  • How to automatically redirect the WordPress login and admin pages from HTTP to HTTPS

    Posted on November 16th, 2011 by webmaster. No comments

    I always get worried every time I have to log in to a website over a non-SSL connection.  When my blog didn’t support SSL (before I migrated from a shared host to my own VPS) and I had to work on it at a coffee shop, I would sometimes change my password when I got home, which of course is still not that secure, as my blog is hosted outside my local network, which I have no control over.

    A computer with a network card (wired or wireless) that supports promiscuous mode can easily sniff the packets going to and from other devices on the same local network using tools like Wireshark.  So if you’re using a public wireless access point, for example, other computers connected to that same access point could see the data you’re sending and receiving over the network.

    Even if the login form hashes the password first (using a one-way hash function such as MD5 or SHA-1), most users probably have passwords that aren’t very strong or complex, which lets an attacker brute-force the hashed passwords in a reasonable amount of time.  Advances in GPU technology and tools like IGHashGPU make cracking passwords much, much faster.

    There are also tools like Firesheep for Firefox that let an attacker impersonate you by hijacking your session cookies, since their contents can be read in plain text over an unencrypted connection.

    Automatically redirecting every WordPress page that sends authentication-related information from HTTP to HTTPS can prevent these kinds of attacks.

    If you have full control over your WordPress installation, this is very easy to do.  Just edit the wp-config.php file in the root directory of your WordPress installation and add the define('FORCE_SSL_ADMIN', true) line shown below before /* That’s all, stop editing! Happy blogging. */.

    define('WP_DEBUG', false);
    
    /**
    * Force SSL on login and admin pages.
    */
    define('FORCE_SSL_ADMIN', true);
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
            define('ABSPATH', dirname(__FILE__) . '/');
    

    More information can be found here: http://codex.wordpress.org/Administration_Over_SSL

    If you don’t have full control over your WordPress installation (such as in a shared hosting environment), you can give this plugin a try: http://wordpress.org/extend/plugins/wordpress-https/
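    As an added check that is not part of the original post and not WordPress code, the following Python 3 script audits a wp-config.php and reports whether FORCE_SSL_ADMIN is defined as true, whether it is commented out, and whether it sits before the "stop editing" marker (a define placed after that marker is too late, because WordPress has already been loaded). The config texts in the test are constructed samples; run it as python audit_wp_config.py /path/to/wp-config.php.

```python
"""Audit a wp-config.php for FORCE_SSL_ADMIN (added example, not WordPress code)."""
import re

# Matches define('FORCE_SSL_ADMIN', true); with either quote style, any case.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE,
)
# The conventional end-of-user-settings comment in wp-config.php.
STOP_MARKER = "stop editing"


def audit_force_ssl_admin(config_text):
    """Return (status, line_number) for the FORCE_SSL_ADMIN define.

    status is 'ok', 'disabled' (defined as false), 'after_marker' (defined
    below the stop-editing comment) or 'missing' (absent or commented out).
    Comment stripping is line based and does not understand '#' or '//'
    inside string literals, which wp-config.php does not need.
    """
    in_block = False
    marker_line = None
    found = None
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Locate the marker on the raw line: it lives inside a /* */ comment.
        if marker_line is None and STOP_MARKER in raw.lower():
            marker_line = no
        line = raw
        if in_block:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block = False
        if "/*" in line:
            before, after = line.split("/*", 1)
            if "*/" in after:
                line = before + after.split("*/", 1)[1]
            else:
                line, in_block = before, True
        # Drop trailing // and # comments so a commented-out define is ignored.
        line = line.split("//", 1)[0].split("#", 1)[0]
        match = DEFINE_RE.search(line)
        if match and found is None:
            found = (no, match.group(1).lower() == "true")
    if found is None:
        return "missing", None
    no, enabled = found
    if not enabled:
        return "disabled", no
    if marker_line is not None and no > marker_line:
        return "after_marker", no
    return "ok", no


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(audit_force_ssl_admin(fh.read()))
```

Anything other than ('ok', line) means the login and admin pages are still being served over plain HTTP; the line number tells you where the define was found so it can be moved or corrected.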

  • Extra secure, automated, offsite backup with TrueCrypt and Dropbox

    Posted on August 3rd, 2011 by webmaster. No comments

    I love Dropbox, it really does simplify my life.

    If you’ve never used Dropbox before, you should definitely check it out, as it’s a very painless way to synchronize files between multiple computers and it supports all major operating systems, including mobile platforms (it’s free for up to 2GB).  Your data is stored offsite, so if someone breaks into your home and steals your computer and the external hard drive lying next to it where you store all your backups, getting your data back is as simple as getting a new computer, installing the Dropbox client software and re-synchronizing your files.  You can also get access to your files via their website, so you can pretty much access your files from anywhere.

    It works really well for me as I do development work on two different machines: I have a laptop I normally keep at home and a netbook for travel or for when I just want to work somewhere else, like a bookstore or a coffee shop.  Most of the time I have an internet connection where I’m working, so I just keep my project files in my Dropbox folder, and when I go home and turn on my main laptop all the changes are automatically synchronized.  I also have an Android tablet/phone (Dell Streak), and there are times when I need to transfer files to it, so I just use Dropbox for that as well.  Another big plus is that they keep a one-month change history of your files, so you can revert to previous versions or recover deleted files!

    The connection between your computer and the Dropbox server is also SSL encrypted using 256-bit AES encryption, so it’s safe from packet sniffing.  However, things like this happen.  The people maintaining the Dropbox servers probably also have full access to your files.  So if you have really sensitive data you’d like to keep in Dropbox, you would probably want to add another layer of security, and this is where TrueCrypt comes in.


  • How to use client certificate authentication with Suds

    Posted on July 15th, 2011 by webmaster. No comments

    This is related to my last post.  I was finally able to communicate with an SSL-enabled SOAP service from my computer behind a proxy, but then ran into another problem: certificate-based authentication.

    Suds actually doesn’t support certificate authentication directly, but fortunately someone created a custom transport for it: http://stackoverflow.com/questions/6277027/suds-over-https-with-cert

    I tried his code but then ran into connection issues again, so I had to modify it a little bit to include the proxy settings in the transport.  Here’s the slightly modified code; I basically just added a proxy handler to his transport:

    import socket
    import urllib2 as u2
    import httplib
    from suds.client import Client
    from suds.transport.http import HttpTransport, Reply, TransportError
    
    class HTTPSClientAuthHandler(u2.HTTPSHandler):
        """urllib2 HTTPS handler that presents a PEM client certificate and key."""
        def __init__(self, key, cert):
            u2.HTTPSHandler.__init__(self)
            self.key = key
            self.cert = cert
    
        def https_open(self, req):
            # Rather than pass in a reference to a connection class, we pass in
            # a reference to a function which, for all intents and purposes,
            # will behave as a constructor
            return self.do_open(self.getConnection, req)
    
        def getConnection(self, host, timeout=300):
            # do_open() passes the request timeout here; forward it to the socket.
            return httplib.HTTPSConnection(host, key_file=self.key,
                                           cert_file=self.cert, timeout=timeout)
    
    class HTTPSClientCertTransport(HttpTransport):
        """Suds transport with client-certificate auth and an optional proxy."""
        def __init__(self, key, cert, proxy_settings=None, *args, **kwargs):
            HttpTransport.__init__(self, *args, **kwargs)
            self.key = key
            self.cert = cert
            self.proxy_settings = proxy_settings
    
        def u2open(self, u2request):
            """
            Open a connection.
            @param u2request: A urllib2 request.
            @type u2request: urllib2.Request.
            @return: The opened file-like urllib2 object.
            @rtype: fp
            """
            tm = self.options.timeout
    
            https_client_auth_handler = HTTPSClientAuthHandler(self.key,
                                                               self.cert)
    
            # Add a proxy handler if proxy settings are specified.
            # Otherwise, just use the HTTPSClientAuthHandler.
            if self.proxy_settings:
                proxy_handler = u2.ProxyHandler(self.proxy_settings)
                url = u2.build_opener(proxy_handler, https_client_auth_handler)
            else:
                url = u2.build_opener(https_client_auth_handler)
    
            # urllib2 before Python 2.6 has no per-request timeout, so fall
            # back to the process-wide socket default there.
            if self.u2ver() < 2.6:
                socket.setdefaulttimeout(tm)
                return url.open(u2request)
            else:
                return url.open(u2request, timeout=tm)
    
    # Test #
    if __name__ == '__main__':
        key = r'D:\key_nopass.pem'
        cert = r'D:\cert.pem'
        proxy_settings = {'https': 'http://user:password@host:port'}
        transport = HTTPSClientCertTransport(key, cert, proxy_settings)
    
        service_url = 'https://services.domain.com/test/hello.wsdl'
        client = Client(service_url, transport=transport)
        print client
    

    His code also only supports certificates and keys in PEM format, so you may need to convert your client certificate.  In our case we were issued a PKCS#12 certificate and had to extract the key and certificate to PEM format using OpenSSL:

    Extract the key:

    openssl.exe pkcs12 -nocerts -in ClientCert.p12 -out key.pem

    Extract the certificate:

    openssl.exe pkcs12 -clcerts -nokeys -in ClientCert.p12 -out cert.pem

    You may also want to remove the passphrase from the key:

    openssl.exe rsa -in key.pem -out key_nopass.pem
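    One caveat on the transport above: httplib.HTTPSConnection in Python releases before 2.7.9 does not verify the server's certificate, so the client proves its identity while the server's is taken on trust. As an added example that is not the post's code and not part of Suds, here is the same idea in Python 3 using only the standard library: a context that verifies the server and also loads the client certificate and key, and an opener with an optional proxy handler, which is what a Python 3 u2open would hand the request to. The paths, proxy address and service URL are placeholders. Because load_cert_chain accepts the key passphrase, the openssl rsa step above becomes optional and the key can stay encrypted on disk; if you do strip it, key_nopass.pem holds the private key in the clear and needs restrictive file permissions.

```python
"""Client-certificate HTTPS opener with optional proxy (Python 3, stdlib only).
Added example; not the post's Python 2 transport and not part of Suds."""
import ssl
import urllib.request


def make_client_context(cert_file, key_file, cafile=None, key_password=None):
    """Context that verifies the server (CA bundle or system store) and
    presents cert_file/key_file (PEM) to it. A missing file raises
    FileNotFoundError instead of silently falling back to anonymous TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file, password=key_password)
    return ctx


def build_https_opener(cert_file=None, key_file=None, proxy_settings=None,
                       cafile=None, key_password=None):
    """Equivalent of the opener built inside u2open(): proxy handler first
    (if configured), then an HTTPS handler bound to the client-auth context."""
    if cert_file:
        ctx = make_client_context(cert_file, key_file, cafile, key_password)
    else:
        ctx = ssl.create_default_context(cafile=cafile)  # server verification only
    handlers = []
    if proxy_settings:
        # Same dict shape as the post: {'https': 'http://user:password@host:port'}
        handlers.append(urllib.request.ProxyHandler(proxy_settings))
    handlers.append(urllib.request.HTTPSHandler(context=ctx))
    return urllib.request.build_opener(*handlers)


def configured_proxies(opener):
    """Return the proxy map the opener will use (None if it has no ProxyHandler)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return handler.proxies
    return None


def fetch(opener, url, timeout=300):
    """Open url through the opener with a per-request timeout (what u2open
    does with self.options.timeout) and return the response body."""
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder paths, proxy and URL; none of these are real endpoints.
    opener = build_https_opener(
        cert_file="cert.pem", key_file="key.pem", key_password=None,
        proxy_settings={"https": "http://user:password@proxy.example:8080"},
    )
    print(fetch(opener, "https://services.example.com/test/hello.wsdl")[:200])
```

To plug this into a Python 3 port of Suds, build the opener once in the transport's constructor and have u2open() call opener.open(u2request, timeout=self.options.timeout); the proxy credentials in the URL are sent to the proxy as a Proxy-Authorization header, so treat that dict as a secret too.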