Chapter 12. Security Aspects

In this chapter, we will talk about different aspects of security. You will learn about validation of user data input and security best practices in our web application. This chapter covers the following topics:

  • Web security
  • Securing a server
  • Securing a client
  • Security best practices

Web security

Crime is a disease that plagues the minds of many individuals. Hackers are interested in everything from personal mailbox credentials to bank account details. The responsibility of maintaining security lies with web developers. Developers should use HTTPS to access web pages and resources with sensitive data.

Transport Layer Security and Secure Socket Layer at a glance

Secure Socket Layer (SSL) is one of the most common protocols in use on the Internet today. SSL is capable of securing any transmission over TCP. The Transport Layer Security (TLS) protocol is a successor of SSL and is based on the older SSL specifications. TLS Version 1.0 was defined for the first time in January 1999 as an upgrade of SSL Version 3.0. Both of them are based on asymmetric keys to encrypt data and digital certificates for authentication through an untrusted third party. We use TLS in a client-server model, but the client usually does not provide a certificate. Instead, the server is responsible for its own authentication through signed certificates and encryption via public and private keys.

There are several versions of protocols used in web browsing, e-mail, internet faxing, instant messaging, and Voice over IP (VoIP). TLS has the following benefits:

  • It encrypts information
  • It provides authentication
  • It accepts credit card payments on websites
  • It protects against phishing
  • It adds power to brands and improves customer trust

Information submitted on the Internet passes through more than one node in the network before reaching the final destination, so it can be obtained by a third party. A TLS certificate inserts random characters into the original information to change it beyond recognition so that only the proper encryption key can help decrypt it. Server certification is another type of protection issued when the server's owner obtains a TLS certificate. This certificate is available to the client to validate that the TLS certificate is up to date and the client's information is being delivered to the right place. Online businesses that use credit card payments must be in compliance with the Payment Card Industry standards. This means that the server needs a TLS certificate with the proper encryption of at least 128 bits. Online businesses often offer site seals and other brand images to indicate that a trusted encryption is in use. This information gives customers an added level of assurance and creates trust between the customer and the business.

The TLS certificate

It is difficult to decide at which level of the TCP/IP stack the TLS protocol belongs. The TLS security protocol describes how algorithms should be used and how the TLS certificate establishes a secure connection. To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a pair of private and public keys on your server. Then, you must send the CSR data file that contains the public key to a Certificate Authority (CA) in order to obtain the TLS certificate. The CA creates a data structure from the CSR file to match a private key in the future. The CA never sees the private key and it can't be compromised. Once you receive the TLS certificate, you can install it on the server. Dart uses the Network Security Services (NSS) library of Mozilla to handle TLS. We need to use certutil, a certificate database tool from NSS Security Tools, to manipulate the certificate database. You can obtain the source code and quickly build certutil for your platform, but I have installed the following prebuilt version of the program on my Ubuntu workstation:

sudo apt-get install libnss3-tools

Once the installation has succeeded, you can check the result by running the program with the following command:

certutil

On receiving the request, the program returns information on how to use it and gives a list of available command options, as follows:

certutil - Utility to manipulate NSS certificate databases
Usage:  certutil <command> -d <database-directory> <options>

For now, we want to create a command-line application project with the name server in Dart Editor. Then, open the terminal and go into the bin directory of our project.

Note

In real life, you must obtain a real certificate from a CA such as Thawte, Entrust, and others.

It is recommended to use self-signed TLS certificates for development and testing, but they are not recommended for production sites.

Follow the next steps to create a self-signed CA certificate for development and testing purposes inside the bin directory:

  1. Create an NSS database in the pkcert folder. The folder name should be the name of the NSS database used on our server:
    mkdir -p pkcert
    certutil -N -d sql:/home/akserg/Project/server/bin/pkcert
    

    The -N command option creates new certificate and key databases. Specify the prefix sql in front of the full path to the database folder, as Dart uses the new SQLite databases (cert9.db, key4.db, and pkcs11.txt) rather than the legacy security databases (cert8.db, key3.db, and secmod.db). The certutil command will ask us to enter a password that will be used to encrypt our keys. Let's set the password to changeit.

  2. Create a self-signed CA certificate with the following command:
    certutil -S -s "CN=CA Issuer" -n CACert -x -t "C,C,C" -v 120 -m 1234 -d sql:/home/akserg/Project/server/bin/pkcert
    

    The -S command option creates an individual certificate and adds it to a certificate database. The text after the -s option provides a subject that identifies the owner of the certificate. The -x option tells the certutil command that the created certificate is self-signed. The -v option sets the number of months for which a new certificate will be valid. The -m option sets a unique serial number for the certificate being created. When we run the certutil command, it asks us to press keys on the keyboard to create a random seed that will be used in the creation of our key.

  3. We now have a CA certificate and need to generate the key and certificate signing request. Let's do that with the following command:
    certutil -R -s "CN=localhost, O=Mastering Dart, L=Cape Town, ST=WC, C=CA" -p "+27 21 1234567" -o mycert.req -d sql:/home/akserg/Project/server/bin/pkcert
    

    The -R command option creates a certificate request file that can be submitted to a CA to be processed into a finished certificate. We specify the subject to identify the certificate owner; in this case, it's me. Extra information such as your telephone number can be supplied as well. The request is written to the output file named by the -o option. When we run the certutil command, it asks for a password, and we can generate the key with a random seed again.

  4. Now, we can see the list of keys in the database with the following command:
    certutil -K -d sql:/home/akserg/Project/server/bin/pkcert
    

    The result will be as follows:

    < 0> rsa e22c881d9eb382ea69257410cf464dfedcd49354   NSS Certificate DB:CACert
    < 1> rsa b909266e0d5a14523158bfc7903ea9460fad2da6   (orphan)
    
  5. We need to sign the certificate request with our CA certificate, using the following command:
    certutil -C -m 2345 -i mycert.req -o mycert.crt -c CACert -d sql:/home/akserg/Project/server/bin/pkcert
    
  6. Finally, it's time to add a certificate to the database with the following command:
    certutil -A -n localhost_cert -t "p,p,p" -i mycert.crt -d sql:/home/akserg/Project/server/bin/pkcert
    

    The name of our certificate, localhost_cert, follows the -n option.

  7. You can see the information about a specific certificate with the following command:
    certutil -L -n localhost_cert -d sql:/home/akserg/Project/server/bin/pkcert
    

    The result is as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2345 (0x929)
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Issuer: "CN=CA Issuer"
            Validity:
                Not Before: Thu Aug 21 17:15:05 2014
                Not After : Fri Nov 21 17:15:05 2014
            Subject: "CN=Sergey Akopkokhyants,O=Mastering Dart,L=Cape Town,ST=WC, C=CA"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
    
    
  8. Alternatively, you can validate a specific certificate with the following command:
    certutil -V -n localhost_cert -b 9803201212Z -u SR -e -l -d sql:/home/akserg/Project/server/bin/pkcert
    

    The result is as follows:

    localhost_cert : Peer's Certificate has expired.
    localhost_cert : Peer's certificate has been marked as not trusted by the user.
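
A check a defender can run on the listing from step 7, added here as an example that is not part of the original chapter: the shell function below parses certutil -L text and flags a SHA-1 or MD5 signature, a subject CN that differs from the expected host name, and an issuer identical to the subject. The names audit_cert and field and the finding labels are hypothetical, and the sample listing is constructed from the fields shown above.

```shell
#!/bin/sh
# Audit the text printed by `certutil -L -n <nickname> -d sql:<dir>`.
# Added example: audit_cert, field and the finding labels are hypothetical.

# Constructed sample modelled on the listing in step 7 (not real output).
SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2345 (0x929)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=CA Issuer"
        Validity:
            Not Before: Thu Aug 21 17:15:05 2014
            Not After : Fri Nov 21 17:15:05 2014
        Subject: "CN=localhost,O=Mastering Dart,L=Cape Town,ST=WC,C=CA"'

# field NAME: read a listing on stdin, print the value after "NAME:".
# "Subject Public Key Info:" does not match NAME=Subject, by design.
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# audit_cert LISTING EXPECTED_HOST: print the findings on one line, or OK.
audit_cert() {
    listing=$1 host=$2 findings=""
    sig=$(printf '%s\n' "$listing" | field 'Signature Algorithm')
    subj=$(printf '%s\n' "$listing" | field 'Subject' | tr -d '"')
    issuer=$(printf '%s\n' "$listing" | field 'Issuer' | tr -d '"')
    # Assumes CN is the first attribute of the subject, as in the sample.
    cn=$(printf '%s\n' "$subj" | sed -n 's/^CN=\([^,]*\).*/\1/p')

    # SHA-1 and MD5 are deprecated for certificate signatures.
    case $sig in
        *SHA-1*|*MD5*) findings="${findings}WEAK_SIGNATURE " ;;
    esac
    # The CN must be the host name the server is reached by.
    [ "$cn" = "$host" ] || findings="${findings}CN_MISMATCH "
    # Issuer equal to subject means the certificate signed itself.
    if [ -n "$subj" ] && [ "$issuer" = "$subj" ]; then
        findings="${findings}SELF_SIGNED "
    fi
    printf '%s\n' "${findings:-OK}" | sed 's/ $//'
}

audit_cert "$SAMPLE" localhost
```

To audit a real database entry, pass the captured output of the step 7 command as the first argument instead of the sample.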
    

Now that we are done with our self-signed certificate, it's time to go back to our server code and secure it.
