Poor man’s HTTPS

If you are thinking of using HTTPS to communicate data, or of encrypting data in your apps, please read this post first

What do you mean I have to be “properly authorized” to use encryption in my apps?

We were looking at adding some interaction between our mobile apps and our web server and wanted to use HTTPS for it so we’d have a layer of security on top of the communications. I had never set up HTTPS on a web server before, but I knew a decent amount about what would have to go into it. So I started looking around cPanel and found the following icon under “Security”:

SSL/TLS

After clicking this icon, we are taken to an area where we need to do three things: first, generate a private key; second, create a Certificate Signing Request (CSR); and lastly, place a certificate on our server. Luckily the interface in this version of cPanel (v11.44.1 (build 18)) makes it pretty easy to do.

After clicking on the “SSL/TLS” icon, click the link here to go to the next screen and generate a private key. I just used our company name as the description. Once the private key is generated, make sure to save it to a file on your computer, and keep that file private: the key is the one piece of this that must never be sent to anyone, not even the CA.

For a Certificate Signing Request (CSR), go back to the previous screen and click on the link to generate a CSR, select the description you chose in the previous step in the drop down box, fill out the rest of the information and generate your CSR. Again, save it to a text file.

Once this is done, go back to the previous screen again and manage the certificates on your web server. Install a self-signed certificate by filling out the information and selecting the key you want to use. Now, a self-signed certificate will allow you to use HTTPS on your site, BUT you’ll be greeted with an ugly warning from the browser that the site could not be verified, because the certificate was not issued by any authority the browser trusts. To remove that warning we’d need to send the CSR we created in the previous step to a Certificate Authority (CA) and install the certificate it issues.

Well, we only need HTTPS for communications between our app and our web server, so a self-signed certificate should be good enough, since the user won’t be interacting directly with our website over HTTPS. The one condition is that the app has to be told to trust that exact certificate (for example by checking its fingerprint) rather than simply ignoring certificate errors: an app that accepts any certificate gets encryption without authentication, and anyone on the network path can sit between it and the server. I did a quick search to see how much a certificate would cost; prices vary wildly, but I was seeing things like $175/yr. Why spend money on something we don’t need immediately? But we do have everything we need to get a valid certificate if we decide to use HTTPS for direct user interaction with our website. That is why I call this the poor man’s HTTPS.
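
The same three cPanel steps done with the openssl command line, as an added example that is not code from the original post (cPanel runs the equivalent behind its forms). The domain www.example.com, the file names and the 365-day lifetime are assumptions. It also shows the two checks worth running before using a self-signed certificate from an app: that the CSR really belongs to the key you kept, and that the certificate verifies only when it is itself the trust anchor, which is what pinning it in the app amounts to; a second self-signed certificate for the same name, standing in for an interception proxy, does not pass.

```shell
#!/bin/sh
# Added example, not from the original post: cPanel's three SSL/TLS steps done
# with the openssl CLI, plus the checks worth running before an app trusts a
# self-signed certificate.  Domain, paths and lifetime are assumptions.
set -eu

# Step 1: private key (RSA 2048, unencrypted so the web server can load it unattended)
make_key() {         # make_key <out.key>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Step 2: Certificate Signing Request; this, not the key, is what goes to a CA
make_csr() {         # make_csr <key> <domain> <out.csr>
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Step 3: sign the CSR with our own key, giving a self-signed certificate
make_self_signed() { # make_self_signed <csr> <key> <out.crt>
    openssl x509 -req -in "$1" -signkey "$2" -days 365 -out "$3" 2>/dev/null
}

# Check before pasting a CSR into a CA's form: the public key inside the CSR
# must be the one derived from the private key you saved.  Prints yes/no.
csr_matches_key() {  # csr_matches_key <csr> <key>
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null || true)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# SHA-256 fingerprint of the certificate: the value an app pins
fingerprint() {      # fingerprint <cert>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does <cert> verify when <anchor> is the only trusted root?  Prints yes/no.
# A self-signed cert passes only when it is its own anchor, which is exactly
# the check an app that pins it performs; any other cert for the same name fails.
verifies_against() { # verifies_against <cert> <anchor>
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo yes
    else
        echo no
    fi
}

demo() {
    d=$(mktemp -d)
    make_key "$d/server.key"
    make_csr "$d/server.key" www.example.com "$d/server.csr"
    make_self_signed "$d/server.csr" "$d/server.key" "$d/server.crt"
    # a second self-signed cert for the same name, standing in for an attacker's
    make_key "$d/mitm.key"
    make_csr "$d/mitm.key" www.example.com "$d/mitm.csr"
    make_self_signed "$d/mitm.csr" "$d/mitm.key" "$d/mitm.crt"

    echo "CSR matches saved key:   $(csr_matches_key "$d/server.csr" "$d/server.key")"
    echo "pin this fingerprint:    $(fingerprint "$d/server.crt")"
    echo "server cert, pinned:     $(verifies_against "$d/server.crt" "$d/server.crt")"
    echo "mitm cert, same pin:     $(verifies_against "$d/mitm.crt" "$d/server.crt")"
    rm -rf "$d"
}

demo
```

Keep server.key out of any backup you share and out of the CSR you paste into a CA's form; the CSR carries only the public half. The fingerprint is what you would embed in the app, and the last two lines show why that works: with the self-signed certificate as the only anchor, a different certificate for the same host name is rejected, which is the property you lose if the client simply disables certificate checks.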

Updated:

So I’ve now come across a site that offers free SSL certificates. WOO HOO! I’ve seen mixed reviews: some people swear by them, others don’t seem to like them very much. But I thought I’d give it a shot. The site is https://www.startssl.com. Since I already created my certificate with them, I can only go through the steps again so far, but it should be enough to figure things out. What got me looking at this again was that, since we are communicating data between our website and our app, the Unity Web Player relies on the browser and JavaScript to do that (more on that one in a later post). Since our web server was only using a self-signed certificate for HTTPS, the browser was blocking the JavaScript AJAX calls to our web server when running the app in the Unity Web Player: for a request started by a script the browser does not offer the click-through warning it shows for a page you navigate to, it just fails the request. This makes sense, but it didn’t occur to me during development.

Login Page

Head on over to https://www.startssl.com/?app=12. Just click the “Sign-up” button to get started. Please note the first time I tried this, their site was having some overloading issues…I just patiently waited a bit and was able to get on after a while.

Sign Up

There really isn’t too much information here to fill out, but please READ CAREFULLY and take your time to make sure you’ve filled the information out properly. The reason I say this is that there appears to be a price on revoking an SSL cert. Once you’ve finished the sign-up process, they’ll send you an email to confirm your account.

Once you have verified your account, StartSSL installs a certificate in your browser; that client certificate is what you log in with from then on. So if you go to https://www.startssl.com, you should see a page similar to the following. If not, just click the “Authenticate” button.

It would be a good idea to back up this certificate they just gave you, since it is your login credential. In Chrome, you can do it this way: go to “Settings”, then click the “Advanced” link at the bottom. Find HTTP/SSL “Manage Certificates” and click on it. Find the one for StartSSL and export it together with its private key (Chrome writes a password-protected .p12 file), and keep it somewhere safe: it lets you reimport the certificate later if you need to, and anyone who gets hold of it can log in as you.

Validate Domain Name - Step 1

Now we need to let them know that we own the domain we are attempting to get a class 1 SSL cert for.  I don’t know exactly the differences between all the classes of SSL certs, but we only need a class 1 for our purpose. I do know that a Class 1 doesn’t support wildcard domains but it will support a top domain name and a sub-domain…in fact it asks you to specify a sub-domain later in the process. So, once you’ve navigated back to https://www.startssl.com, click on the “Validation Wizard” tab and select “Domain Name Validation” from the drop down box.

Validate Domain Name - Step 2

Just put in your domain name here, pretty easy really.

Validate Domain Name - Step 3

It takes a couple of seconds, but a list of email addresses associated with the domain name pops up. You have to control one of those addresses, because that is where they send the domain verification link. Pick one you control and click “Continue”. Again, I had some issues with this part of the process: it kept telling me it could not verify the email address. So again I waited, and after a bit it worked. Once you get the email, follow the directions to verify that you own the domain.

Create SSL Cert - Step 1

Now we are able to create an SSL cert for our domain! Click on the “Certificates Wizard” tab at the top and select “Web Server SSL/TLS Certificate” from the drop down box.

Create SSL Cert - Step 2

From here we can create the keys we need to create our certificate…but we already did that earlier, so click the “Skip” button.

Create SSL Cert - Step 3

Go and find the Certificate Signing Request (CSR) that you saved earlier…you DID save it, right? Simply open it up in a text editor, copy the contents and paste them into the provided box. Make sure you get the header and footer (the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines)! Continue following the directions to finish up. After a while (I think I waited about an hour), you’ll receive an email that says you now have a certificate.

Click on the “Tool Box” tab at the top and select “Retrieve Certificate” from the list of options on the left. After selecting the certificate (it should already be selected), click the “Continue” button to reveal the certificate. Copy and paste this into a plain text file. Once you have it, go back to your web server and install the certificate just like you did for your self-signed certificate, selecting the same private key the CSR was made from, then remove the self-signed certificate. One thing I noticed was that even though https://www.nikywilliams.com was covered by the certificate, the bare domain without the www prefix was not. At the moment this isn’t much of an issue, since we don’t have any front-facing websites that need HTTPS. Ideally you’d want both covered. Our app is the only thing using HTTPS, and we can make sure https://www.nikywilliams.com is what is specified in the code. I’ve seen what look like a few ways around this. 1) Get at least a Class 2 certificate so that you can secure both with and without the “www” prefix. 2) Find a way to redirect all requests for the bare domain to https://www.nikywilliams.com. I haven’t verified either way since it isn’t critical to what we are trying to accomplish. One caveat on option 2, though: the browser checks the certificate against the host name during the TLS handshake, before the server gets a chance to send any redirect, so a request to the bare domain still triggers the certificate warning unless that name is also listed in the certificate (as a Subject Alternative Name). In any case, this is still a poor man’s HTTPS since we haven’t spent a dime!
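
What “covered by the certificate” means for the www and bare names, as an added example that is not code from the original post. It assumes the domain example.com and needs OpenSSL 1.1.1 or newer for -addext. A TLS client matches the host it connected to against the certificate’s Subject Alternative Names during the handshake, and openssl’s -checkhost applies the same matching rules, so it answers the question offline. The example goes a little beyond the post by also trying a wildcard name, which is what a Class 1 certificate does not give you, and shows that a wildcard still does not cover the bare domain.

```shell
#!/bin/sh
# Added example, not from the original post: which host names does a
# certificate actually cover?  Domain names and paths are assumptions.
# -addext requires OpenSSL 1.1.1 or newer.
set -eu

# Self-signed cert whose Subject Alternative Names are the comma-separated DNS
# names in $1, e.g. "example.com,www.example.com".  The first name becomes the CN.
make_cert_with_sans() {  # make_cert_with_sans <names> <out.key> <out.crt>
    san=$(printf '%s' "$1" | sed 's/[^,][^,]*/DNS:&/g')
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=${1%%,*}" -addext "subjectAltName=$san" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Would a TLS client accept <cert> for <host>?  openssl applies the RFC 6125
# rules (X509_check_host): an exact SAN match, or a wildcard that stands for
# exactly one leftmost label.  No redirect can change this answer, because the
# check happens before any HTTP response is sent.  Prints yes/no.
cert_covers_host() {     # cert_covers_host <cert> <host>
    if openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'; then
        echo yes
    else
        echo no
    fi
}

demo() {
    d=$(mktemp -d)
    make_cert_with_sans "www.example.com"             "$d/www.key"  "$d/www.crt"
    make_cert_with_sans "example.com,www.example.com" "$d/both.key" "$d/both.crt"
    make_cert_with_sans "*.example.com"               "$d/wild.key" "$d/wild.crt"
    for host in example.com www.example.com api.example.com a.b.example.com; do
        printf '%-18s www-only:%s  both:%s  wildcard:%s\n' "$host" \
            "$(cert_covers_host "$d/www.crt"  "$host")" \
            "$(cert_covers_host "$d/both.crt" "$host")" \
            "$(cert_covers_host "$d/wild.crt" "$host")"
    done
    rm -rf "$d"
}

demo
```

Run cert_covers_host against the certificate you retrieved from the CA for both nikywilliams.com and www.nikywilliams.com before deciding whether the bare name matters; if it answers no for one of them, the fix is a certificate that lists that name, not a redirect.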