labs / tiddlers / content / labs / lab11 / _Labs_11_Transport Encryption (HTTPS).md

Our web application is using plain HTTP. We need to be using transport encryption to protect the customers' details while they are travelling over the network. This is even more important since we are using Basic Access Authentication (or would be if you implemented the authentication bonus task), which means our authentication token can be captured by anyone sniffing the network and replayed --- any time you are using token-based authentication, you need to also be using transport encryption (there are some exceptions to this rule, but in general, authentication tokens need to be protected).

In order to use TLS (Transport Layer Security) we need to create an X.509 certificate that the server presents during the TLS handshake; the handshake then establishes the session keys that encrypt the HTTP messages. HTTP that is encrypted via TLS is commonly known as 'HTTPS'. Note that TLS is an evolution of SSL (Secure Sockets Layer), which has been deprecated for many years, but people still regularly refer to TLS as SSL.

The traditional way to do this during development is to create and use a 'self-signed' certificate. Once we are ready to deploy the completed system to a production server we would obtain and use a certificate that is signed by a recognised CA (Certificate Authority) and use this instead of the self-signed certificate. However, browsers, server software, and libraries are becoming more picky about the certificates that they are willing to use, so using self-signed certificates is no longer a valid option. Our only remaining option is to create and use a certificate that is signed by a CA key that is trusted by the operating system and web browsers.

Luckily, we can create our own CA certificate and signing key and install the CA certificate in the trust stores of the operating system and browsers. We can then use this CA key to sign any other certificates that we create. Because the CA certificate is trusted, the certificates it signs will be trusted by the web browsers and server software, and everything should work. The process of doing all of this can be a bit tricky, but there is a tool called mkcert that does most of the work for us. You can read more about mkcert at:

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/