
Penguin Fortress YouTube Channel

Video transcript: Secure Raspberry Pi IOT with HTTPS - stop hackers with Wireshark demo

This is a transcript for a video linked here: Secure Raspberry Pi IOT with HTTPS - stop hackers with Wireshark demo.




00:00:00.160 --> 00:00:06.800

in this video i'm going to explain about the

differences between http and https that one



00:00:06.800 --> 00:00:11.680

letter can make a big difference between how

secure a website is whether others can track



00:00:11.680 --> 00:00:17.360

your usage and how safe your submitted username

and passwords are to demonstrate this i'll be



00:00:17.360 --> 00:00:22.640

setting up a simple web server on a raspberry pi

i'll then show you how you can use wireshark a



00:00:22.640 --> 00:00:29.280

tool that hackers use to sniff the network with

this you'll see how insecure http is and how it



00:00:29.280 --> 00:00:35.040

can be made much safer through adding encryption

i'll be using a raspberry pi for the demonstration



00:00:35.040 --> 00:00:39.760

but you could follow along with other linux

computers or using a virtual machine if you prefer



00:00:41.040 --> 00:00:47.600

so let's get started i'm going to start by showing

a basic install of the nginx web server along with



00:00:47.600 --> 00:00:54.000

a very basic login script i'll be coming on to

how you can secure this later but in this version



00:00:54.000 --> 00:00:59.600

it's just going to be basic http no encryption

and just everything transmitted in plain text



00:01:00.880 --> 00:01:11.840

i started terminal i'm going to install

the nginx using sudo apt to install nginx



00:01:13.280 --> 00:01:15.840

and install a few more packages

so just click yes to that



00:01:25.040 --> 00:01:32.720

by default it's set up as a basic web server and

it'll serve files out of the default directory



00:01:32.720 --> 00:01:43.680

which is /var/www/html as you can see

there's a file called index.nginx-debian.html



00:01:45.600 --> 00:01:48.320

in there we don't need that

so we can just delete that



00:01:48.880 --> 00:01:53.840

just use sudo at the moment

so that we're using it as root



00:01:55.280 --> 00:02:03.280

and we'll replace that with our script i

had to use that as root but if i change the



00:02:03.280 --> 00:02:08.640

ownership to my own username my username here is

stewart but you change that to whatever you want



00:02:09.360 --> 00:02:17.440

then that will set it so that i can

write new files to that directory



00:02:18.480 --> 00:02:24.960

alternatively you'd have to be as root to be

able to edit that i do need to use that using



00:02:24.960 --> 00:02:30.880

the sudo command so just add that so it's

running as root change ownership to myself



00:02:30.880 --> 00:02:41.280

and now i can update as required to be able to use

php files we need to first install the fast-cgi



00:02:43.040 --> 00:02:50.480

package so that's sudo apt install php-fpm



00:02:55.920 --> 00:02:58.560

it's going to install a few

other packages as well just



00:02:59.600 --> 00:03:05.520

type yes and once we've installed this

there's a few parameters we just need to tweak



00:03:07.440 --> 00:03:18.080

to make it a little bit more secure so i'm

just going to add a or change a particular



00:03:18.080 --> 00:03:26.560

entry in that to tell php not to try

and execute the closest file it can find



00:03:27.920 --> 00:03:40.480

if the file can't be found it should just access

the file that we tell it to so that's in /etc/php



00:03:40.480 --> 00:03:47.840

and then the version in which

is 7.4 this version /fpm/php.ini



00:03:51.920 --> 00:04:02.720

and it's looking for cgi.fix_pathinfo that is

the entry just at the bottom of this screen



00:04:07.600 --> 00:04:14.160

so i'll just change that to a zero



00:04:14.160 --> 00:04:21.280

that's just going to make it a little bit

safer now uploaded a file called index.php



00:04:21.920 --> 00:04:31.280

to that /var/www/html directory now this is a very

basic script it's not really useful for anything



00:04:31.280 --> 00:04:42.160

really it's literally just going to take user

name and password and display that on the screen



00:04:42.160 --> 00:04:51.280

now you can see there it's called index.php now

nginx won't automatically serve index.php files



00:04:51.280 --> 00:05:02.240

or any php files so we need to add this

index.php as a default file in the config file



00:05:05.760 --> 00:05:11.520

and there you go there's a comment there

that says add index.php to list if using php



00:05:19.520 --> 00:05:30.960

so we also need to enable php cgi functionality

just by uncommenting this location section and



00:05:30.960 --> 00:05:40.400

the entry that says fast cgi pass unix and

then it's got the unix socket php reference



00:05:42.320 --> 00:05:49.040

save that we can just test

that file using nginx minus t



00:05:50.400 --> 00:05:55.920

i've missed the final brackets actually

go back into we can just add that



00:05:59.200 --> 00:06:02.560

yeah we have to comment that closing

bracket as well so close that now



00:06:03.120 --> 00:06:12.400

now we can run the test again and use

the reload and that's reloaded nginx



00:06:16.000 --> 00:06:25.200

just going to quickly show what that index.php

file does this is a web browser on another



00:06:25.200 --> 00:06:33.840

computer and i've just connected to that

the web server which is on 192.168.0.165.



