
NOTE THAT THIS WAS MOVED OUT OF THE PREVIOUS SECTION DUE TO LOCKDOWN AND LACK OF NETWORK SNIFFERS.

  1. We should check that the HTTP communication is actually being encrypted. You can run a network sniffer to check this. Open a terminal and run the following command:

    tcpflow port 8080

    If your server is not running on port 8080 then change the number to match your port.

    This network sniffer will only monitor traffic on localhost and cannot be used to monitor regular network traffic. It would make the ITS security staff very grumpy if we let you do that.

    This terminal will be monitoring the normal unencrypted HTTP traffic that your server is seeing.

  2. Open another terminal and run the following command:

    tcpflow port 8443

    This terminal will be monitoring the encrypted HTTPS traffic that your server is seeing.

  3. Open the normal http:// link in a browser, and register a new customer account through your web application.

    Look in the first terminal. Note that the customer's details, including their password, are displayed in clear text in the tcpflow output. Clearly, there isn't much in the way of encryption going on here --- everything is there to be seen by a malicious party who is sniffing the network.

  4. Repeat the process using the https:// link, and check the second terminal. You should only see gibberish in the tcpflow output. A network sniffer will still have access to the data travelling over the network, but it is now encrypted, and useless to a malicious party.

  5. You can hit Ctrl+C to stop tcpflow, and then exit both terminals.
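
"Gibberish" in step 4 can be checked more precisely: a TLS flow starts with a recognisable record header, while the plain HTTP flow from step 3 starts with a request line and carries the form fields verbatim. The following is an added example, not part of the original lab; the `/register` path, the field names and both sample byte strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# TLS record content types (first byte of every TLS record).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# An HTTP/1.x request line or status line at the very start of the flow.
HTTP_START = re.compile(rb"(?:[A-Z]+ \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} )")
SENSITIVE = ("password", "passwd", "pwd")  # assumed field-name fragments

def classify_flow(payload: bytes) -> dict:
    """Classify the first bytes of one direction of a captured TCP flow."""
    if HTTP_START.match(payload):
        head, _, body = payload.partition(b"\r\n\r\n")
        leaked = []
        if b"application/x-www-form-urlencoded" in head.lower():
            fields = parse_qs(body.decode("latin-1"))
            leaked = sorted(k for k in fields if any(s in k.lower() for s in SENSITIVE))
        return {"kind": "cleartext-http", "leaked_fields": leaked}
    # TLS record header: type (1 byte), version 0x03 0x00..0x04, length (2 bytes).
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3 and payload[2] <= 4:
        return {"kind": "tls", "record": TLS_TYPES[payload[0]],
                "length": int.from_bytes(payload[3:5], "big")}
    return {"kind": "unknown"}

def secret_visible(payload: bytes, secret: bytes) -> bool:
    """True if a known test value appears verbatim in the captured bytes."""
    return secret in payload

# Constructed sample: a registration POST as seen on the plain HTTP port.
HTTP_SAMPLE = (b"POST /register HTTP/1.1\r\n"
               b"Host: localhost:8080\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 37\r\n\r\n"
               b"username=alice&password=correct-horse")
# Constructed sample: start of a TLS handshake record (header says 512 bytes), truncated.
TLS_SAMPLE = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(range(32))

if __name__ == "__main__":
    for port, flow in ((8080, HTTP_SAMPLE), (8443, TLS_SAMPLE)):
        print(port, classify_flow(flow),
              "secret visible:", secret_visible(flow, b"correct-horse"))
```

Register with a password you chose for the test, then pass the captured bytes for each port to `secret_visible` with that value: it should be found on the HTTP port and absent on the HTTPS port.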