Lab 4: HTTPS and Encryption Techniques

Questions and Answers

What is the primary purpose of implementing HTTPS in the web application?

To secure communications and validate the server (correct)

To increase the website's loading speed

To enable user-specific verification

To change the server's IP address

What does TLS validate during the communication process?

The server's identity (correct)

The encryption method used

The client's identity

Both the client and server's identities

Which of the following is true regarding client validation in HTTPS solutions?

Clients must always be validated to use HTTPS.

Only clients with a CA-signed certificate can connect.

Client validation is optional and typically not needed. (correct)

Clients are always automatically validated.

What method is suggested for client authentication after a TLS handshake?

Username and password combination

In which scenario is it most important to validate the client's identity?

When sensitive data is being transmitted

What kind of certificate will be used for converting the existing website in the lab?

Self-signed certificate

What kind of encryption is implied to be used for enhancing security in web communications?

TLS encryption for secure channels

What is the purpose of modifying your system to use your RULE host as a DNS server?

To enable browsing to the four unique web sites hosted on the RULE server.

What needs to be configured on the rule host before modifying the web site to use HTTPS?

Initial setup for the four web sites must be complete

Where can you find the hosts file on a Mac or Linux device?

/etc/hosts

What type of certificate must be created for the Pass Task to protect the specified HTTPS site?

A self-signed certificate

Which key does the server application use to encrypt communications with the browser?

Private key

Which statement about the use of key pairs in establishing an encrypted channel is correct?

The browser generates a temporary public/private key pair.

What might be a workaround for using a RULE host as a DNS server on a Swinburne PC?

Use a browser add-on that simulates DNS functionality.

What is needed from the previous labs to create a self-signed certificate?

Both the generated private key file and the signed certificate

What is the correct command to restart the DNS server after making configuration changes?

/usr/local/etc/rc.d/named restart

Which algorithm is adapted for establishing an encrypted channel using key pairs?

Diffie-Hellman algorithm

Which configuration files need to be modified for the web server?

httpd.conf and httpd-vhosts.conf

What should be done after modifying configuration files for the web server?

Restart the web server

In the httpd-vhosts.conf file, what aspects need to be changed from rule201 to ruleXX?

All instances of rule201

What is the purpose of the ErrorLog in the web server configuration?

To log error messages for troubleshooting

What IP address should all five names resolve to after making the DNS changes?

136.186.230.XX

What does the CustomLog track in the web server configuration?

Successful access attempts to the web server

What is the first step to take when updating the DNS configuration?

Change the PTR value to ruleXX.tne30024.

Where should the site name be encoded in a modern SSL certificate?

Both the commonName and subjectAltName fields

What does the browser TLS implementation check before allowing a connection?

The subjectAltName matches the name of the server

What is the recommended form of the DNS entry in the subjectAltName field for a self-signed certificate?

selfsigned.tne30024

What is a critical security practice regarding the installation of private keys?

Never install the private key in the directory that hosts the actual website

What is the purpose of the Apache SSL module?

To provide all https:// functionality

In which file must the Apache web server be configured to enable SSL?

/usr/local/etc/apache24/httpd.conf

What must be done after enabling the SSL module for the selfsigned.tne30024 website?

Reconfigure the web server settings in httpd-vhosts.conf

What is best practice for storing the certificate on the web server?

Host the certificate in another directory from the website

What is the first change that needs to be made regarding Apache's configuration?

Configure Apache to accept connections on port 443

What must be included in the VirtualHost block to enable HTTPS?

SSL certificate and private key information

After making the necessary changes to the configuration, what is the next step?

Restart the Apache Server

What does a browser show when visiting a site with a self-signed certificate?

Untrusted certificate warning

What should you expect to see in the browser if the connection is correctly set up but the certificate is untrusted?

A red broken padlock icon

What is the function of the DocumentRoot in a VirtualHost configuration?

Specifies the directory for website files

Why is it necessary to accept the risk when visiting a site with a self-signed certificate?

To verify the site is authentic despite the untrusted certificate

What should be done before confirming encrypted communication using Wireshark?

Reload the web page

Study Notes

Lab 4 Modifying existing HTTP Website to use HTTPS and encryption

• The goal of this lab is to modify an existing HTTP website to use HTTPS and encrypt all communications.
• The lab uses a self-signed certificate to secure the website.
• HTTPS utilizes TLS as the communication protocol.

HTTPS Communication

• TLS ensures the client is communicating with an authorized entity.
• TLS encrypts communication to prevent unauthorized access.

Server & Client Authentication

• The client does not authenticate itself to the server.
• Client authentication is optional and can be implemented using username/password after the encrypted channel is established.
• When using HTTPS, any client can connect to the server.

Preparation

• The lab uses four websites hosted on a rule host.
• You need to customize the DNS and web server configuration with your rule host number.
• Updating the DNS server and web server configurations requires restarting the respective services.

DNS Config

• Update the DNS configuration files by changing the rule host number (XX) in the files.
• Confirm the DNS configuration changes by performing a DNS lookup on all five names.
• All five names should resolve to the same IP address.

Web Server Config

• Modify the web server configuration files to reflect your rule host number.
• Update the ServerName, ServerAlias, ErrorLog, and CustomLog fields within the VirtualHost block to reflect the corresponding rule host.
• Restart the web server after making changes to the configuration.

Testing Web Server

• Verify all four web sites are accessible by browsing to their URLs.
• You can use either your own device configured with your rule host as a DNS server, or modify your system's hosts file.

Methodology

• Convert https://selfsigned.tne30024 to a HTTPS website protected with a self-signed certificate.
• Verify encryption using Wireshark.

Certificate Creation

• Generate a self-signed certificate and corresponding private key.
• Include the website URL in both the commonName and subjectAltName fields of the certificate.
• Set the subjectAltName field to DNS:selfsigned.tne30024.

Installing the Certificate and Private Key

• Copy or install the certificate and private key files on the rule host in a directory with general access permissions.
• Store the private key in a directory that is not accessible by the browser, to ensure its security.
• Consider hosting the certificate in a dedicated folder for better organization.

Modifying the Web Site

• Enable the Apache SSL module in the /usr/local/etc/apache24/httpd.conf file.
• Reconfigure the selfsigned.tne30024 website in the /usr/local/etc/apache24/extra/httpd-vhosts.conf file.
• Configure the selfsigned.tne30024 VirtualHost block to accept connections on port 443.
• Specify the location of the certificate and private key in the VirtualHost block.

Testing the Solution

• Browse to the new HTTPS website (https://selfsigned.tne30024).
• Accept the security risk of an untrusted certificate and verify the website is displayed with a red broken padlock.
• Review the certificate details to confirm its validity.
• Reload the website while Wireshark is running to verify encrypted communication between the browser and your rule host.
• Use the automated marking script at http://ruleprimary1.caia.swin.edu.au/tne30024.php for evaluation if unable to use a browser.

Description

This lab focuses on modifying an existing HTTP website to implement HTTPS and encrypt all communications with a self-signed certificate. Students will learn about the TLS protocol, its role in server-client authentication, and the necessary preparations for updating DNS and web server configurations.