00:06:34.720 --> 00:06:41.760

the file that's on there gives you this

login screen which is just a html form



00:06:42.640 --> 00:06:49.280

it allows you insert a username and password

that is passed to the index.php file



00:06:49.280 --> 00:06:53.600

but it doesn't actually do anything with it

it just comes back and shows your username



00:06:53.600 --> 00:06:59.760

regardless of what your password is so what

it actually does with it normally obviously



00:06:59.760 --> 00:07:03.760

that would be a back end login

process and things like that



00:07:03.760 --> 00:07:09.200

but this is purely for demonstration purposes

to show you what you can see using wireshark



00:07:10.880 --> 00:07:17.520

so i'm now going to install wireshark on the

raspberry pi that's acting as my web server



00:07:18.720 --> 00:07:23.760

and that's going to sniff the network interface

and show us the traffic that's going on



00:07:25.040 --> 00:07:32.960

this will be installed on the web server now that

a hacker would be trying to intercept this some



00:07:32.960 --> 00:07:40.240

other way perhaps connecting to the switch and

trying to intercept it that way or perhaps found



00:07:40.240 --> 00:07:45.920

some way of tapping into your connection otherwise

could be running a router or something similar



00:07:47.760 --> 00:07:53.040

i'm just going to install wireshark it's

in the standard software repository so i



00:07:53.040 --> 00:08:00.800

can just use sudo apt install wireshark i'm

gonna yes i'm gonna install these packages



00:08:07.040 --> 00:08:14.560

this allows you to use a group to be able to

run wireshark instead of running this as root



00:08:16.800 --> 00:08:21.680

that's probably a good idea to do that so that

you don't have to run wireshark as root so



00:08:21.680 --> 00:08:29.120

i'm going to choose yes at this point and

install so that you just need to be in the



00:08:31.040 --> 00:08:39.840

wireshark group to be able to run this



00:08:45.760 --> 00:08:53.840

so now we can add ourselves to that group

which is done using the usermod command



00:08:56.240 --> 00:09:07.840

this is done using sudo usermod -a to append -G

for the group name and then your own username



00:09:09.920 --> 00:09:11.440

and that's added this to that group



00:09:13.760 --> 00:09:17.840

i am going to make a change to the

web server first just to disable



00:09:17.840 --> 00:09:25.760

gzip compression now gzip compression does

not add any extra security to a session



00:09:25.760 --> 00:09:30.080

but it does make it a little harder to read in

wireshark so that's why i'm going to turn it off



00:09:31.120 --> 00:09:36.720

also needs to be turned off before you use

https which is what i'm going to come to later



00:09:37.920 --> 00:09:44.320

so basically looking for the setting that says

gzip on and we'll just change that to gzip off



00:09:46.000 --> 00:09:49.840

the benefit of using this

is that it saves on bandwidth



00:09:50.880 --> 00:09:57.360

by compressing files as they're sent over the

network i just need to restart the server now



00:10:01.280 --> 00:10:09.200

i'll just test the config file

first and then reload the web server



00:10:11.920 --> 00:10:19.040

now i can go into wireshark i'm going to put a

filter on this and see this has a capture filter



00:10:20.320 --> 00:10:27.520

wireshark has two types of filters this

is the capture set filter which reduces



00:10:27.520 --> 00:10:32.400

the amount of data that's captured you can also

put display filter which you can see at the top



00:10:33.120 --> 00:10:36.880

use the display filter it still captures

all the information but only displays



00:10:38.400 --> 00:10:46.240

what you filter out the benefit to using

capture filter is it's going to greatly reduce



00:10:46.240 --> 00:10:51.600

the amount of traffic that you see and save

so it's going to result in a smaller file



00:10:54.000 --> 00:10:57.120

the advantage to using display filters

you've still got that other information



00:10:57.120 --> 00:11:03.360

if you need to retrieve that

later so this is now showing the



00:11:05.040 --> 00:11:11.680

