TLS (a.k.a. SSL) is an important technology for protecting the privacy of your communication on the web, using advanced mathematics to both scramble the messages (to prevent eavesdropping) and verify the identity of who you are communicating with.
There are three ways to use TLS encryption with a PageKite connected website. They are:
Each of these has its own pros and cons, all of which are described in more detail below.
Note: This page discusses encryption using the PageKite Service. If you are running your own front-end, check the Technical manual instead.
At a glance:
The PageKite Service provides automatic TLS support for pagekites with names (domains) ending in .pagekite.me, .testing.is or .302.is (the latter two are only available to subscription customers).
Thus if your PageKite is http://user.pagekite.me/, you can enable encryption simply by using the HTTPS protocol prefix when linking to your page, like so: https://user.pagekite.me/.
This feature is automatic, is included with all PageKite accounts, and is compatible with all browsers with a recently updated list of official Certificate Authorities. Note that you do not need to define an https
back-end in your pagekite.py
configuration for this to work, it is automatically enabled for the default http
back-end.
This feature is primarily useful for those who wish to prevent casual eavesdropping, such as might occur on shared networks in schools, internet cafés or at conferences.
There are a few limitations though, which you should be aware of:
At a glance:
Self-signed TLS certificates provide the same encryption capabilities as other certificates, but depending on how they are used they can be either the most secure type of certificate, or the least secure.
Because they are not signed by a trusted party the browsers have no automated way of knowing if the certificate is valid for your domain or not. As a result, users will be presented with a warning dialog and must create a security exception before accessing the site. Granting such an exception is very secure, as long as the details of the certificate are examined and the SHA-1 fingerprint is verified using some secure side-channel - for example over the phone or using encrypted chat.
Certificates verified manually in this way are extremely secure - even governments would have difficulties intercepting such communications undetected.
However, if the fingerprint is not verified by hand, then the certificate could trivially be forged and communications intercepted and tampered with by a "man in the middle" using freely available tools.
Self-signed certificates work with all modern browsers that support the TLS SNI extension. Older browsers will not be able to access these sites.
If you are using the pagekite.py
built-in HTTP server, and have the openssl
tools installed, then PageKite can generate a certificate for you and use it, using a command similar to this one:
$ pagekite.py --selfsign /path/to/folder KITE.pagekite.me
For more details, please see: ShareFilesSecurely
If you want to use a self-signed certificate with some other web server (e.g. Apache or nginx), please consult that server's documentation for details, and then fly your kite using a command like this:
$ pagekite.py 443 https://KITENAME.pagekite.me/
At a glance:
In order to use a commercial certificate, you will need to have a domain of your own and configure a CNAME kite (see: CnamePageKites). Sometimes TLS certificates are included in domain name registration fees, otherwise free certificates can be obtained from StartCom.
Note that just like with self-signed certificates, only modern browsers which support the TLS SNI extension will be able to access these sites over PageKite.
Once you have installed your certificate, configured your web server and enabled the CNAME kite, you should be able to fly your kite using a command like this:
$ pagekite.py 443 https://www.yourdomain.com/
Comments
But if you don't, then yes the connection between your device and the relay is encrypted by default (you can switch it off), and if you're using our TLS wildcard and https:// URLs, then the connection between the client and relay is also separately encrypted.
http://name.pagekite.me/
automatically switches to:
https://name.pagekit.me/