46

I'm working for a business that deals with web application development, and I am the "Security Expert". I recently implemented HTTPS in an application with Let's Encrypt, and my boss is asking me to prove that HTTPS really encrypts the information.

How can I do that?

A. Darwin
NTHINGs
  • https://www.ssllabs.com/ssltest/ or show the certificate in action with the green lock icon in your browser. Those are two ways off the top of my head. EDIT: another method would be to sniff your traffic with something like Wireshark, show him the encrypted packets. @crovers beat me to it – INV3NT3D Oct 05 '16 at 19:10
  • If those don't satisfy, you can always use Wireshark to show that nothing there is in plaintext. – crovers Oct 05 '16 at 19:13
  • I tried Wireshark but only TCP packets appear – NTHINGs Oct 05 '16 at 19:15
  • What were you hoping for? HTTPS runs over TCP; very rarely does it use a different protocol. – INV3NT3D Oct 05 '16 at 19:16
  • Sorry, newbie here, but how should the encrypted packet look in Wireshark? – NTHINGs Oct 05 '16 at 19:17
  • Follow the TCP stream and see if any of the data appears in plaintext. [Here's a link](https://ask.wireshark.org/questions/14802/how-to-confirm-encrypted-data-using-wireshark) – INV3NT3D Oct 05 '16 at 19:20
  • @NTHINGs find a site that supports both HTTP and HTTPS. Compare, in Wireshark, browsing to it in both modes. You'll see the difference. – Z.T. Oct 05 '16 at 19:41
  • Also don't forget to shut down HTTP on port 80 and implement the [HTTP Strict Transport Security](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) header so a downgrade attack cannot be performed. – ARau Oct 05 '16 at 22:52
  • OpenSSL and GnuTLS are free software, surely you just read the source and verify that it works and show it to your boss? :) That's the entire selling point of free software, isn't it? That you can read the source and verify it's not going wrong. And everyone does. Except you. ( /s ) – TessellatingHeckler Oct 05 '16 at 23:12
  • I think only your boss can answer that question -- if he doesn't trust the browser's indication that the session is secure, what proof is he looking for? Does he want to see a packet capture? How could you prove to him that captured packets are encrypted and not just obscured (or compressed)? Does he want some other proof? Maybe an explanation of how TLS works and what the browser indications mean? – Johnny Oct 05 '16 at 23:24
  • I've edited the question title so there is less of a difference between the title and the question being asked in the body. The previous title was somewhat vague and ambiguous in my opinion. I felt the original title read more like "how do I configure HTTPS so it works on all clients", not "how do I prove that HTTPS works". – Nzall Oct 06 '16 at 11:53
  • Can you provide more detail on what the boss is trying to prove? Is he trying to see if industry standard SSL is being applied, or is he checking that sensitive information isn't being sent over plaintext, or is he paranoid that the encryption you applied (and can see in the browser) isn't secure? – Cody P Oct 06 '16 at 17:27
  • Whichever test you end up doing, make sure to do the same test with HTTP and compare results. – user253751 Oct 06 '16 at 19:54
  • It's worth noting that HTTPS is not always encrypted, e.g. if the server and client support the [null protocol](http://security.stackexchange.com/questions/39315/checking-ssl-tls-servers-for-null-encryption-support). You need to disable that to thwart [downgrade attacks](https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack). See [OWASP A5](https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration) and its [remediation](https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)). – John Wu Oct 06 '16 at 23:12
  • Show him this question. Maybe he'll actually learn something. Also, please, for the love of all that is holy, tell us that this company's sites haven't been passing user credentials over the internet in plain text before now. If they have and no one even knew... I would be inclined to start working on my resume. – jpmc26 Oct 07 '16 at 21:58

6 Answers

63

My boss is asking me to prove that HTTPS really encrypts the information. How can I do that?

On a basic level, you can use a packet inspector or simple port forwarding proxy. Perhaps Wireshark will inspect the packets easily enough.

You should quickly be able to find that the HTTP traffic is plain text, while the HTTPS is binary gibberish. (with the exception of the hostname)

However, this only proves that the connection is obfuscated. It does not prove encryption or security. Specifically it does nothing to show immunity to MiTM.

Fortunately, the browser does all this for you. If a modern browser tries to connect to an HTTPS web page, it will verify the following:

  • Strong enough hash algorithms for the certificates involved.
  • Strong enough encryption algorithms. (i.e. it is actually encrypted)
  • Certificate chain issued by trusted Certificate Authority(s) (i.e. CA who verifies domain ownership prior to issuing their certificates)
  • Non-expiry of the certificates.
  • Matching hash values means there will be no MiTM.

While your boss may like to see the Wireshark gibberish comparing HTTP to HTTPS, a stronger test is to quite simply visit the HTTPS site with a modern browser.

Be sure the browser has not been pre-configured to ignore the warning. (i.e. test from multiple computers and smartphones)

If you plan to continue HTTPS permanently (which you should), a wise precaution would be to force redirect all HTTP visits to the HTTPS site, because you cannot guarantee that all visitors will include the https:// prefix when visiting your site.

700 Software
  • A demonstration in Wireshark usually suffices for someone silly enough to ask for a demonstration that it is protected. – Joshua Oct 06 '16 at 16:27
  • I don't think asking for proof is *at all* silly. If the OP was accidentally actually using HTTP, everything would work just fine - it just wouldn't be secure! – Martin Bonner supports Monica Oct 07 '16 at 13:20
  • @Joshua, it's not silly at all. If a manager does not have confidence in his expert, and does not have the resources to hire an expert he has confidence in, this is the next best thing. By asking your subordinate to prove it you incite a thinking process, another round of critical thinking. It is a very smart question to ask. – Andrew Savinykh Oct 07 '16 at 23:26
  • @AndrewSavinykh: The proof is actually no good. You can't tell good encryption from bad by looking. – Joshua Oct 08 '16 at 01:36
  • @Joshua - I think you are missing my point – Andrew Savinykh Oct 08 '16 at 10:05
  • You prove a roof leaks by either waiting for rain or getting out the hose. If neither you nor your boss has any idea how to exploit bad or disabled encryption then all you're doing is waiting for rain. – candied_orange Oct 08 '16 at 18:07
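The HTTP-versus-HTTPS comparison this answer describes, as an added example (not code from the answer or from anyone in the thread): a small Python script that labels a captured TCP payload the way you would by eye in Wireshark's "Follow TCP Stream" view, measures how much of it is readable, and pulls out the one field of an HTTPS connection that stays readable, the SNI hostname in the ClientHello. The HTTP request and the ClientHello bytes are constructed in the script rather than taken from a real capture; the host name `app.example`, the two cipher suites and the fixed random bytes in the constructed ClientHello are arbitrary sample values.

```python
"""Classify TCP payloads the way a Wireshark "follow TCP stream" view shows them.
Added example; the sample payloads are constructed here, not captured anywhere."""
import struct

TLS_HANDSHAKE, TLS_APPLICATION_DATA = 0x16, 0x17
TLS_RECORD_TYPES = {0x14: "TLS change cipher spec", 0x15: "TLS alert",
                    TLS_HANDSHAKE: "TLS handshake", TLS_APPLICATION_DATA: "TLS application data"}
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    The random bytes and cipher suites are fixed sample values, not what a browser sends."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type 0 = server_name
    suites = struct.pack("!HH", 0xC02F, 0xC030)                       # two ECDHE_RSA AES-GCM suites (sample)
    body = (b"\x03\x03"                                               # client_version = TLS 1.2
            + b"\x11" * 32                                            # random (a real client uses a CSPRNG)
            + b"\x00"                                                 # session_id: empty
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                             # compression_methods: null only
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # msg_type 1 = ClientHello, 24-bit length
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def classify(payload: bytes) -> str:
    """Label one TCP payload: readable HTTP, a TLS record, or neither."""
    if payload.startswith(HTTP_STARTS):
        return "plaintext HTTP"
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03:
        return TLS_RECORD_TYPES[payload[0]]
    return "unknown"


def printable_ratio(payload: bytes) -> float:
    """Share of bytes that are printable ASCII.  A low value is the "gibberish" the
    answer talks about; it shows the bytes are unreadable, not that they are encrypted."""
    return sum(0x20 <= b < 0x7F for b in payload) / max(len(payload), 1)


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None.  This is the field that
    stays readable in an HTTPS capture: it is sent before any key has been agreed."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 + 2 + 32 + 1 or hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        if p + 2 > len(hs):
            return None                                 # no extensions block
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
    except (struct.error, IndexError):
        pass
    return None


# Constructed samples: what the stream looks like for a login over HTTP and over HTTPS.
HTTP_LOGIN = b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&password=hunter2"
HTTPS_HELLO = build_client_hello("app.example")
HTTPS_DATA = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, 16) + bytes(range(0xA0, 0xB0))

if __name__ == "__main__":
    for label, payload in [("HTTP", HTTP_LOGIN), ("HTTPS ClientHello", HTTPS_HELLO), ("HTTPS record", HTTPS_DATA)]:
        print(f"{label:18} {classify(payload):22} printable={printable_ratio(payload):.2f} sni={extract_sni(payload)}")
```

To run it over a real capture, export a stream from Wireshark (Follow TCP Stream, "Show data as Raw", save) and feed the bytes to classify() and extract_sni(). The printable ratio carries exactly the caveat the answer gives: it separates readable from unreadable, not encrypted from obfuscated. The SNI parser is there to show why the hostname is the exception the answer mentions, and why the login form's password is simply absent from the HTTPS side rather than hidden somewhere in it.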
38

These are a few ways (not comprehensive) to prove that your application is encrypting information:

  1. SSL Labs has a web application to test your web application's SSL implementation

OR

  2. In your web browser, sites secured with HTTPS will show a green lock next to the URL like so: [image: the green lock icon next to the URL for google.ca]

If you need more details, or better proof that your certificate is working other than the green lock, click that lock, show details, and you'll see something like this (in Chrome for this example):

[image: details that describe the certificate is encrypting your connection and working properly]

This will give you all the dirty little details you need to verify that your certificate is working as expected.

OR

  3. Fire up Wireshark, or a packet sniffer/analyzer of your choice, then run some data through your application that should be encrypted (login, submit a form etc.). Find the packet, follow the TCP stream, and check to ensure nothing is transmitted in plain-text.
INV3NT3D
  • Well... for a paranoid person all 3 methods described here *at best* show circumstantial evidence, but cannot be called a proof. The only way to prove it is to capture all the packets and **manually** verify that the TLS protocol is effectively done, the data is encrypted using the correct algorithm and key (which you can only prove by 1) statistical tests and 2) decrypting it using the corresponding decryption algorithm & key) etc., and there is no simple & fast way to do this, especially for someone who has no idea about security. – Bakuriu Oct 06 '16 at 11:50
  • @Bakuriu, I agree completely. This was intended to show simple methods of "proving" encryption to a, possibly, not so technically inclined person. I actually prefer George Bailey's answer over my own. Good points though. – INV3NT3D Oct 06 '16 at 12:20
  • @Bakuriu All that goes out the window if you don't trust the browser, anyway. – jpmc26 Oct 07 '16 at 22:04
15

SSLlabs is a great tool for analysing an HTTPS website. But....

  • It does not prove that you've closed off the non-SSL parts of the site
  • I get the impression that your boss won't understand what it is telling you about your site
  • From your comments about wireshark you seem to be struggling a bit to understand what's going on yourself

You say that you've been asked to prove that "HTTPS really encrypts the information". Perhaps someone has chosen their words poorly, but taken at face value, you say you are being asked to prove that the technology the world relies on to secure e-commerce really implements its most fundamental requirement. I think someone might have noticed by now if it didn't.

(I should point out that it is technically possible to configure HTTPS to use a null cypher with some clients and servers but it is extremely difficult to do this by design. You could not do it by accident)

Assuming your boss didn't really mean that, you are being asked to convince him that the work you've done is valid. Most browsers will show you the encryption algorithms being used to access a site.

If your boss wants something different / more, then we don't know what will convince him. You will need to ask him for a more specific requirement and details of what he/she would consider acceptable proof.

symcbean
  • I should also add that it's very poor management practice to ask the implementor of something to prove it works, whether that's a security, functional, performance, capacity or usability feature. – symcbean Oct 06 '16 at 12:14
  • "I think someone might have noticed by now if it didn't." The world has. Many times. Old versions of SSL/TLS have been deprecated. Bugs in SSL/TLS libraries have been fixed. Key strength requirements have been increased. It's an imperfect system, sure, but it's an imperfect system the world is keeping a very close eye on and investing millions (billions?) of dollars every year to make it as good as possible. No small company with a boss who doesn't even know how pervasive HTTPS is will come up with a better alternative. +1 – jpmc26 Oct 07 '16 at 22:09
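The first gap in the answer's list, that SSL Labs does not tell you whether the non-SSL side of the site is closed, is one you can check yourself. As an added example (not code from the answer or from anyone in the thread), the Python script below uses only the standard library: the response on http:// must be a permanent redirect to https:// on the same host, and the response on https:// must carry a Strict-Transport-Security header with a long max-age. The responses in SAMPLES are constructed, `app.example` is a placeholder host, and the six-month floor for max-age is the value hstspreload.org asks for. The https:// fetch goes through http.client's default verified context, so a broken certificate chain also fails here.

```python
"""Is the plaintext side of the site actually closed?  Added example, not from the answer.
check_redirect() and check_hsts() work on a status code plus a header dict so they can be
tested on constructed responses; probe() fetches a real URL without following redirects."""
import http.client
import re
from urllib.parse import urlsplit

MIN_HSTS_AGE = 180 * 24 * 3600   # six months: the floor hstspreload.org requires


def check_redirect(request_host: str, status: int, headers: dict):
    """The http:// response must be a permanent redirect to https:// on the same host.
    A 200 over HTTP, a relative Location or a hop to another host all mean the
    plaintext site is still reachable."""
    if status not in (301, 308):
        return False, f"expected 301/308 to https://, got {status}"
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirect target is not https: {location!r}"
    if target.hostname != request_host.lower():
        return False, f"redirect leaves the host: {location!r}"
    return True, f"http://{request_host}/ -> {location}"


def check_hsts(headers: dict):
    """The https:// response must carry Strict-Transport-Security with a long max-age.
    Browsers ignore the header when it arrives over plain HTTP, so it is checked on
    the HTTPS response, never on the redirect."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "no Strict-Transport-Security header"
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not match:
        return False, f"HSTS header without max-age: {value!r}"
    age = int(match.group(1))
    if age < MIN_HSTS_AGE:
        return False, f"HSTS max-age {age} is below {MIN_HSTS_AGE}"
    subs = "includesubdomains" in value.lower()
    return True, f"HSTS for {age} s" + (", including subdomains" if subs else "")


def probe(url: str, timeout: float = 10.0):
    """GET url without following redirects; returns (status, lowercase header dict).
    HTTPSConnection verifies the certificate chain with the default context."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def verify_site(host: str):
    """Run both checks against a live host; returns the two (ok, reason) pairs."""
    status, headers = probe(f"http://{host}/")
    redirect = check_redirect(host, status, headers)
    _, https_headers = probe(f"https://{host}/")
    return redirect, check_hsts(https_headers)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "closed":       check_redirect("app.example", 301, {"location": "https://app.example/"}),
    "still-http":   check_redirect("app.example", 200, {"content-type": "text/html"}),
    "wrong-scheme": check_redirect("app.example", 301, {"location": "http://app.example/"}),
    "hsts-ok":      check_hsts({"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "hsts-short":   check_hsts({"strict-transport-security": "max-age=300"}),
}

if __name__ == "__main__":
    for name, (ok, reason) in SAMPLES.items():
        print(f"{name:13} {'PASS' if ok else 'FAIL'}  {reason}")
```

Run `verify_site("your.host")` from a machine outside the network the server sits on, so you see what the internet sees rather than an internal listener. The null-cipher case the answer mentions is outside what this script can observe; the direct check for it is an `openssl s_client -tls1_2 -cipher eNULL -connect host:443` attempt, which a correctly configured server refuses with a handshake failure (if your local OpenSSL has the NULL ciphers compiled out, the command fails on the client side instead, which tells you nothing about the server).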
2

Contract with a professional IT security expert and cryptography expert with a good reputation. Allow them to capture traffic on your network and ask them to try to find out what messages are being sent to and from the site.

If they fail, you will have established that traffic is effectively encrypted. Of course this is not likely to be cheap.

bdsl
  • Then it's a good job that anyone vaguely technical can use Wireshark to examine the data themselves (as explained in earlier answers) - no need to pay anyone. –  Oct 06 '16 at 16:08
  • It depends what level of proof the boss wants and is willing to pay for. The boss may not be satisfied by the testimony of someone 'vaguely technical'. If the boss looks at the data themselves they probably wouldn't be able to distinguish between strong encryption and a scheme that just replaces all ones with zeros and vice versa. – bdsl Oct 06 '16 at 21:53
  • If they fail it may be due to the fact that they are incompetent or lazy or inadequately resourced or budgeted or didn't actually do anything. This is not sufficient. – user207421 Oct 06 '16 at 23:53
  • No; this is a viable answer. Propose to seek out an expert and have him/her make a costly demonstration. Juxtapose that with a Wireshark demonstration. If the boss chooses the expert, you will know that he doesn't trust his own people to be the experts. It will justify moving on when the economy is right. – Rob Perkins Oct 07 '16 at 04:20
  • @EJP that's why it should be someone with a good reputation. If they had a history of being incompetent or lazy they wouldn't have that reputation, and they are likely to want to preserve the reputation. If they are inadequately resourced they should want to make that clear to show that they are not being incompetent or lazy. – bdsl Oct 09 '16 at 13:30
1

If you click on the lock icon in Firefox and click More Info, you will see something like this:

Connection encrypted with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256 bit keys

Which clearly states that the connection is encrypted and which protocols were used.

Luc
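What that line actually tells you, as an added example (not part of the answer): a Python decoder for IANA cipher-suite names in the form the browser displays. It splits TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 into key exchange, authentication, cipher, key size and hash, handles the shorter TLS 1.3 form, and flags the cases in which the same kind of line would be misleading: NULL encryption (the case the earlier answer and comments warn about), anonymous key exchange, no forward secrecy, and weak ciphers or MACs. The names in SAMPLE_SUITES are standard IANA names used as inputs; the assessment rules are my own choices, not anything the answer states.

```python
"""Decode an IANA cipher-suite name such as Firefox shows.  Added example, not from the answer."""
import re

FORWARD_SECRET_KX = {"ECDHE", "DHE"}
WEAK_CIPHERS = ("EXPORT", "RC4", "DES", "3DES", "RC2", "IDEA")
KEY_BITS = {"CHACHA20": 256, "3DES": 168, "NULL": 0}   # sizes not spelled out in the name


def parse_suite(name: str) -> dict:
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<hash> (TLS 1.2 and older) or
    TLS_<cipher>_<hash> (TLS 1.3) into its components."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {name}")
    rest = name[4:]
    if "_WITH_" in rest:
        kx_auth, enc = rest.split("_WITH_", 1)
        kx, _, auth = kx_auth.partition("_")
        auth = auth or kx                       # TLS_RSA_WITH_...: static RSA does both jobs
        version = "<=1.2"
    else:                                       # TLS 1.3 names carry only the AEAD and the HKDF hash;
        kx, auth, enc = "ECDHE/DHE", "certificate", rest   # the key exchange is always ephemeral
        version = "1.3"
    enc_parts = enc.split("_")
    cipher, hash_ = "_".join(enc_parts[:-1]), enc_parts[-1]
    bits = KEY_BITS.get(enc_parts[0])
    if bits is None:
        m = re.search(r"_(\d{2,3})(?:_|$)", cipher)
        bits = int(m.group(1)) if m else None
    # For AEAD suites (GCM, CCM, POLY1305) the trailing hash is the PRF/HKDF hash, not a MAC.
    return {"version": version, "kx": kx, "auth": auth, "cipher": cipher,
            "hash": hash_, "key_bits": bits}


def assess(name: str) -> list:
    """Reasons a negotiated suite should worry you; an empty list means the name reveals nothing wrong."""
    s = parse_suite(name)
    problems = []
    if s["cipher"].startswith("NULL"):
        problems.append("NULL cipher: integrity-protected but NOT encrypted; the data is readable in a capture")
    elif any(s["cipher"].startswith(w) for w in WEAK_CIPHERS):
        problems.append(f"weak cipher {s['cipher']}")
    if s["auth"] == "anon":
        problems.append("anonymous key exchange: no certificate, so any MITM can sit in the middle")
    if s["version"] != "1.3" and s["kx"] not in FORWARD_SECRET_KX:
        problems.append(f"no forward secrecy: static {s['kx']} key exchange, recorded traffic falls with the key")
    if s["hash"] == "MD5":
        problems.append("MD5-based MAC")
    if s["key_bits"] is not None and 0 < s["key_bits"] < 128:
        problems.append(f"{s['key_bits']}-bit key")
    return problems


SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # the suite in the answer
    "TLS_AES_256_GCM_SHA384",                  # its TLS 1.3 counterpart
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # encrypted, but no forward secrecy
    "TLS_RSA_WITH_NULL_SHA256",                # "HTTPS" with nothing encrypted
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",        # encrypted, to whoever answered
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        s = parse_suite(suite)
        print(f"{suite}\n  TLS {s['version']} kx={s['kx']} auth={s['auth']} "
              f"cipher={s['cipher']} ({s['key_bits']}-bit) hash={s['hash']}")
        for problem in assess(suite):
            print(f"  ! {problem}")
```

The "256 bit keys" in the browser's line is the AES key size, which the decoder recovers from the cipher field; the part that says whether the connection is actually encrypted is that the cipher is not NULL, and the part that says a man in the middle could not have been on the line is that the authentication is a certificate (RSA/ECDSA) rather than anon. Those two checks, not the key size, are what the browser's lock icon is summarising.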
-3

Tell your boss, "Amazon.com uses it."

They are old enough and experienced enough at e-commerce and the Web to know what works and what doesn't. If they consider HTTPS sufficient to protect your credit card, then that should be proof enough.

When I did web programming, many moons ago, we taught the abbreviation WADI — Would Amazon Do It. If someone said "hey, our website should do this!", your answer would be "Does Amazon do that? If not, then we shouldn't either."

  • I'm fairly confident that Amazon does NOT use Let's Encrypt .... None of this answer is helpful in 'proving' that the web app properly and uniformly utilises the encrypted channel. The OP question is particularly important if you are off-loading the TLS to a load balancer or other border device. – schroeder Oct 06 '16 at 06:58
  • The subtext I'm getting from the answer is that the boss is non-technical. In that case, a technical proof won't be understood, so you look for non-technical proofs. – Greenstone Walker Oct 06 '16 at 09:44
  • @GreenstoneWalker don't think the boss is looking for a technical proof, but there are two questions here, 1) Did Let's Encrypt apply modern, industry standard SSL encryption to the site, and 2) Is that encryption secure? Your answer only addresses the latter, and doesn't address the boss's concern that someone missed something in set-up and encryption never happened. – Cody P Oct 06 '16 at 17:25
  • @GreenstoneWalker lying to your boss isn't a good way to earn his trust in your service. – d0nut Oct 07 '16 at 16:26