communication between the web server i've

just repeated that session in the browser



00:11:11.680 --> 00:11:18.080

where you sort of log on and we can see

the get request this is loading the initial



00:11:21.040 --> 00:11:27.840

page just using the / which say we

set up to return that index.php file



00:11:32.240 --> 00:11:33.840

and now this is the response



00:11:36.400 --> 00:11:42.400

and you can see this is the index.php file being

returned and you can see that it's got the form



00:11:42.400 --> 00:11:44.080

asking for a username and password



00:11:46.720 --> 00:11:53.360

and now we can move down and see the post file

which is the data being passed and this is where



00:11:53.360 --> 00:12:00.880

we logged in with the username and password

and lo and behold in a minute we will see



00:12:03.520 --> 00:12:08.240

at the bottom is your username and password



00:12:08.240 --> 00:12:15.120

sent in plain text clearly my username i

put test my password was test1password2



00:12:17.520 --> 00:12:24.640

as one word the spacing in there is just for

convenience trying to read this but basically



00:12:26.800 --> 00:12:30.880

the real danger is that the

password was just sent plain text



00:12:31.440 --> 00:12:38.240

anybody who could physically get onto that

network and monitor traffic in this way



00:12:38.240 --> 00:12:44.560

can see your password being sent to and from and

obviously that's very dangerous you just need to



00:12:45.440 --> 00:12:52.640

sniff on the network find the password and then

you can log in as that person and this is why



00:12:52.640 --> 00:13:00.400

we need encryption this is a real big thing

imagine you entered your credit card details



00:13:02.640 --> 00:13:06.880

it basically allows somebody using

a sniffer to capture those details



00:13:07.920 --> 00:13:12.960

and then be able to use

them for malicious purposes



00:13:15.440 --> 00:13:19.840

and that's why we need

encryption on our web traffic



00:13:20.480 --> 00:13:25.040

before they can do that though they do need

to have a point of monitoring the network



00:13:26.720 --> 00:13:31.600

for instance i've installed wireshark

on the server itself but it doesn't



00:13:31.600 --> 00:13:36.320

need to be on the server it could be on any

intermediate point between you and that server



00:13:38.400 --> 00:13:43.760

a particular example would be that

you come across a public wi-fi network



00:13:44.640 --> 00:13:50.480

connect to that and it's actually a hacker's

network that's allowing you to connect to the



00:13:50.480 --> 00:13:56.800

internet but monitoring all that traffic at the

same time so you do need to be careful about



00:13:57.440 --> 00:14:03.280

what you do on public networks and also be

careful that you're always on an encrypted site



00:14:04.880 --> 00:14:11.360

when giving away or using personal

information putting that in a website



00:14:13.280 --> 00:14:16.480

don't do that on something that just uses http



00:14:18.800 --> 00:14:27.520

so the solution is to encrypt the data encrypt the

data between your laptop or your web browser that



00:14:27.520 --> 00:14:34.720

you're using and the end server and that's

done by using a protocol known as https



00:14:36.240 --> 00:14:42.000

https is a way of encrypting the information so

that even if somebody intercepts the traffic they



00:14:42.000 --> 00:14:47.040

cannot understand it this is based on the use

of encryption keys that keep the message secret



00:14:47.680 --> 00:14:51.040

you also need certificates which

are used to prove who you are



00:14:52.320 --> 00:14:59.200

the technology behind https is called

secure sockets layer abbreviated to ssl



00:15:00.480 --> 00:15:04.880

actually usually it's normally based

on tls transport layer security



00:15:05.440 --> 00:15:13.840

which is the newer version of ssl and sometimes

this is referred to as ssl/tls or it's often that



00:15:13.840 --> 00:15:21.600

people just refer to it as ssl regardless

of whether it's ssl or tls and this may also



00:15:21.600 --> 00:15:29.440

depend on the browser and web server as they can

negotiate which version of an encryption key to use



