Web and Mobile Development - Secure Sockets Layer

Activity Goals

The goals of this activity are:
  1. To explain the process underlying SSL and the digital certificate for authentication and encryption
  2. To create and attach a digital certificate to a RESTful service in node.js

The Activity

Directions

Consider the activity models and answer the questions provided. First reflect on these questions on your own briefly, before discussing and comparing your thoughts with your group. Appoint one member of your group to discuss your findings with the class, and the rest of the group should help that member prepare their response. Answer each question individually from the activity, and compare with your group to prepare for our whole-class discussion. After class, think about the questions in the reflective prompt and respond to those individually in your notebook. Report out on areas of disagreement or items for which you and your group identified alternative approaches. Write down and report out questions you encountered along the way for group discussion.

Model 1: SSL Certificates

const express = require('express')
const https = require('https')
const http = require('http')   // only needed for the clear-text listener at the bottom
const fs = require('fs')       // reads the key and certificate files from disk

const app = express();

// Usual routes
app.get('/test', (req, res) => {
    res.send("Hello World!");
});

const sslOptions = {
    key: fs.readFileSync('./private_key.pem'),          // server's private key; never leaves the server
    cert: fs.readFileSync('./certificate_chain.pem'),   // server certificate (plus any intermediates)
    ca: [
        fs.readFileSync('./cert_authority.cer') //,      
        // ...
    ],
    // OpenSSL cipher list: preferred suites first, "!" excludes a suite or class.
    // RC4 is a broken stream cipher and should not be offered in production.
    ciphers: [
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "AES128-GCM-SHA256",
        "RC4",
        "HIGH",
        "!MD5",
        "!aNULL"
        ].join(':'),            
};

const httpsServer = https.createServer(sslOptions, app);
httpsServer.listen(8443, () => {
    console.log("HTTPS Running");
});

// I suggest omitting this, otherwise you have a route that can be invoked in clear text!
const httpServer = http.createServer(app);
httpServer.listen(8080, () => {
    console.log("HTTP Running");
});

Questions

  1. What is an SSL Certificate Chain?
  2. What is a Certificate Authority?
  3. Using this command, generate and use your own SSL certificate: openssl genrsa -out private_key.pem && openssl req -new -key private_key.pem -out csr.pem && openssl x509 -req -days 9999 -in csr.pem -signkey private_key.pem -out certificate_chain.pem. Add these to a node.js program and invoke an endpoint over https.
  4. Did you get a warning from your browser and, if so, why?

Embedded Code Environment

You can try out these code examples in a development environment of your choice!

Model 2: Signing of a Public Key by a Certificate Authority

[Diagram: signing of a public key by a certificate authority]

Questions

  1. Although you can self-sign a certificate, why might it be more authoritative to have a trusted third party validate your identity and sign your key to form a certificate?

Model 3: SSL Handshake and Encryption

Read this Article on SSL Certificates

Questions

  1. Is the public/private key from the SSL certificate actually used to encrypt data between the client and server? Why or why not? If not, what is used instead?

Submission

I encourage you to submit your answers to the questions (and ask your own questions!) using the Class Activity Questions discussion board. You may also respond to questions or comments made by others, or ask follow-up questions there. Answer any reflective prompt questions in the Reflective Journal section of your OneNote Classroom personal section. You can find the link to the class notebook on the syllabus.