text, which is bad. As a warning though, even HTTPS can be defeated if somebody wants it badly enough, with a number of techniques to hijack Certificate Authorities (I believe root CAs should be offline anyway) or modify trusted certificates on a user's PC.
Although it does depend on the amount of effort required by the hacker vs the potential return; hence the more you are trying to protect, the greater the security required before it becomes not worth the effort for any potential hacker to attempt to circumvent the security of a particular site. (Reputation hacks aside, of course.)
Hope this helps.

Do I need SSL for forums

I'm going to be setting up forums on my website. I will be using the MyBB client. Do I really need SSL to protect my visitors' username, password and email address?
Yes, it is best practice to use SSL when you are collecting information from users. If you don't, all your data will be visible in plain text, and if someone is sniffing the connection, they will see everything.
Do you need it to run a forum? No. But, since you mention you would like to protect your visitors' username, password, and email address (good on you), then I would highly recommend using TLS/SSL.
A more complete answer is provided here: Do I need SSL Cert for simple community site?
“Really need” is subjective. But SSL encryption is definitely a good practice – more so now than when the question was originally asked.
I’m assuming you’re referring to TLS and not SSL, but SSL ensures secure connections are established between your server and the user’s browser and that all traffic is encrypted. Who wants passwords to leak?
The other important thing is that browsers now display warning signs on sites that don’t use SSL, so for the 90% of times that everything would be fine, your user leaves because they were warned that your site is unsafe. Google is also penalizing sites that don’t use HTTPS with lower search rankings.

API authentication without SSL

I'm writing an API that will be hosted without SSL support and I need a way to authenticate the requests. Each client would have a different ID, but if requests were authorised with that, anyone with a packet sniffer could forge requests. Is it possible to make a secure system WITHOUT relying on SSL?
(Some thoughts I had included OAuth, could that be implemented?)
Many thanks
Have each client cryptographically sign its requests with a client-specific key. Verify the signature on the server.
Using cryptography is pretty simple. The main challenge is setting up the clients' keys. It'll be hard to do that securely without using SSL. There's no information in the question about how you set up client IDs, so I don't know if it's secure enough to set up keys at that point as well.
It's also going to be a problem if you serve the client code without SSL.
But hey, it's just an API you're building. Maybe the code that interacts with it is served over HTTPS. Or maybe the code is stored locally on the client.
I feel like a lot of people are going to complain about this answer though.

Can I make my own secure HTTP connection to a specific server

I am thinking about writing a secure connection between a specific client and a specific server over HTTP. Of course SSL is the best and most obvious choice. But I keep thinking I could do the cryptography myself.
Note that this isn't about connecting any client to a specific server, but a specific client (e.g. a Java client app on my PC) to a specific server (my website hosted somewhere else). So third-party certification doesn't seem necessary, since the server knows exactly which client to look out for and the client knows exactly which server to find.
If I want to upload a file from client to server, I could encrypt it manually (AES or other) and have the key hardcoded into the client app and also put in a file on the server, out of public view.
Please tell me if I'm crazy, stupid or pushing at windmills. Is my idea possible?
The short answer is, "No you can't." You can write some code that you think implements a secure connection, but actually it will be insecure. Designing and implementing a secure connection is a very skilled job; just see what a security consultant would charge you for doing that.
Since you are asking the question here, it is reasonable to assume that you are not such a person. Since you do not have the required skills and experience, anything you produce would be insecure.
Use existing standards where all the obvious errors, and a lot of the not so obvious ones, have been avoided for you.
Your idea is possible, and really, if you just need to send a file to a specific URL, it would be easier to make a POST request with encrypted data (if the URL/headers don't need to be secure for you).
Trying to roll your own replacement for SSL is a bad idea. Don't roll your own crypto. Instead, you should use SSL. It does what you need.
Given that you need to authenticate both the client and the server, you should use SSL with client certificates (as well as server certificates, which are standard).

How does secure authentication work in a web application

I understand how SSL works, so the browser sends the username/password encrypted. But what happens next?
Does the client receive a cookie? Is it secure? How does the server-browser communicate safely if the only https page is the login page?
I think if someone gets a copy of that cookie when it's being sent, they can access that account, no matter how encrypted the cookie is.
Actually I want to understand the process from login to logout in a secure web application.
Server: Tomcat, Apache ...
Platform: java, php, ...
Thank you
If anyone else trips onto this: I found this Wikipedia article on Session Fixation and this SO question very useful in answering this question, more so than the 90+ minute podcast from GRC (noted above), which is mostly related to SSL/TLS.
Episode 195 of the security now podcast deals with this topic in some depth. http://www.grc.com/securitynow.htm
You can either scan the transcript (which I would recommend doing first in order to find out whether it answers your questions) or listen to the whole episode.