00:15:31.120 --> 00:15:36.160

for example when tls was released then the

server may have been upgraded but the client not



00:15:36.160 --> 00:15:45.600

so in that case they may have negotiated to use

an ssl key instead if all that sounds confusing



00:15:45.600 --> 00:15:51.760

then don't worry you can just think of ssl and

tls as being the same thing tls is more secure



00:15:51.760 --> 00:15:58.640

but it's effectively just an updated version of

ssl if you're running a production website then



00:15:58.640 --> 00:16:03.040

you should get official certificates registered

through a trusted certificate authority



00:16:03.840 --> 00:16:07.920

this will mean that another organization

has said that you are who you claim to be



00:16:09.040 --> 00:16:14.480

but for this example i'll be using a local

web server just used for a maker project i'll



00:16:14.480 --> 00:16:19.440

be creating a self-signed certificate which

will result in a warning in your browser



00:16:20.400 --> 00:16:27.920

the process is similar as if you're using an

official certificate but there may be some



00:16:27.920 --> 00:16:34.880

extra steps required which your certificate

issuer should explain one example



00:16:35.840 --> 00:16:41.840

is let's encrypt which provides free certificates

which can be installed using their tool certbot



00:16:43.040 --> 00:16:47.440

note that let's encrypt is not the same as

using a commercial certificate authority



00:16:48.000 --> 00:16:54.880

they won't require you to prove who you are

and your certificate will not have the same



00:16:55.440 --> 00:17:03.600

trust relationship as if you go to a commercial

certificate provider the library used for this is



00:17:03.600 --> 00:17:12.160

openssl and we'll use the openssl tool to create

the encryption and certificates the first we can



00:17:12.720 --> 00:17:18.320

create the encryption keys and certificates

which are going to be used to secure the session



00:17:20.400 --> 00:17:25.600

i'm going to copy and paste this

i'll put this in on my website



00:17:28.080 --> 00:17:36.320

and this is using sudo to run as root

it's the openssl command this sets



00:17:38.720 --> 00:17:50.400

various things about the encryption such as it

will expire in 365 days using an rsa 2048-bit



00:17:50.400 --> 00:18:00.800

key and this is where the key will be output and

this is where the certificate will be output too



00:18:04.080 --> 00:18:27.840

so it's going to ask some things

about the certificate that is uk



00:18:30.160 --> 00:18:33.840

the next one says asking

about the name of the server



00:18:34.880 --> 00:18:41.840

normally that would be fqdn fully qualified

domain name so that's such as www.penguintutor.com 



00:18:42.720 --> 00:18:48.400

or something like that in this case i'm

going to use the ip address of the server



00:18:51.440 --> 00:18:57.680

because it doesn't have a qualified domain

name and that's created the certificate



00:19:02.000 --> 00:19:07.280

i'm also going to create a diffie-hellman

group this is used for perfect forward



00:19:07.280 --> 00:19:12.160

secrecy essentially it's a way of

protecting past communications if



00:19:12.160 --> 00:19:16.400

the encryption key is broken in the future

so if somebody's able to capture the data now



00:19:18.000 --> 00:19:26.400

and then your key is broken in the future it

means they can't decrypt your old messages



00:19:30.480 --> 00:19:41.760

uses the openssl command as well but

the dhparam minus out slash etc



00:19:43.760 --> 00:19:51.840

i'll just put in the same search directory



00:19:54.080 --> 00:19:57.360

and so it says this is going to

take a long time so it's going to be



00:19:58.640 --> 00:20:00.480

not quite as quick as the previous



00:20:02.800 --> 00:20:05.840

keys



00:20:09.280 --> 00:20:20.400

okay so that's completed now and now we can update

the nginx web server to use these i'm going to



00:20:21.120 --> 00:20:33.600

make the changes in the sites file let's go

to nginx if we look at this two folders one's



00:20:33.600 --> 00:20:38.880

called sites available and one's called sites

