In the last week I thought about converting my private Steem node into a public one and faced a problem: I do not want to provide an unsecured service! So I would like to secure the web service API, which can be done with SSL. To do so, a so-called SSL certificate is required, which can cost up to 300$ per year if you buy one.
To be honest, from my point of view that isn't worth it. But there are some alternatives out there which allow you to secure your web services with SSL for free, and that's what this small tutorial series will be about: in this part we will clarify some SSL basics, so those of you who don't know how it works will learn it. The next part will show:
- Two different ways to get a free SSL certificate for your web service
- What limitations there are
- And how to actually add it to an Apache web server
So let's get started!
What is SSL?
Secure Sockets Layer (SSL), or Transport Layer Security (TLS) as it is called nowadays, is a protocol that allows you to send your data through the network in a secure way. This is achieved by encrypting the data before sending it.
How does it work?
On your first request to the server, the server replies with a certificate. This certificate contains some required information about the way the data should be encrypted. The key point is that, beside this information, the certificate also names the "Certificate Authority" (CA) that created (signed) it. All your machines and applications contain a bunch of CAs that they trust by default. So if the delivered certificate has been created by one of the known and trusted CAs, your apps will trust this certificate. After those steps your communication is encrypted.
To be honest with you, the process is a little bit more complex, but the lines above should be enough to understand the basics. For those who want to know more, I'll just link a more accurate diagram below:
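The trust check described above is something every TLS client performs, and it is worth seeing where that decision is configured. The following Python example is added here and is not code from the original post: it builds the client-side context that implements the check (the server certificate must chain to a CA in the local trust store and must have been issued for the host name being connected to) next to the weak configuration that skips both checks, and reports how many CAs each one trusts and where the platform's CA bundle lives. It uses only Python's standard `ssl` module; the function names are the example's own.

```python
import ssl


def trusting_client_context() -> ssl.SSLContext:
    """The client configuration that implements the check described above:
    the server certificate must chain to a CA in the local trust store
    (CERT_REQUIRED) and must have been issued for the host name we connect to
    (check_hostname).  create_default_context() already sets both and loads
    the platform's trusted CAs; load_default_certs() is repeated here only to
    make that step visible."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def blind_client_context() -> ssl.SSLContext:
    """The weak setting, kept only for comparison: no trust store and no
    host-name check, so any certificate is accepted and an impostor server
    (the expired-domain scenario later in the post) is indistinguishable
    from the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """How many CA certificates the context currently trusts."""
    return ctx.cert_store_stats()["x509_ca"]


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context verifies, so the two settings can be compared."""
    return {
        "verifies_issuer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
        "trusted_cas": trusted_ca_count(ctx),
    }


def default_ca_locations() -> dict:
    """Where this Python/OpenSSL build looks for the platform's trusted CAs."""
    return ssl.get_default_verify_paths()._asdict()


if __name__ == "__main__":
    print("verifying client :", describe_context(trusting_client_context()))
    print("blind client     :", describe_context(blind_client_context()))
    print("CA bundle paths  :", default_ca_locations())
```

The number reported under `trusted_cas` for the verifying context is the "bunch of CAs" the text refers to; on a freshly built context it is zero, which is exactly why a client configured with `CERT_NONE` cannot tell a legitimate server from a copy of it.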
SSL certificate types
If you want to order an SSL certificate for your web service, you will be asked which certificate type you want to buy:
- DV Certificate
- OV Certificate
- EV Certificate
Those different types will be explained in the next chapters.
DV is the acronym for "Domain Validated", and DV certificates are the most common type of certificate. This kind of certificate contains an email address and verifies that mail address against the WHOIS record of your domain. It basically makes sure that the requested domain is owned by the party that requested the certificate.
OV means "Organisation Validated", and those certificates require additional validation. Beside the DV validations, the name of the company is also stored in the certificate. Due to that, you can make sure you are communicating with the correct web service and the correct company.
The maximum amount of trust can be achieved with "Extended Validation" (EV) certificates. The certificate request will require a lot more information than an email address and the company name. The benefit of those certificates is that they enable the "Green Bar" in your browser, which shows your customers that they can trust this site:
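The three types differ in what the certificate's subject actually asserts, and that difference is visible in the certificate itself. The following Python example is added here and is not code from the original post: it classifies certificates as DV, OV or EV from the subject fields in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and lists the host names each one is valid for. The rule it applies is that a DV certificate carries only domain names, an OV certificate adds an `organizationName`, and an EV certificate additionally carries the `businessCategory`, `jurisdictionCountryName` and `serialNumber` subject attributes required by the CA/Browser Forum's EV guidelines. The three sample certificates are constructed for the example (with OpenSSL's long attribute names) and are not real certificates.

```python
from typing import Dict, Tuple

# Subject attributes the CA/Browser Forum EV guidelines require in addition to
# the organisation name; a certificate carrying all of them went through
# extended validation.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert: dict) -> Dict[str, str]:
    """Flatten the 'subject' entry of a getpeercert() dict (a tuple of RDNs,
    each a tuple of (attribute, value) pairs) into a plain dict."""
    fields: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def dns_names(cert: dict) -> Tuple[str, ...]:
    """Host names the certificate is valid for: the subjectAltName DNS entries,
    falling back to the commonName for old certificates without any."""
    names = tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    if not names and "commonName" in subject_fields(cert):
        names = (subject_fields(cert)["commonName"],)
    return names


def validation_level(cert: dict) -> str:
    """DV: domain only.  OV: an organisation is named.  EV: organisation plus
    the EV-only registration attributes."""
    s = subject_fields(cert)
    if "organizationName" not in s:
        return "DV"
    if EV_SUBJECT_FIELDS <= s.keys():
        return "EV"
    return "OV"


def describe_certificate(cert: dict) -> dict:
    s = subject_fields(cert)
    return {
        "level": validation_level(cert),
        "hosts": dns_names(cert),
        "organization": s.get("organizationName"),
    }


# Constructed sample certificates in the shape of getpeercert(); not real ones.
DV_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "www.example.test")),
}
OV_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example GmbH"),),
        (("commonName", "api.example.test"),),
    ),
    "subjectAltName": (("DNS", "api.example.test"),),
}
EV_CERT = {
    "subject": (
        (("jurisdictionCountryName", "DE"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "HRB 000000"),),
        (("countryName", "DE"),),
        (("organizationName", "Example GmbH"),),
        (("commonName", "api.example.test"),),
    ),
    "subjectAltName": (("DNS", "api.example.test"),),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, describe_certificate(cert))
```

Note that all three sample certificates are valid for the same host name: the certificate type says nothing about how strong the encryption is, only how much the CA checked about who is behind the domain.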
Why is SSL so important?
To answer this question we will use an example: let's say I am sitting in a restaurant, using a public wifi, and communicating with a web service via HTTP.
In this scenario two pretty basic attacks can be performed:
- Basic man in the middle attacks
- Packet sniffing
Man in the middle attacks
Let's say the service that I am using is http://www.bittrade.eu, but the dumb idiot @dez1337 forgot to renew his domain and someone else bought it. This guy copied the service, so I'll see no difference and enter my Steem private keys there. After some days I miss some Steem in my account.
Packet sniffing
You have to be aware of the fact that everyone in the same network can read every single packet you send, using pretty basic tools like Wireshark.
Without encryption, everyone else in the restaurant is able to read the data, like form inputs, that I've sent to the web service. This becomes pretty critical if I provide my Steem keys, for example.
SSL to the rescue
The basic SSL/TLS features protect me from both kinds of attacks by encrypting the data and verifying the host. Those features make SSL/TLS quite important, and if your service handles critical data it is also a must-have.
That's it for today! Stay tuned for the next part, where we will do some hands-on work. So make sure you will not miss it by pressing the button below :)
Thanks for reading and best regards!