Web Security Web Security

Challenge 9: Solution

Check out a free preview of the full Web Security course:
The "Challenge 9: Solution" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike walks through the solution to Challenge 9.

Get Unlimited Access Now

Transcript from the "Challenge 9: Solution" Lesson

[00:00:00]
>> Mike North: So we're gonna learn how to defend against man in the middle attacks by installing a certificate in our app and serving our site over https instead of plain http.
>> Mike North: So what we will end up doing, I'm just gonna copy this little bit of text here, we will need that in a moment.

[00:00:21] Go over to our app, and I can delete this, that was just our demo for making subresource integrity. We go into index.js and I'm just going to find out where http is used. I could just do it right here. Or you know what? I actually think it's in a different file, crap.

[00:00:46] Yep, there it is. index.js, not serverindex.js. So we've got this http here. We're gonna basically replace it with https, so we can just go ahead and add that here. I'm gonna carry this with me as we find where that was used. Should be a little red squiggle now because we don't have that defined anymore.

[00:01:13]
>> Mike North: There it is, http create server. So here's our new method for creating a server with https. We don't want this anymore. And we've got a file name and we've got a key, and then the key passphrase. So, all that's left is for us to generate a certificate.

[00:01:33] So let's go through those openSSL commands. So first, generating the secure key.
>> Mike North: Did I do something wrong? Maybe I flipped this. Turns out pasting multi-line is not nice. Okay, so now we're being asked to enter a passphrase. This, private keys are not something that you want to store in their unencrypted form.

[00:02:07] You basically want this to be locked with the password, symmetric encrypted. It's like it is half of a public key encryption key pair and we're going to symmetric encrypt this so that any time we wanna use it we must provide the pass key in order to use it.

[00:02:23] That means that if someone gets a hold of this file, they're basically gonna have to work really hard to open it up. So I'm gonna create a super, super safe password.
>> Mike North: Okay, so enter it again. All right, so now we have our key, and I'm gonna put that here.

[00:02:42] I'll build the path for that, so this is the proper way to do it in node.
>> Mike North: I'd do something like this.
>> Mike North: Or there's __dirname plus my, sorry comma separated my private key. So there we've got our path. And for a passphrase, I'm actually not going to commit this into my GIT repository.

[00:03:20] That would be a bad idea. What we're going to do here is pass this in as an environment variable. And that will mean that we can set that up on our production machines, whoever needs to know about it, but our source code is not gonna deal with this.

[00:03:34] So maybe our developers don't even have access to this private key. They probably shouldn't. And the SRA team, maybe only one or two people would have the ability to actually read this thing. Only the server that's running should be able to grab this. And if you work for an Internet scale company, like LinkedIn, I'm not sure, I don't think anybody has the ability, possibly at the executive level, they could grab the private key.

[00:04:01] But everyone else just refers to it in an abstract way and when our production apps have been up like they are gravid programmatically from something that manages the keys, right? So you don't want human hands touching this.
>> Mike North: We'll just call it passphrase. So now we need to generate a certificate.

[00:04:26] For that we need a public key. And I will get rid of these slashes in a moment.
>> Mike North: The private key's password. We need to enter this anytime we use it.
>> Mike North: Okay so now I've got my public key. We can look at what these look like. Here's my encrypted private key and you know that it's encrypted because you see this.

[00:04:57] If it weren't encrypted that word encrypted would be missing. Public key is not encrypted. Anyone can use this right? This is out there for the world to use. It is for creating messages only that the server can read. So there's the public key. No the encrypted word is not present.

[00:05:14] So now we will copy this. Use it for the cert as well. I think, we don't have a cert yet. One last step. Let me close all this. We don't need it anymore. So generate the certificate signing request. That's the next step. And this requires entering some additional information, where we would say, passphrase.

[00:05:43] Okay, so now. If you ever wondered where all the information when you look at a certificate, where all that comes from, this is it. This is where you enter the name of your business and the name of the server that you're looking to align with to name the certificate so it works for a particular domain.

[00:06:00] All of that happens now. So I'll say we're from the US. Our state is,
>> Mike North: Anyone know where Equifax is?
>> Mike North: State of confusion. We'll leave this out. Organization name, so [LAUGH] Private Data Disclosure Division
>> Mike North: Common name, so this is where we'd wanna do something that relates to our domain name.

[00:06:34] So see where it says FQDN? That's fully qualified domain name. And in this case, let's call it equihax.lvh.me. Because lvh.me is the wildcard domain we can use for localhost. We're gonna use this so that we can see like that, hey, it works for one domain. Here's a warning that we get when we try different domain.

[00:06:58] Email address.
>> Mike North: And challenge password. So we're not gonna add a challenge password to this certificate signing request. You would add this if you were sending it over a connection that you didn't trust and maybe the certificate authority would say here, use this challenge password to encrypt your CSR.