enabled these will show the same at the moment



00:20:41.680 --> 00:20:46.320

and so sites available is where you store

all the different kinds of sites that you



00:20:46.320 --> 00:20:52.240

want because a single web server

can serve up multiple websites



00:20:53.840 --> 00:20:58.960

and then when you enable them you

normally put a link to sites enabled



00:21:01.280 --> 00:21:04.480

and as you can see that's

the same one we'll just put a



00:21:04.480 --> 00:21:12.080

minus l on that you'll see that this is a

link rather than the actual file now you could



00:21:12.080 --> 00:21:17.280

edit either file because of that link you'll

just be editing the same file regardless



00:21:17.920 --> 00:21:20.880

but it's actually the one that's in

sites available that's the standard file



00:21:22.080 --> 00:21:29.840

you may want to take a backup of this beforehand

so i thought let's do that it's going to



00:21:34.240 --> 00:21:41.120

cd to the sites available

and we'll just cp default



00:21:46.160 --> 00:21:55.200

because it's not copied into enabled then it won't

be enabled it's just there as a backup basically



00:21:57.760 --> 00:21:59.680

so you need to edit this as root



00:22:01.840 --> 00:22:03.280

so we use the sudo



00:22:06.800 --> 00:22:11.520

let's get rid of the port 80

entries at the moment so this is



00:22:11.520 --> 00:22:15.280

standard web server that's been

running so far which is on port 80.



00:22:17.280 --> 00:22:24.080

we will later on redirect those that will

be a bit later on in the file so come on



00:22:24.080 --> 00:22:31.760

a bit and enable these listen so we're going to

listen on port 443 which is what's used for ssl



00:22:34.960 --> 00:22:37.600

tell us about disabling

gzip we've already done that



00:22:38.240 --> 00:22:40.720

but if you hadn't then you

would have to do that as well



00:22:42.880 --> 00:22:52.960

and there's some information on creating a secure

configuration i'm going to be just putting a



00:22:52.960 --> 00:23:01.520

few basic settings on there you may want to

look at further ways of securing it further



00:23:05.840 --> 00:23:10.320

you change that server name to be the

ip address again you would normally use



00:23:10.320 --> 00:23:21.840

the website name fully qualified domain name



00:23:23.040 --> 00:23:24.480

and then i'm going to add



00:23:28.320 --> 00:23:29.440

some lines in fact



00:23:31.840 --> 00:23:35.840

i just realized



00:23:42.240 --> 00:23:45.120

then at the bottom of this

server section which is here



00:23:47.360 --> 00:23:50.720

i'm gonna put in the certificates so



00:23:52.800 --> 00:23:55.040

these are the certificates we're using



00:23:58.080 --> 00:24:08.960

so you've got the certificate the certificate key

and that dh param file that we created as well



00:24:12.480 --> 00:24:18.640

i'm also going to add some information

about the protocols we want to use



00:24:23.920 --> 00:24:24.960

put those in here



00:24:28.640 --> 00:24:31.840

there are various different

settings that you could use



00:24:36.640 --> 00:24:38.320

and there's just a few of them



00:24:45.040 --> 00:24:50.320

so that's the ssl part done i'm

going to just add one more section



00:24:51.360 --> 00:24:54.160

the right to the bottom i'm

going to add another server



00:24:54.880 --> 00:25:02.800

entry and this is going to redirect anything

coming in on port 80 the standard http to port



00:25:02.800 --> 00:25:11.280

443 the https server again i'm going to copy and

paste this so i'll include the code on my website



00:25:13.760 --> 00:25:16.720

again see the description for details of that



00:25:20.160 --> 00:25:24.240

so this is just saying that if

the host matches this ip address



00:25:26.640 --> 00:25:36.880

and we're listening on port 8 then return

301 redirect to go to the https version



00:25:41.760 --> 00:25:45.680

that's it created i'm just clear i'm going to run



00:25:48.560 --> 00:25:55.280

the test to see if there's any configuration

parameters it doesn't seem to like



00:25:55.280 --> 00:26:00.240

my ssl dh params let's go and have a look at that



00:26:03.920 --> 00:26:09.840

976.



