HTTPS and HTTP information

1: What are the benefits of using HTTPS over HTTP?
HTTPS means that you tunnel the HTTP protocol over TLS/SSL, which encrypts the HTTP payload. So the benefit is that HTTP requests and responses are transmitted securely over the wire, e.g. your Internet Service Provider cannot read the requests and responses you exchange.
2: How do you use HTTPS?
Enable it at your endpoint, in general the web server in front of your application server. Most web servers (e.g. IIS, Apache) support this through configuration. Depending on your confidentiality requirements this may not be enough.
3: Can we use HTTPS only for the login and then HTTP onwards?
Technically this is possible, but it introduces security risks. Example: after a secured login you transmit session IDs that identify the user. If you transmit those session IDs insecurely (no SSL), session hijacking becomes a risk ('man-in-the-middle').
4: What settings need to be made to make a website HTTPS?
See #2. In public Internet scenarios you should request (buy) a certificate from a Certificate Authority (CA), so that end-user clients can verify whether they should trust your certificate.
5: Are there any threats present in HTTPS?
In the protocol itself there is a slight risk of man-in-the-middle attacks, e.g. a proxy between the client and the server could pretend to be the server itself (this requires a successful attack on the network infrastructure, e.g. DNS). There are several other, 'more obscure' risks that do not relate to the protocol itself, e.g.:
  • use of an outdated encryption key length (e.g. 256 bit)
  • loss of private keys or inappropriate key management procedures (e.g. keys sent via unencrypted email)
  • certificate authority failure (just look at the press releases of 2011)
6: Is the processing time required for HTTPS greater than for HTTP?
Yes, key negotiation (handshaking) requires a lot of CPU capacity.
7: Difference between HTTPS and HTTP?

    HTTP                                  HTTPS
    URL begins with "http://"             URL begins with "https://"
    It uses port 80 for communication     It uses port 443 for communication
    Unsecured                             Secured
    Operates at Application Layer         Operates at Transport Layer
    No encryption                         Encryption is present
    No certificates required              Certificates required


8: How to enable HTTPS in a web application?

First create the *.keystore and *.truststore files.
1> Open a command prompt (cmd), go to the C:\ drive with cd.., then change into the JDK bin directory with cd "C:\Program Files\Java\jdk1.6.0_31\bin" (copy the path and paste it after cd). Then continue with step 2.

2> keytool -genkey -keystore "kartik.keystore" -alias "<your computer's full name, e.g. KARTIK-PC as used below>" -keyalg RSA

    
        Enter keystore password: kartik                (choose a password; here: kartik)
        What is your first and last name?
          [Unknown]:  172.30.70.53                     (if you have a domain name, enter it here)
        What is the name of your organizational unit?
          [Unknown]:  Development
        What is the name of your organization?
          [Unknown]:  Tarang
        What is the name of your City or Locality?
          [Unknown]:  Bangalore
        What is the name of your State or Province?
          [Unknown]:  Karnataka
        What is the two-letter country code for this unit?
          [Unknown]:  IN
        Is CN=172.30.70.53, OU=Development, O=Tarang, L=Bangalore, ST=Karnataka, C=India?
          [no]:  yes

        Enter key password for
                (RETURN if same as keystore password): kartik   (choose a password; here: kartik)



3> After that, the kartik.keystore file is created in this location, i.e. C:\Program Files\Java\jdk1.6.0_31\bin.

4> After that, go to the server side, take this "kartik.keystore" and open the same command prompt there. (Step 4 i below is optional.)

4 i> keytool -importkeystore -srckeystore kartik.keystore -destkeystore kcm.p12 -deststoretype PKCS12
4 ii> To sign a JAR file:
   jarsigner -keystore kartik.keystore -signedjar sCount.jar Count.jar KARTIK-PC

5> keytool -export -keystore kartik.keystore -storepass kartik -alias KARTIK-PC -file kartik.cer

6> keytool -import -keystore kartik.truststore -storepass kartik -trustcacerts -alias KARTIK-PC -file kartik.cer


For the web application, in Tomcat's server.xml file:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="D://Certificate//Certificate//kartik//kartik.keyStore"
           keystorePass="kartik" maxThreads="150" port="8443" protocol="HTTP/1.1"
           scheme="https" secure="true" sslProtocol="TLS"/>
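The interactive steps 2, 5 and 6 above can be scripted so that the keystore, the exported certificate and the truststore are produced and checked in one go. This is an added example written for this post, not code from the original; it reuses the post's names (kartik.keystore, KARTIK-PC, kartik.cer, kartik.truststore, the CN 172.30.70.53 and the password kartik), while the key size, validity period and the exit-code convention are assumptions. It is written for a POSIX shell; the keytool invocations themselves are identical on Windows.

```shell
#!/bin/sh
# Scripted version of steps 2, 5 and 6: create the server keystore, export its
# certificate and import that certificate into a truststore.  The names and the
# password are the ones used in the post; keysize, validity and the exit codes
# are assumptions made for this example.
set -u

ALIAS="KARTIK-PC"
STOREPASS="kartik"
KEYSTORE="kartik.keystore"
TRUSTSTORE="kartik.truststore"
CERT="kartik.cer"
# The same DN the interactive prompts of step 2 collected.
DNAME="CN=172.30.70.53, OU=Development, O=Tarang, L=Bangalore, ST=Karnataka, C=IN"

# Exit code 3 means keytool is not on PATH; 1 means keytool itself failed.
have_keytool() { command -v keytool >/dev/null 2>&1; }

make_keystore() {
  have_keytool || return 3
  rm -f "$KEYSTORE" "$TRUSTSTORE" "$CERT"
  # Step 2 without prompts: -dname replaces the questions, -genkeypair is the
  # current name of -genkey.  On JDK 9+ the default store type is already
  # PKCS12, so the conversion of step 4 i is then unnecessary.
  keytool -genkeypair -keystore "$KEYSTORE" -storepass "$STOREPASS" \
      -keypass "$STOREPASS" -alias "$ALIAS" -keyalg RSA -keysize 2048 \
      -validity 365 -dname "$DNAME" || return 1
  # Step 5: export the public certificate.
  keytool -export -keystore "$KEYSTORE" -storepass "$STOREPASS" \
      -alias "$ALIAS" -file "$CERT" || return 1
  # Step 6: import it into the truststore; -noprompt answers the
  # "Trust this certificate?" question that keytool would otherwise ask.
  keytool -import -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
      -trustcacerts -alias "$ALIAS" -file "$CERT" -noprompt || return 1
}

# Check the result: the keystore must hold a private-key entry for the alias
# (printed as PrivateKeyEntry, or keyEntry on JDK 6) and the truststore a
# trustedCertEntry.  Same exit-code convention as make_keystore.
verify_stores() {
  have_keytool || return 3
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
      | grep -qiE 'PrivateKeyEntry|keyEntry' || return 1
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
      | grep -qi 'trustedCertEntry' || return 1
}
```

Run make_keystore && verify_stores from the directory where the keystore should live; the keystoreFile attribute of the HTTPS connector then points at that kartik.keystore.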



1 comment:

Unknown (admin), 27 February 2015 at 03:33:
It's awesome, Kartik. Keep it up.
