
How to Steal Unencrypted Data

Over $6 billion is lost to identity theft each year. Some digital theft results from malicious programs like keyloggers and spyware, but unaware developers also introduce silent threats.

Unencrypted data is always dangerous. This blog focuses on data in transit, but similar principles apply to data at rest.

In the following sections, I demonstrate how to steal information from unencrypted web traffic and how to send data securely.

The Difference Between HTTP and HTTPS

I’ll focus on Hypertext Transfer Protocol (HTTP). It’s the protocol used every time you visit a website, yet nearly 20% of all websites still use the insecure version.

With normal HTTP, data transmits in plaintext. It’s a dangerous practice because it allows anyone to eavesdrop on the communication.

HTTPS means HTTP Secure: the same protocol carried over an encrypted (TLS) connection, so anyone eavesdropping on the network sees only ciphertext rather than your data.

That’s all you need to know for now, but if you want to learn more, here’s a more in-depth resource detailing HTTPS and encryption.

Use Packet Sniffing to Hijack Credentials

In this tutorial, we’ll:

  • Record all network communication using Wireshark.
    • Add a filter to look for unencrypted web traffic.
  • Steal data via an unencrypted endpoint.
    • Request data via the browser.
    • Submit login credentials using Insomnia.
    • Review it all in Wireshark.
  • Send data securely to an encrypted endpoint.
    • Celebrate – the data doesn’t appear in plaintext!

Set up Wireshark to Monitor Traffic

Selecting a network on Wireshark to capture traffic

Both a wired and wireless network will work the same. So long as you pick the “busy” one connected to your computer, you can capture data. It’s typically the first option.

After you’ve begun recording, type ‘http’ into Wireshark’s filter bar. This action highlights unencrypted web traffic.

You should see a blank screen – and that’s good! Unencrypted data flowing through your network should be a rare occurrence.

Steal Data via an Unencrypted Endpoint

I spun up an instance of my mock-Twitter microservice as the unencrypted endpoint for this blog. I’ll shut it down afterwards, so if you’re following along, please navigate to this unencrypted endpoint instead, for example’s sake.

First, I’ll request data about a known user. Their data appears both in my browser and in my Wireshark feed.

Next, I’ll post my login attempt. After sending my login credentials to the unsecured interface, they’re immediately available on my packet sniffer. Boom – like taking candy from an unencrypted baby.

API requests in plaintext

Transfer Data Safely with Encryption

Now let’s repeat this over HTTPS. Because the connection between my client and the server is encrypted, I can’t eavesdrop on the traffic.

When I send the login request this time, Wireshark doesn’t pick it up. The packets still transfer over the network, but Wireshark won’t show them with the “http” filter because their payload is encrypted and is no longer recognisable as HTTP.

Wireshark showing no new unencrypted communication using HTTPS endpoints

It’s worth stating that if you somehow stole the encryption key, you could theoretically intercept and decrypt the messages. That, however, is a challenging task.

How to Prevent Unencrypted Communication

So what’s required to ensure your web communication occurs over HTTPS? Here are the key elements.

Use a Signed Certificate to Allow HTTPS

HTTPS requires a certificate from a known Certificate Authority (CA). These certificates allow encryption by hosting the website’s public key (and validating the domain).

Generating self-signed certificates for testing is possible, but an official one is required in production. Let’s Encrypt is a popular free option that’s production-grade.

Use Firewalls to Prevent HTTP

It’s possible to prevent unencrypted web traffic with firewalls. In AWS, this means creating a security group that allows HTTPS inbound traffic over port 443 (but not HTTP over port 80).

An AWS Security group allowing HTTPS only

Redirect HTTP to HTTPS

Often, servicing plain HTTP requests is needed to support legacy endpoints. One option is redirecting all HTTP requests to HTTPS to encrypt the communication. Spring Boot can enforce redirection for you.

Watch a Packet Sniffing Demonstration

This blog introduced the dangers of unencrypted web traffic. To see a live demonstration, watch the video below!