00:26:11.600 --> 00:26:14.640

that i've just missed the semicolon off the end



00:26:17.440 --> 00:26:23.840

i can do that and try testing again

yep it's okay test is successful



00:26:28.240 --> 00:26:36.400

so now we can reload our because of the changes

i'm going to do a full system a full restart



00:26:36.400 --> 00:26:46.320

of the server rather than just to reload so

i'll do that using a system control restart



00:26:51.280 --> 00:26:54.400

i can just check the status on that

make sure it's started correctly



00:26:56.960 --> 00:27:01.280

yeah it looks like it so i've

switched to my laptop now



00:27:02.000 --> 00:27:07.680

so i'm on a different computer to the raspberry pi

that's for hosting the web server i can now put in



00:27:11.520 --> 00:27:18.720

the address and as you see it's come up with

a scary message this is because we've got



00:27:18.720 --> 00:27:25.840

a self-signed certificate so what you can see

is that i although i only typed in without the



00:27:25.840 --> 00:27:35.280

https it's gone to the https site but it's put

strike through your connection is not private



00:27:37.120 --> 00:27:45.280

be careful what information you give basically

and it shows that the security certificate



00:27:45.280 --> 00:27:50.000

is not trusted and that's because

it's a self-signed certificate so



00:27:50.960 --> 00:27:59.040

if you ever get this on a normal website then stop

what you're doing and verify before you proceed



00:27:59.840 --> 00:28:06.480

but because this is a self-signed certificate

i was expecting this so it's safe to carry on



00:28:07.760 --> 00:28:10.880

and there's more information on here and it says



00:28:13.360 --> 00:28:16.720

that it's basically not been signed by anybody



00:28:22.400 --> 00:28:24.240

the issuer is just myself



00:28:28.320 --> 00:28:38.080

so we can click proceed as you see we've got

the website before we can put in a past username



00:28:43.280 --> 00:28:47.280

password and it works in the

same way as it did before



00:28:48.560 --> 00:28:53.680

and now we can take a look at wireshark

and see what we can see using that



00:28:55.360 --> 00:29:00.480

i'm back on the raspberry pi now

i'm going to start wireshark again



00:29:02.880 --> 00:29:07.440

i do need to change my filter a little this

time because i want to be able to watch



00:29:07.440 --> 00:29:13.920

both port 80 and port 443 http and port and https



00:29:19.200 --> 00:29:22.400

port 80 or port



00:29:24.480 --> 00:29:25.840

443



00:29:29.200 --> 00:29:39.840

so i can set that go in



00:29:40.400 --> 00:29:48.640

so capturing from ethernet zero potential four

four three so if i now go on to the browser



00:29:52.880 --> 00:29:56.080

and this first bit has just



00:29:58.240 --> 00:30:02.240

loaded the first page i'm

going to put my username in now



00:30:05.360 --> 00:30:07.840

and submit the password



00:30:09.680 --> 00:30:14.400

all right so we can now take a look through

the traffic so there's quite a bit more



00:30:14.400 --> 00:30:26.800

traffic than before and see what it's found

so we can see these are some tcp handshakes



00:30:29.920 --> 00:30:35.840

so here's the handshake and during the

handshake it's basically turned around and said



00:30:37.680 --> 00:30:43.760

you're not accepted on port 80

you need to go to port 443 instead



00:30:46.320 --> 00:30:53.120

so then it starts the handshake again with

port 443 and we've got the client hello



00:30:54.880 --> 00:31:05.760

you can see it's http 1.1 but then everything

else is encrypted so server hello and



00:31:05.760 --> 00:31:11.520

again i have encrypted handshake you can't

even see which pages they're asking for



00:31:14.000 --> 00:31:23.840

I did get a certificate announce here and

then we accepted that and then carried on so



00:31:25.280 --> 00:31:31.840

sends the request again so this

is the request for the web page



00:31:36.160 --> 00:31:36.560

and



00:31:39.280 --> 00:31:46.160

basically none of this data is of

any use to the application data



00:31:46.160 --> 00:31:49.440

you can't make out what the page said



00:31:52.160 --> 00:31:59.840

