Do I need to associate my backend API server with a domain name to get an SSL certificate for it (HTTPS)?

I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS.

I understand that in order to use Let’s Encrypt (and not pay for an SSL certificate), I have to have a domain name associated with my instance IP, since Let’s Encrypt doesn’t provide certificates for public IPs. As this is my back-end API (and not just a website), I don’t intend to buy a domain specifically for this.

  1. Can I, somehow, associate my Lightsail IP with another domain that I’ve already purchased (and is used to host my company’s landing page)? If yes, will there be any impact on my API’s performance?

  2. Is there any other alternative to obtain an SSL? (Apart from paying another CA to issue this for my public IP?)

Author: kingJulian

Is it safe to embed a google form on a website without an SSL Certificate?

I designed a Google Form for a website which does not have an SSL Certificate. I have planned to embed it onto a page using an iframe tag. I am currently testing it and have published a test page with the form, but when I fill out any of the fields Google Chrome says that the page is "Not Secure", but it is in red unlike the normal grey.

The form is not asking for any information such as credit card numbers, but it is asking for name, email, and some other information.

Is it safe to embed the Google Form, or does the site need an SSL Certificate?

Author: Vtex

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or use Bouncy Castle (which I’m still not sure runs on Linux .NET Core).

I really appreciate your help!

Author: NOP-MOV
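One way to carry out steps 3 and 4 of the flow above with the built-in .NET APIs and no Bouncy Castle, as an added example that is not the poster's code: a custom X509SignatureGenerator whose SignData call is the only place the CA key is used, so the key itself stays in the HSM. It assumes .NET 7 or later (for CertificateRequest.LoadSigningRequest and System.Formats.Asn1), a hypothetical IHsmSigner interface standing in for the Key Vault CryptographyClient.SignData call, and that the HSM returns the ECDSA signature as raw r||s.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical HSM boundary: signs SHA-256(data) with the CA key out of process and returns r||s
// (IEEE P1363), the JWS-style form Key Vault's CryptographyClient.SignData returns for ES256.
public interface IHsmSigner { byte[] SignSha256P1363(byte[] data); }

// The CA private key never enters this class: SignData leaves the process, while the public-key and
// AlgorithmIdentifier parts come from the built-in ECDSA generator, which needs only the public key.
public sealed class HsmEcdsaSignatureGenerator : X509SignatureGenerator
{
    private readonly X509SignatureGenerator _inner;
    private readonly IHsmSigner _hsm;
    public HsmEcdsaSignatureGenerator(ECDsa caPublicKey, IHsmSigner hsm)
    { _inner = CreateForECDsa(caPublicKey); _hsm = hsm; }
    protected override PublicKey BuildPublicKey() => _inner.PublicKey;
    public override byte[] GetSignatureAlgorithmIdentifier(HashAlgorithmName hash)
        => _inner.GetSignatureAlgorithmIdentifier(hash);
    public override byte[] SignData(byte[] tbsCertificate, HashAlgorithmName hash)
    {
        if (hash != HashAlgorithmName.SHA256) throw new NotSupportedException(hash.Name);
        byte[] rs = _hsm.SignSha256P1363(tbsCertificate);
        // X.509 carries ECDSA signatures as DER SEQUENCE { INTEGER r, INTEGER s }, not raw r||s.
        var writer = new AsnWriter(AsnEncodingRules.DER);
        using (writer.PushSequence())
        {
            writer.WriteIntegerUnsigned(rs.AsSpan(0, rs.Length / 2));
            writer.WriteIntegerUnsigned(rs.AsSpan(rs.Length / 2));
        }
        return writer.Encode();
    }
}

public static class CsrIssuer
{
    public static X509Certificate2 Issue(byte[] pkcs10, X509Certificate2 caCert, IHsmSigner hsm)
    {
        // Default load options check the CSR's own signature (proof of possession of the client key)
        // and drop any extensions the client asked for; the CA sets its own below.
        var req = CertificateRequest.LoadSigningRequest(pkcs10, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // RFC 5280 requires a positive serial number
        var gen = new HsmEcdsaSignatureGenerator(caCert.GetECDsaPublicKey()!, hsm);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return req.Create(caCert.SubjectName, gen, now, now.AddDays(90), serial);
    }
}
```

For a local test double, an in-memory ECDsa implementing IHsmSigner via `SignData(data, HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldSize)` produces the same r||s shape, and the issued certificate can then be checked with X509Chain against the CA certificate before it is returned to the client.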

BREACH attack in HTTPS

Ref: http://www.breachattack.com/

This attack is old and works against HTTP compression like gzip. It is possible when an attacker can find a secret in the HTTP response, when the server accepts a query parameter and reflects it back in the response, and when the attacker can measure the gzip size.

But how can the attacker measure the size? Can domain a.com make a request to b.com and measure the size of the gzip response when the same-origin policy is in place?

If the attacker has to calculate the gzip size by doing MITM, then the TLS in HTTPS will prevent that. What am I missing here?

Author: Arul Anand M