the fast, reliable localhost tunneling solution


TLS encryption and PageKite

By Bjarni R. Einarsson 2015-01-17, 03:28

TLS (a.k.a. SSL) is an important technology for protecting the privacy of your communication on the web, using advanced mathematics to both scramble the messages (to prevent eavesdropping) and verify the identity of who you are communicating with.

There are three ways to use TLS encryption with a PageKite connected website. They are:

  1. Automatic .pagekite.me, .testing.is and .302.is encryption
  2. Self-signed TLS certificates
  3. Commercial TLS certificates

Each of these has its own pros and cons, all of which are described in more detail below.

Note: This page discusses encryption using the PageKite Service. If you are running your own front-end, check the Technical manual instead.

1. Automatic .pagekite.me, .testing.is and .302.is encryption

At a glance:

The PageKite Service provides automatic TLS support for pagekites with names (domains) ending in .pagekite.me, .testing.is or .302.is (the latter two are only available to subscription customers).

Thus if your PageKite is http://user.pagekite.me/, you can enable encryption simply by using the HTTPS protocol prefix when linking to your page, like so: https://user.pagekite.me/.

This feature is automatic, is included with all PageKite accounts, and is compatible with all browsers with a recently updated list of official Certificate Authorities. Note that you do not need to define an https back-end in your pagekite.py configuration for this to work, it is automatically enabled for the default http back-end.

This feature is primarily useful for those who wish to prevent casual eavesdropping, such as might occur on shared networks in schools, internet caf├ęs or at conferences.

There are a few limitations though, which you should be aware of:

2. Self-signed TLS certificates

At a glance:

Self-signed TLS certificates provide the same encryption capabilities as other certificates, but depending on how they are used they can be either the most secure type of certificate, or the least secure.

Because they are not signed by a trusted party the browsers have no automated way of knowing if the certificate is valid for your domain or not. As a result, users will be presented with a warning dialog and must create a security exception before accessing the site. Granting such an exception is very secure, as long as the details of the certificate are examined and the SHA-1 fingerprint is verified using some secure side-channel - for example over the phone or using encrypted chat.

Certificates verified manually in this way are extremely secure - even governments would have difficulties intercepting such communications undetected.

However, if the fingerprint is not verified by hand, then the certificate could trivially be forged and communications intercepted and tampered with by a "man in the middle" using freely available tools.

Self-signed certificates work with all modern browsers that support the TLS SNI extension. Older browsers will not be able to access these sites.

Using a self-signed certificate

If you are using the pagekite.py built-in HTTP server, and have the openssl tools installed, then PageKite can generate a certificate for you and use it, using a command similar to this one:

$ pagekite.py --selfsign /path/to/folder KITE.pagekite.me

For more details, please see: ShareFilesSecurely

If you want to use a self-signed certificate with some other web server (e.g. Apache or nginx), please consult that server's documentation for details, and then fly your kite using a command like this:

$ pagekite.py 443 https://KITENAME.pagekite.me/

3. Commercial TLS certificates

At a glance:

In order to use a commercial certificate, you will need to have a domain of your own and configure a CNAME kite (see: CnamePageKites). Sometimes TLS certificates are included in domain name registration fees, otherwise free certificates can be obtained from StartCom.

Note that just like with self-signed certificates, only modern browsers which support the TLS SNI extension will be able to access these sites over PageKite.

Once you have installed your certificate, configured your web server and enabled the CNAME kite, you should be able to fly your kite using a command like this:

$ pagekite.py 443 https://www.yourdomain.com/

Comments

  1. Micah Nordland said on 2015-04-23, 03:57
    Note that SSL3 is enabled and even if you use your own cert and configure your server to not support it, it will affect your SSLLabs grade. As far as I know, your browser gets the right one. I also don't know what effect on security it has.
    Permalink

Leave a comment

( (Please leave these blank: )

We use Gravatar for commenter's photos. Get your own, it's free!

Wiki

Links