[00:07:25] We're not gonna bother with it, it is not as necessary to put it here as it would be on the private key.
>> Mike North: Okay, so now we've got our certificate signing request, and that's this thing here. Again, not readable.
>> Mike North: And the last step here is to generate, to sign that certificate and finally our certificate will end up being created.

[00:07:48] So delete all these new lines. We're gonna say days one instead of three. All right, and this should work. And it didn't, what's wrong? There's the key, there's the out, myrequest.csr that looks right. What are you complaining about openSSL? Unknown option myrequest.csr.
>> Mike North: That looks right, and there's definitely an in argument, is there not?

[00:08:27] There it is, in arg. Let's get rid of this, make sure I don't have a new line.
>> Mike North: Odd.
>> Mike North: So
>> Mike North: I'm just looking for other ones that I have run, just to see what those commands look like.
>> Mike North: Looks right. OpenSSL x509.
>> Mike North: Okay. Let me just check my file names one more time.

[00:09:45]
>> Mike North: My private key. My certificate there, my request.csr.
>> Mike North: Nope.
>> Mike North: All right. Days three.
>> Mike North: Come on now.
>> Mike North: Let's just try a part of the command. You need a private key to sign with obviously.
>> Mike North: Hm.
>> Student2: Is your private key there?
>> Mike North: It's right here.

[00:10:42] [CROSSTALK] You know what? No, I just created the CSR, it's just not giving me very useful output.
>> Mike North: There it is. Okay, what's the error message? Unknown option req. That was the one where I took the dash off, that I shouldn't have done.
>> Mike North: Okay, unknown option my-restquest.csr.

[00:11:14] I've got in, the input file, out is the output file.
>> Mike North: Actually this, that was the full command there.
>> Mike North: Unknown option my-request.cxr, which is there after in.
>> Mike North: I must have updated a version of my library or something.
>> Mike North: Let's try this. Maybe it's sensitive to order.

[00:12:16]
>> Student2: I pasted in what I used and what worked in the chat.
>> Student2: It looks exactly like what you've been doing but.
>> Mike North: Can you check your version?
>> Student2: Yeah.
>> Mike North: There is no version command on OpenSSL. Not user friendly, indeed.
>> Student2: Space version.
>> Mike North: There we go.

[00:12:57]
>> Student2: Yeah, we're on the same.
>> Mike North: [LAUGH] What? Okay, let me try hand creating this openssl x509 -req -in and then my-request. And then signkey, my.private.key, out my certificate.crt-days 1.
>> Mike North: Dear lord, that looks like exactly what I was typing. All right, we'll have to look at the instant replay on that but whatever.

[00:13:37] So passphrase for the private key. And we have created our certificate, here it is. So you'll note that if you get a certificate that is from a real certificate authority that signs this. You may get more than one file. You will usually get any intermediate certificates that you need in order to build what is called the whole trust chain.

[00:14:03] So you wanna see often times it is not really the trust root that signs your certificate. It would be an intermediate certificate authority signs your certificate, and it's maybe trusted by another intermediate authority, and then maybe that is trusted by the root. They really don't like to use the root to sign every certificate, simply because if something goes wrong, if something gets out, they have a lot of clean up to do, right?

[00:14:30] And so, if they want intermediate authorities that expire in a shorter period of time and that way you can manage this kind of stuff more easily. So, now we've got my private key and my certificate.CRT. And we should be able to start this up and see what happens.

[00:14:56]
>> Mike North: Okay, so now, oop. Anything wrong? No startlet, okay. So what we've done here is we've started here without providing that environment variable. https, this node module could not read my key. So I'll add my super secret passphrase.
>> Mike North: Don't tell anybody.
>> Student2: I had that same error.

[00:15:20]
>> Mike North: And it didn't work.
>> Mike North: God, it's so silly. I think.
>> Student2: So I just shoved my passphrase right in there.
>> Mike North: Into that?
>> Student2: Yeah, and I still had that funny error.
>> Mike North: Really strange.
>> Mike North: So server options.
>> Mike North: Clearly takes the passphrase, that's a string. It's got a cert and a key.

[00:16:16]
>> Mike North: Okay, so we've got my certificate just to double check, my-certificate.crt, my-private key is there. Honestly, I don't see any reason why this shouldn't work.
>> Mike North: Set cert.
>> Mike North: It cannot read that key for some reason. Okay, so we'll have to leave this as the last little bit of the solution that you'll look at the video course for and check out the commit for the solution on this.

[00:16:59] This is in general what you have to do. I for the life of me cannot understand what's going on here. So, it should be passphrase like that, but it is probably like a slightly different openSSL command to put the key in the right format that the server wants.