This section can only be done while using the Linux desktop. There is no functional equivalent of
for Windows or Mac --- there are versions of
for Mac and Windows floating around, but they can't be used for capturing the network traffic, which makes them useless for our purposes. The
program is effectively a man-in-the-middle proxy, so it always has access to the unencrypted version of the traffic, which also makes it useless for testing whether HTTPS is working.
We should check that the HTTP communication is actually being encrypted. You can run a network sniffer to check this. Open a terminal and run the following command:
tcpflow port 8080
If your server is not running on port 8080, then change the number to match your port.
This network sniffer will only monitor traffic on localhost and cannot be used to monitor regular network traffic. It would make the ITS security staff very grumpy if we let you do that.
This terminal will be monitoring the normal unencrypted HTTP traffic that your server is seeing.
Open another terminal and run the following command:
tcpflow port 8443
This terminal will be monitoring the encrypted HTTPS traffic that your server is seeing.
Open the normal http:// link in a browser, and register a new customer account through your web application.
Look in the first terminal. Note that the customer's details, including their password, are displayed in clear text in the tcpflow output. Clearly, there isn't much in the way of encryption going on here --- everything is there to be seen by a malicious party who is sniffing the network.
Repeat the process using the https:// link, and check the second terminal. You should only see gibberish in the tcpflow output. A network sniffer will still have access to the data travelling over the network, but it is now encrypted, and useless to a malicious party.
You can press Ctrl+C to stop tcpflow, and then exit both terminals.
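The comparison you just made by eye can also be done mechanically. The following is an added example, not part of the original lab: it classifies the bytes of a captured flow as plain HTTP or TLS records and reports whether a known test password is visible. The sample flows, the /register path and the form field names are constructed assumptions.

```python
import re
from urllib.parse import quote_plus

# Constructed sample flows (not real captures). The /register path and the
# form field names are assumptions made for illustration.
HTTP_FLOW = (b"POST /register HTTP/1.1\r\nHost: localhost:8080\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"username=alice&password=Secret123")
TLS_FLOW = (b"\x16\x03\x01\x00\x05hello"  # handshake record, dummy 5-byte body
            b"\x17\x03\x03\x00\x08\x8f\x1a\xc4\x02\xee\x91\x7b\x30")  # app data

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
HTTP_START = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def tls_records(data):
    """Walk TLS record headers (type, version, length); [] if not TLS."""
    names, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major = data[pos], data[pos + 1]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        if ctype not in TLS_TYPES or major != 3:
            return []          # a header that does not parse: not a TLS stream
        names.append(TLS_TYPES[ctype])
        pos += 5 + length      # a capture cut off mid-record just ends the walk
    return names


def inspect_flow(data, secrets):
    """Classify one flow and list the known secrets visible in it."""
    leaked = []
    for s in secrets:
        # Form posts percent-encode special characters, so look for both forms.
        if s.encode() in data or quote_plus(s).encode() in data:
            leaked.append(s)
    if HTTP_START.match(data):
        kind = "http-cleartext"
    elif tls_records(data):
        kind = "tls"
    else:
        kind = "unknown"
    return {"kind": kind, "leaked": leaked}


if __name__ == "__main__":
    for name, flow in (("port 8080", HTTP_FLOW), ("port 8443", TLS_FLOW)):
        print(name, inspect_flow(flow, ["Secret123"]))
```

Use a throwaway password when registering the test customer, so that the value you search for is never a real credential.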