Web Security Web Security

Challenge 9: Defend Against Man-in-the-Middle Attack

Check out a free preview of the full Web Security course:
The "Challenge 9: Defend Against Man-in-the-Middle Attack" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

In this challenge, students generate a private, serve the course demo application over HTTPS, and add a certificate to OS's trust store.

Get Unlimited Access Now

Transcript from the "Challenge 9: Defend Against Man-in-the-Middle Attack" Lesson

[00:00:00]
>> Mike North: You're gonna generate an RSA private/public key pair. Don't worry about the 2048 that was in the first command on the last page. So make sure it's valid for one day. And then if you look in the server/indexjs file, you'll see that there's a point where we're using a module, Node module called HTTP.

[00:00:23] We're gonna use HTTPS instead, and you're gonna create a server that looks kinda like this. So you're gonna swap out the plain HTTP thing that the server is using for this, and then add the certificate to your operating system's trust store. And I've got links for various Windows and OS X hints for how one would go about doing that.

[00:00:46] Make sure you keep it short. Good idea when using development certificates, only a couple days. They're easy to remake, but if one gets stolen, you want to know that your risk is closed in terms of time. You can always untrust, but you'll never remember to do that.