Lab 11: Testing the HTTPS

This section can only be done while using the Linux desktop. There is no functional equivalent of tcpflow for Windows or Mac --- there are versions of tcpflow for Mac and Windows floating around, but they can't be used for capturing the network traffic, which makes them useless for our purposes. The httpcat program is effectively a man-in-the-middle proxy, so it always has access to the unencrypted version of the traffic, which also makes it useless for testing whether HTTPS is working.

  1. We should check that the HTTP communication is actually being encrypted. You can run a network sniffer to check this. Open a terminal and run the following command:

    tcpflow port 8080

    If your server is not running on port 8080 then change the number to match your port.

    This network sniffer will only monitor traffic on localhost and cannot be used to monitor regular network traffic. It would make the ITS security staff very grumpy if we let you do that.

    This terminal will be monitoring the normal unencrypted HTTP traffic that your server is seeing.

  2. Open another terminal and run the following command:

    tcpflow port 8443

    This terminal will be monitoring the encrypted HTTPS traffic that your server is seeing.

  3. Open the normal http:// link in a browser, and register a new customer account through your web application.

    Look in the first terminal. Note that the customer's details, including their password, are displayed in clear text in the tcpflow output. Clearly, there isn't much in the way of encryption going on here --- everything is there to be seen by a malicious party who is sniffing the network.

  4. Repeat the process using the https:// link, and check the second terminal. You should only see gibberish in the tcpflow output. A network sniffer will still have access to the data travelling over the network, but it is now encrypted, and useless to a malicious party.

  5. You can hit Ctrl+C to stop tcpflow, and then exit both terminals.
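
The visual check in steps 3 and 4 can also be done programmatically. The following is an added example, not part of the original lab: it classifies the raw bytes of one captured flow as cleartext HTTP or TLS record framing, and reports whether a known test password appears in them. The function names, the sample flows and the password `hunter2` are all constructed for illustration.

```python
import re
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 2**14 + 2048          # largest ciphertext fragment TLS 1.2 allows
HTTP_START = re.compile(
    rb"^(?:(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
    rb"|HTTP/1\.[01] \d{3} )")

def parse_tls_records(data):
    """Walk data as back-to-back TLS records; return [(type, length)] or None."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if (ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4
                or length > MAX_RECORD_LEN):
            return None                # header does not look like TLS framing
        records.append((ctype, length))
        pos += 5 + length              # a capture cut mid-record just ends the walk
    return records or None

def classify_flow(data, secrets=()):
    """Return (verdict, leaked): verdict is 'cleartext-http', 'tls' or 'unknown';
    leaked lists every known secret that is readable in the captured bytes."""
    leaked = [s for s in secrets if s.encode() in data]
    if HTTP_START.match(data):
        return "cleartext-http", leaked
    if parse_tls_records(data):
        return "tls", leaked
    return "unknown", leaked

# Constructed sample: what the port 8080 capture looks like for a registration form.
SAMPLE_HTTP = (b"POST /register HTTP/1.1\r\nHost: localhost:8080\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=alice&password=hunter2")

# Constructed sample: one handshake record and one application_data record.
# Only the record framing is realistic; the payload bytes are placeholders.
SAMPLE_TLS = (bytes([22, 3, 1]) + struct.pack("!H", 4) + b"\x01\x00\x00\x00"
              + bytes([23, 3, 3]) + struct.pack("!H", 8) + bytes(range(0x80, 0x88)))

if __name__ == "__main__":
    print(classify_flow(SAMPLE_HTTP, ["hunter2"]))
    print(classify_flow(SAMPLE_TLS, ["hunter2"]))
```

A `tls` verdict with an empty leak list corresponds to the "gibberish" seen in step 4; a `cleartext-http` verdict with the password listed corresponds to step 3.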