TLS encryption and PageKite

By Bjarni R. Einarsson 2018-07-26, 01:31

TLS (a.k.a. SSL) is an important technology for protecting the privacy of your communication on the web, using advanced mathematics to both scramble the messages (to prevent eavesdropping) and verify the identity of who you are communicating with.

There are three ways to use TLS encryption with a PageKite connected website. They are:

1. Automatic .pagekite.me, .testing.is and .302.is encryption
2. Self-signed TLS certificates
3. Commercial TLS certificates

Each of these has its own pros and cons, all of which are described in more detail below.

Note: This page discusses encryption using the PageKite Service. If you are running your own front-end, check the Technical manual instead.

1. Automatic .pagekite.me, .testing.is and .302.is encryption

At a glance:

• Zero configuration
• Compatible with all modern browsers
• Moderate security

The PageKite Service provides automatic TLS support for pagekites with names (domains) ending in .pagekite.me, .testing.is or .302.is (the latter two are only available to subscription customers).

Thus if your PageKite is http://user.pagekite.me/, you can enable encryption simply by using the HTTPS protocol prefix when linking to your page, like so: https://user.pagekite.me/.

This feature is automatic, is included with all PageKite accounts, and is compatible with all browsers with a recently updated list of official Certificate Authorities. Note that you do not need to define an https back-end in your pagekite.py configuration for this to work, it is automatically enabled for the default http back-end.

This feature is primarily useful for those who wish to prevent casual eavesdropping, such as might occur on shared networks in schools, internet cafés or at conferences.

There are a few limitations though, which you should be aware of:

• For maximum security, you should ensure that your PageKite tunnel (the connection between pagekite.py and our front-ends) must also be encrypted. This is the default.
• Your communication could be intercepted by pagekite.net employees, law enforcement or hackers who have compromised our systems (we do our best to make sure this does not happen).
• The encryption does not work correctly for subdomain kites, like subdomain.user.pagekite.me (any name with more than two dots will not work).
• Automatic encryption does not work with CNAME pagekites.

2. Self-signed TLS certificates

At a glance:

• Maximum security
• Modern browsers only
• Website visitors must approve a security exception

Self-signed TLS certificates provide the same encryption capabilities as other certificates, but depending on how they are used they can be either the most secure type of certificate, or the least secure.

Because they are not signed by a trusted party the browsers have no automated way of knowing if the certificate is valid for your domain or not. As a result, users will be presented with a warning dialog and must create a security exception before accessing the site. Granting such an exception is very secure, as long as the details of the certificate are examined and the SHA-1 fingerprint is verified using some secure side-channel - for example over the phone or using encrypted chat.

Certificates verified manually in this way are extremely secure - even governments would have difficulties intercepting such communications undetected.

However, if the fingerprint is not verified by hand, then the certificate could trivially be forged and communications intercepted and tampered with by a "man in the middle" using freely available tools.

Self-signed certificates work with all modern browsers that support the TLS SNI extension. Older browsers will not be able to access these sites.

Using a self-signed certificate

If you are using the pagekite.py built-in HTTP server, and have the openssl tools installed, then PageKite can generate a certificate for you and use it, using a command similar to this one:

$ pagekite.py --selfsign /path/to/folder KITE.pagekite.me

For more details, please see: ShareFilesSecurely

If you want to use a self-signed certificate with some other web server (e.g. Apache or nginx), please consult that server's documentation for details, and then fly your kite using a command like this:

$ pagekite.py 443 https://KITENAME.pagekite.me/

3. Commercial TLS certificates

At a glance:

• Industry standard security
• Requires you use your own domain
• Compatible with modern browsers only

In order to use a commercial certificate, you will need to have a domain of your own and configure a CNAME kite (see: CnamePageKites). Sometimes TLS certificates are included in domain name registration fees, otherwise free certificates can be obtained from StartCom.

Note that just like with self-signed certificates, only modern browsers which support the TLS SNI extension will be able to access these sites over PageKite.

Once you have installed your certificate, configured your web server and enabled the CNAME kite, you should be able to fly your kite using a command like this:

$ pagekite.py 443 https://www.yourdomain.com/