Protecting Your Website From Sniffers and Hackers

Securing your site is one of the most important things to think about when creating and managing your own website. What most people do is use SSL certificates to encrypt their website's traffic. But the question is, are they really secure?

One of the things I've been working on for the past few days was making sure that one of the websites we created was really secure, even though we used SSL for it.

SSL and Sniffers, what are they?


An SSL (Secure Sockets Layer), simply put, is a technology commonly used to encrypt data transferred between a web server and the browser. This ensures that the data passed between the server and the client stays private through encryption. SSL certificates are commonly used for websites that allow transactions and manage databases that store important information.

A sniffer is a tool commonly used by hackers to gather information, steal data and/or spy on network activity. Technically it intercepts traffic on the network and listens to or logs information such as usernames and passwords as they pass by. So yeah, even having SSL may not protect you completely, especially with sniffers on the network.

Other things to watch for...


Well, here is a list of a few items to check to be sure that everything is fine.

  1. Hide your server information, especially those version numbers!


    They say that the best way to attack an enemy is to attack it from the inside. Since the most effective way of breaking a system is to know how it works, just knowing the version of your software (like Apache) may be enough for someone to find a way into your system.


    Default error pages for 404 and 500 show the OS and server version even without sniffing. Most of the time they also include other software-related information.

    To resolve this, edit your Apache configuration (either httpd.conf or apache2.conf, depending on your version) and add these two lines:

    ServerSignature Off
    ServerTokens Prod

    If you are using WHM, you may find a setting there that can do this without going to the file itself.

  2. Cross Frame Scripting

    This method places a web page of the target site inside an iframe (HTML frame). Exploiters usually direct users to a website they control and use the frame to display the target website. This way users see the site they wanted to visit and yet don't know they are actually on a different website.

    There are two methods of solving this (NOTE: even though these methods are not completely bulletproof, I recommend using both at the same time):

    1. Via Meta tags: <meta http-equiv='X-Frame-Options' content='deny'>

    2. Via HTML/CSS/JS:

      Add this CSS on your HTML:
      <style id='hideBody'>.body{display:none !important;}</style>

      Then in your HTML, add a class body in your body tag, similar to this:
      <body class='body' >

      Then at the bottom, add this JS:
      <script type='text/javascript'>
       if (self === top) {
        // Not framed: remove the style that hides the body so the page becomes visible.
        var a = document.getElementById('hideBody');
        a.parentNode.removeChild(a);
       } else {
        // Framed: break out by pointing the top-level window at this page's own address.
        top.location = self.location;
       }
      </script>


      Technically, this code detects whether the web page is loaded in an iframe. If it is, it reloads the top window with the web page's own address; otherwise it just removes the CSS that hides the content.

  3. Weak ciphers and protocol issues


    A cipher suite is a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms. It is used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) protocol.

    Honestly, I'm still working on my knowledge of this ciphering thing and I don't know much about it, though one of the things I've done (as instructed by security testers) is to restrict the protocols mentioned above (meaning I had to disable both SSL 3.0 and SSL 2.0). To do so, simply add this to your Apache configuration:

    SSLProtocol all -SSLv2 -SSLv3

    Weak cipher suites should also be disabled. Technically, I usually retain strong encryption and above only (128 bits for strong, 256 for very strong). Having weak cipher suites is not advisable since they can be easily exploited by hackers. You can start with this cipher suite configuration (added to the Apache configuration), though you can play with it later on:

    SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

    I won't discuss here how to create or read the cipher string, but reading the OpenSSL website might help you understand it better.

    You may also use SSL Labs to check your configuration.

  4. Security Flag for an SSL cookie


    When using SSL certificates, make sure that all your connections are really secured, and this includes your cookies.

    Resolving this is usually language- or framework-dependent. For PHP users, it is as simple as adding (or uncommenting) session.cookie_secure = 1 in your php.ini.


    For Rails users like me, you can add config.force_ssl = true to your configuration (I advise placing it inside environments/production.rb since you'll rarely need it in development mode).
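    What the PHP and Rails settings above actually produce is a Secure attribute on the Set-Cookie header, so the browser never sends the session cookie over plain HTTP where a sniffer could read it. The added example below, which is not code from the original post, builds such a cookie and audits a response's Set-Cookie headers the way a tester would. Function names are this example's own, and the unflagged PHPSESSID header is a constructed sample of a default cookie.

```javascript
// Added example (not from the original post): build a session cookie with
// the Secure flag and audit Set-Cookie headers for missing protections.

// Secure: only sent over TLS. HttpOnly: not readable by page scripts.
// SameSite=Lax: not attached to cross-site POSTs.
function buildSessionCookie(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    if (i === -1) attrs[a.toLowerCase()] = true;
    else attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Audit a list of Set-Cookie header values; one finding per missing protection.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure flag (sent over plain HTTP)`);
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly`);
    if (!('samesite' in c.attrs)) findings.push(`${c.name}: no SameSite attribute`);
  }
  return findings;
}

// Constructed sample response: a bare default-style cookie next to a hardened one.
const SAMPLE_RESPONSE_COOKIES = [
  'PHPSESSID=abc123; Path=/',
  buildSessionCookie('_app_session', 'tok-456'),
];
```

`auditCookies(SAMPLE_RESPONSE_COOKIES)` reports three problems, all on the first cookie, and none on the one built by `buildSessionCookie()`; the same check can be run over the Set-Cookie headers of any real response to confirm that the php.ini or Rails setting took effect.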

  5. Don't relax with just FTP


    FTP is fine if you are just transferring data, but we can always make it more secure.

    First, disable anonymous login; enabling it is like inviting hackers into your house so they can throw trash or bombs inside.

    You can also use SFTP or FTPS to secure this. With SFTP, you can close the usual FTP port (21) and use the SSH port (22) instead.