and you certainly can't see any usernames or

passwords all you see is this encryption related



00:32:01.200 --> 00:32:08.160

traffic and then this is finishing

the handshake yeah so as you can see



00:32:10.240 --> 00:32:15.600

it's all nice and secure now and this is

exactly what we want we need to make sure



00:32:15.600 --> 00:32:21.520

that any data we send if

somebody is sniffing the network



00:32:24.000 --> 00:32:31.920

they basically just get encrypted data

they cannot see what pages you've requested



00:32:33.680 --> 00:32:39.200

what the information on that page was and they

definitely can't see your username or password



00:32:39.200 --> 00:32:45.920

as it was exchanged but as you can see i'll

bring up the browser this is what we see



00:32:48.320 --> 00:32:58.480

and it's allowed us to log in so as you can see

on this video basically looked at using http and



00:32:58.480 --> 00:33:04.560

as you can clearly see you can use a tool such

as wireshark monitor the network and you can



00:33:05.120 --> 00:33:10.800

see exactly what is going on between the server

and the client you can see what web pages were



00:33:10.800 --> 00:33:15.840

accessed you could see the data that was going

backwards and forwards and crucially you could



00:33:15.840 --> 00:33:21.120

see the username and password and that would apply

if you put anything into http that could include



00:33:21.120 --> 00:33:29.920

credit card details etc really it's not secure

it's you could still use it for just browsing



00:33:31.120 --> 00:33:35.440

normal websites as long as you don't mind

people being able to see your history



00:33:36.960 --> 00:33:41.600

but you definitely won't want to use

it for passing any secure information



00:33:42.960 --> 00:33:49.680

and then you've seen how we can improve our

security by reconfiguring our web server to use



00:33:50.880 --> 00:34:00.560

tls/ssl security use that encryption

encrypts the data so that you cannot



00:34:02.560 --> 00:34:08.800

read it you cannot understand it you can capture

it but unless you know the encryption keys which



00:34:08.800 --> 00:34:14.880

are kept securely on the server you can't

understand what the conversation's saying



00:34:14.880 --> 00:34:22.000

and obviously that is much more important from a

security point of view that is how banks protect



00:34:22.000 --> 00:34:31.520

your information how your information is protected

when you put in your credit card information



00:34:33.280 --> 00:34:39.440

it's really important that you always check

that you do get these secure padlocks on your



00:34:39.440 --> 00:34:47.840

web browser when you're going to a website and

you're entering personal information like that



00:34:49.920 --> 00:34:57.520

as we showed here we used a self-signed

certificate that means the web browser is



00:34:57.520 --> 00:35:06.400

not able to verify that as a valid certificate and

that's why we got a warning message you could use



00:35:06.400 --> 00:35:10.960

a free service like let's encrypt or you could use

a commercial service which will give you a proper



00:35:11.680 --> 00:35:21.040

signed certificate to say that they have proved

that it is you that is running that website



00:35:23.520 --> 00:35:28.000

so i hope this has been useful

if it has please give it a like



00:35:28.000 --> 00:35:33.200

if you found anything new please leave a

comment let me know what you think of it



00:35:35.360 --> 00:35:41.600

if you've not already subscribed please do so

and click the notification icon to get notified



00:35:41.600 --> 00:35:47.840

of when i create future videos i'll be looking

at other security related aspects on this channel



00:35:48.720 --> 00:35:54.400

both hands-on practical like this demonstration

with wireshark but also some of the theory



00:35:54.400 --> 00:35:59.280

as well so if you're interested in

learning more about cyber security then



00:35:59.840 --> 00:36:05.760

please do subscribe thank you for watching i

look forward to seeing you on a future video





Please note that this should only be used against systems where you have appropriate permissions.
