SSL - Just to clear something up

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

SSL - Just to clear something up

Post by mikeeeeeeey »

Hi guys, it's been a while!

I'm just trying to cement all my knowledge and something which has been bothering me for a while is SSL. I know what it is, but I've never taken advantage of it as I don't understand how to implement it.

If I were to hazard a guess at how to make use of it, you first have to buy the certificate, then enable it on your control panel or wherever.

Then you make sure you set your form action to the right page except adding the https://... into the address and you have the extra layer on all your superglobals?

Is this right? Or am I totally wrong? It would be great if someone could just briefly detail this for me as searching around has confused me further!

Thanks for your help, as always :D
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SSL - Just to clear something up

Post by kaisellgren »

Make sure your host supports Private SSL.
Buy a certificate.
Depending on the hosting environment, use software on the host to generate a Certificate Signing Request file.
Give it to the SSL provider and he gives you two files: .crt and .ca-bundle.
Again, depending on the hosting environment, move these files to somewhere like '/etc/ssl/ssl.crt/'.
Make sure the HTML form is loaded with HTTPS. This means, when the client connects, before you output the form, make sure the $_SERVER['SERVER_PORT'] == "443", which is the port for SSL connection.
$_GET, $_POST, $_COOKIE are protected (by which I mean no one else knows them) if the SERVER_PORT equals 443.
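
The last two steps of the post above, as an added PHP example that is not part of the original post: refuse to render a form over plain HTTP, redirect to HTTPS, and mark the session cookie Secure. The helper names `request_is_https()` and `https_url()` and the host `www.example.test` are hypothetical; it also consults `$_SERVER['HTTPS']`, because the port check alone holds only when TLS is what listens on 443.

```php
<?php
// Added example; helper names are hypothetical. Requires PHP 7.3+.

/** True when the request described by $server arrived over TLS. */
function request_is_https(array $server): bool
{
    // The web server SAPI sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Port check from the post; only valid if TLS is what listens on 443.
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/** HTTPS URL for the same resource. Assumes SERVER_NAME is fixed in the
 *  server configuration rather than copied from the client's Host header. */
function https_url(array $server): string
{
    return 'https://' . ($server['SERVER_NAME'] ?? 'localhost')
         . ($server['REQUEST_URI'] ?? '/');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests so the file can be run from a shell.
    $base = ['SERVER_NAME' => 'www.example.test', 'REQUEST_URI' => '/login.php'];
    $samples = [
        $base + ['HTTPS' => 'on',  'SERVER_PORT' => '443'],
        $base + ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
        $base + ['SERVER_PORT' => '8080'],
    ];
    foreach ($samples as $s) {
        echo request_is_https($s) ? "serve form\n" : 'redirect to ' . https_url($s) . "\n";
    }
    exit;
}

if (!request_is_https($_SERVER)) {
    // Never render the form over plain HTTP: send the browser to HTTPS first.
    header('Location: ' . https_url($_SERVER), true, 301);
    exit;
}
// Mark the session cookie Secure so the browser never sends it over HTTP.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
$action = htmlspecialchars(https_url($_SERVER), ENT_QUOTES);
echo '<form method="post" action="' . $action . '">'
   . '<input name="user"><input type="password" name="pass"><button>Log in</button></form>';
```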

Re: SSL - Just to clear something up

Post by mikeeeeeeey »

Thanks for your response. I have a greater understanding now, which is awesome! A million kudos is on its way.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: SSL - Just to clear something up

Post by Apollo »

Another question about SSL certificates: recently a hosting provider claimed I needed a unique IP for my site to support SSL (I already have a certificate). But I fail to see why. Does anyone know if they're right, and why?

Re: SSL - Just to clear something up

Post by kaisellgren »

Apollo wrote:Another question about SSL certificates: recently a hosting provider claimed I needed a unique IP for my site to support SSL (I already have a certificate). But I fail to see why. Does anyone know if they're right, and why?
For a private SSL certificate you need a unique IP. Shared SSLs, however, work with the same shared IP address.
If you are using a shared SSL certificate, then you can't have your "own domain SSL'ed", for example, you must access your site like https://mysite.hostgator.com/.
If you are using a private SSL certificate, then you can access your site like https://mysite.com/.

Re: SSL - Just to clear something up

Post by Apollo »

kaisellgren wrote:
Apollo wrote:Another question about SSL certificates: recently a hosting provider claimed I needed a unique IP for my site to support SSL (I already have a certificate). But I fail to see why. Does anyone know if they're right, and why?
For a private SSL certificate you need a unique IP. Shared SSLs, however, work with the same shared IP address.
If you are using a shared SSL certificate, then you can't have your "own domain SSL'ed", for example, you must access your site like https://mysite.hostgator.com/.
If you are using a private SSL certificate, then you can access your site like https://mysite.com/.
Yes, I definitely use a private SSL (i.e. for https://www.mysite.com).

Is there a technical reason as for why this requires a unique IP?

Re: SSL - Just to clear something up

Post by kaisellgren »

Apollo wrote:
kaisellgren wrote:
Apollo wrote:Another question about SSL certificates: recently a hosting provider claimed I needed a unique IP for my site to support SSL (I already have a certificate). But I fail to see why. Does anyone know if they're right, and why?
For a private SSL certificate you need a unique IP. Shared SSLs, however, work with the same shared IP address.
If you are using a shared SSL certificate, then you can't have your "own domain SSL'ed", for example, you must access your site like https://mysite.hostgator.com/.
If you are using a private SSL certificate, then you can access your site like https://mysite.com/.
Yes, I definitely use a private SSL (i.e. for https://www.mysite.com).

Is there a technical reason as for why this requires a unique IP?
A private SSL certificate requires a unique IP. The name itself "Private" tells it's not used by more than one website/IP. No way you can get around this, because it's "hard-coded" inside SSL. That's why Shared SSL certificates were made -> if you want to have multiple sites encrypted.

Think about yourself, if I were to buy a private SSL certificate, why would this private certificate made for me work in two different IPs?

Re: SSL - Just to clear something up

Post by Apollo »

Perhaps I'm missing something, but I thought the point of an SSL certificate is to prove that a certain domain name is authentic and verified, not the IP? (nor the particular webserver it happens to be running on, regardless of whether there are other sites/domains on that same server/IP as well, which may or may not have their own certificates)

Re: SSL - Just to clear something up

Post by kaisellgren »

Apollo wrote:Perhaps I'm missing something, but I thought the point of an SSL certificate is to prove that a certain domain name is authentic and verified, not the IP? (nor the particular webserver it happens to be running on, regardless of whether there are other sites/domains on that same server/IP as well, which may or may not have their own certificates)
Since the SSL needs to be tied to a specific IP address you need the dedicated IP to allow it to work. Without the dedicated IP someone else sharing the same IP address could borrow your security certificate.

The infrastructure of SSL therefore requires a unique IP for private SSL certificates - because they are private, not shared. Otherwise the infrastructure would be flawed.

Re: SSL - Just to clear something up

Post by Apollo »

kaisellgren wrote:Since the SSL needs to be tied to a specific IP address you need the dedicated IP to allow it to work. Without the dedicated IP someone else sharing the same IP address could borrow your security certificate.

The infrastructure of SSL therefore requires a unique IP for private SSL certificates - because they are private, not shared. Otherwise the infrastructure would be flawed.
Isn't this just an implementation detail at the webserver's end? I.e. if the webserver would simply not allow one site to access another site's certificate (which should be perfectly possible, just like I currently cannot access other site's files which are hosted on the same shared server), is there still a problem?

Besides, if another domain is hosted on the same server/IP, even if they could access my certificate - how is that going to help them, considering that the certificate can only authenticate my domain, not theirs?

Re: SSL - Just to clear something up

Post by kaisellgren »

Apollo wrote:
kaisellgren wrote:Since the SSL needs to be tied to a specific IP address you need the dedicated IP to allow it to work. Without the dedicated IP someone else sharing the same IP address could borrow your security certificate.

The infrastructure of SSL therefore requires a unique IP for private SSL certificates - because they are private, not shared. Otherwise the infrastructure would be flawed.
Isn't this just an implementation detail at the webserver's end? I.e. if the webserver would simply not allow one site to access another site's certificate (which should be perfectly possible, just like I currently cannot access other site's files which are hosted on the same shared server), is there still a problem?

Besides, if another domain is hosted on the same server/IP, even if they could access my certificate - how is that going to help them, considering that the certificate can only authenticate my domain, not theirs?
Whatever you do as a web hosting company, you cannot change the way SSL works. Try generating a CSR and get an issuer to verify it and then switch the server IP or switch your domain name, either way you have to regenerate your CSR and certificate. So no, you cannot just try to "disable" access to a certificate on your server from other users of the same server.

And by the way, Defense in Depth is also "used" in SSL.

Re: SSL - Just to clear something up

Post by kaisellgren »

I'm not sure anymore what you want. If you want to have a private SSL certificate without having a dedicated IP for it, then you can forget it.

Prior to the private key generation the dedicated IP is needed. This is a technical fact of private key creation. It is also needed for the issuer, issuers cannot trust you if you change your IP or domain name. At this point you need to regenerate your certificate. Back in the old days the certificate was tied into the very same domain name, so using a subdomain broke it completely. Even nowadays having a subdomain name can break it, but usually the www subdomain won't break anything. Not anymore. Also, SSL requires a dedicated IP, because name-based hosting does not support data encryption in HTTP requests. The fourth reason is Defense in Depth.

So I have now provided four answers for you why you must have this dedicated IP of yours for it to work. If you want to know how to avoid this, then I can not answer you, because you can not avoid it. You could make your own replacement for SSL. Use asymmetric encryption with Public key infrastructure and make sure you use digital signatures. The rest is up to you.
Last edited by kaisellgren on Sun Jan 18, 2009 8:14 am, edited 2 times in total.

Re: SSL - Just to clear something up

Post by Apollo »

Thanks for your replies, but I'm still unclear about this. (Sorry, just trying to get this crystal clear for myself - I really don't want to be a pain in the ass or something :))
kaisellgren wrote:I'm not sure anymore what you want. If you want to have a private SSL certificate without having a dedicated IP for it, then you can forget it.
I'm aware of that, I have no illusions that I can break the rule - just want to understand why :)

Let's take a step back here - for all I know, we use https:// for two reasons:
1. Encryption (data protection), so we know nobody can be snoopin' in-between and peek at the data (or even change it, acting as a middle man).
2. Authentication (identity assurance), so we know that the company or people we're visiting are who they say they are.

If I understand correctly, the server has some private (internal) key, and sends a corresponding public key to the visitor. This is for purpose 1. For purpose 2, the identity that is bound to this key is verified and authenticated by a trusted, official issuer (e.g. Verisign and the likes).
kaisellgren wrote:Whatever you do as a web hosting company, you cannot change the way SSL works. Try generating a CSR and get an issuer to verify it and then switch the server IP or switch your domain name, either way you have to regenerate your CSR and certificate.
Does this mean that if I move to another hosting provider, I will need to purchase new certificates for all my sites?
kaisellgren wrote:Prior to the private key generation the dedicated IP is needed. This is a technical fact of private key creation. It is also needed for the issuer, issuers can not trust you if you change your IP or domain name.
If I remember correctly, I only specify a domain name when purchasing a certificate... Or is the IP enclosed in the CSR?
kaisellgren wrote:Also, SSL requires a dedicated IP, because name-based hosting does not support data encryption in HTTP requests.
How do you mean, name-based hosting? Shared servers which serve multiple domain names? How does that rule out the possibility of encrypted requests? Isn't a tunnel created for each connection, prior to exchanging keys?
kaisellgren wrote:The fourth reason is Defense in Depth.
How does that apply here, or how does this enforce the necessity of a dedicated IP?

Re: SSL - Just to clear something up

Post by kaisellgren »

Apollo wrote:1. Encryption (data protection), so we know nobody can be snoopin' in-between and peek at the data (or even change it, acting as a middle man).
You almost got it :). In reality, there can be a man in the middle and he CAN change the content. Why couldn't he? But it does not matter much, since it's encrypted, the data becomes corrupted and the client/host notices it and requests again until the data is valid. For example, if the host expects an HTTP response, changing one byte of the encrypted text equals something very different and the host will ignore the response and send back an HTTP 400. So yes, if you are dealing with let's say PayPal website over a wireless network, it is possible that every time you reload the PayPal page someone has modified it and you get corrupted data. Then the client notices he cannot communicate with the server and tries again later or uses home network or something.
Apollo wrote:2. Authentication (identity assurance), so we know that the company or people we're visiting are who they say they are.
Private SSL certificates prove the identity of the site you are viewing, however, shared SSL certificates do not - because they are used for multiple sites. So they just protect communication. And yes, if you are giving your credit card, you should trust https://site.com more than https://site.host.com
Apollo wrote:If I understand correctly, the server has some private (internal) key, and sends a corresponding public key to the visitor. This is for purpose 1. For purpose 2, the identity that is bound to this key is verified and authenticated by a trusted, official issuer (e.g. Verisign and the likes).
Yea.
Apollo wrote:Does this mean that if I move to another hosting provider, I will need to purchase new certificates for all my sites?
Prior to switching the domain name or the host, you need to regenerate the certificate. Whether you need to buy a new one or not, that depends on the issuer :) I have not made many SSL certificate purchases so I have no experience about how issuers deal with such situations. Perhaps contacting them and asking what happens when you switch a host - if it is OK to "change" the valid certificate.
Apollo wrote:If I remember correctly, I only specify a domain name when purchasing a certificate... Or is the IP enclosed in the CSR?
Basically you are specifying the IP too :), but not by entering it into a form. It's within the CSR you give to the issuer.
Apollo wrote:How do you mean, name-based hosting? Shared servers which serve multiple domain names? How does that rule out the possibility of encrypted requests? Isn't a tunnel created for each connection, prior to exchanging keys?
I must say that I do not remember the reason for this anymore. It's been a while since I have been dealing with SSL at all. I could also be wrong with this.
Apollo wrote:How does that apply here, or how does this enforce the necessity of a dedicated IP?
It's a strategy that the creators of SSL had in their minds while working on the system. This means that they did their best to prevent every possible unauthorized use of certificates so they tied the certificate to an IP.
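
The thread keeps returning to what a Certificate Signing Request contains. As an added example (not from any post in the thread), this PHP script builds a CSR with the OpenSSL extension and reads it back, listing the subject fields and the public key that the certificate issuer receives; the subject values and key size are constructed.

```php
<?php
// Added example; requires ext-openssl. All subject values are constructed.
$dn = [
    'countryName'      => 'GB',
    'organizationName' => 'Example Ltd',
    'commonName'       => 'www.example.test',
];

// 1. Key pair: the private half never leaves the server.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}

// 2. The CSR binds the subject fields to the public key and is signed
//    with the private key to prove possession of it.
$csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
if ($csr === false || !openssl_csr_export($csr, $csrPem)) {
    exit("CSR generation failed: " . openssl_error_string() . "\n");
}

// 3. Parse the PEM text exactly as an issuer would receive it.
$subject = openssl_csr_get_subject($csrPem, false);   // false = long field names
$csrPub  = openssl_pkey_get_details(openssl_csr_get_public_key($csrPem));
$keyPub  = openssl_pkey_get_details($key);

echo "Subject fields in the CSR:\n";
foreach ($subject as $field => $value) {
    printf("  %-18s %s\n", $field, $value);
}
printf(
    "Public key: %d-bit, matches the server's private key: %s\n",
    $csrPub['bits'],
    $csrPub['key'] === $keyPub['key'] ? 'yes' : 'no'
);

// The subject printed above holds only the fields passed in $dn.
echo "\n", $csrPem;
```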