KB SSL Enforcer is a Google Chrome extension that allows you to enforce SSL encryption on websites and services that support it. If it detects that a site is offering both http and https connections, it will automatically connect the user to the more secure https connection to improve online security.

The extension handles the detection and switching to SSL automatically. The concept is very similar to HTTPS Everywhere for the Firefox web browser, with the difference that HTTPS Everywhere only enforces SSL on sites in its database (with options to create your own rule sets).

The extension maintains a list of sites supporting SSL that you have accessed in the cache to speed up future connections.

You may however come upon sites sometimes that do not work properly when connecting to them via https. A blacklist is provided that will block the automatic redirection to https for listed sites. Open the settings of SSL Enforcer by loading the following url in the web browser (chrome://settings/extensions) and clicking on the Options link next to the extension.

The extension handles domains with and without www differently. You can change that in the options so that rules defined for a site apply to both versions.

You can also add sites to a whitelist, which you may need to do if the automatic detection does not discover if a domain supports SSL connections.

Google Chrome users can download SSL Enforcer from the official Chrome web store.

But setting up a secure web server isn’t complete without the inclusion of SSL and certificates. If you are wanting to serve up sercure web pages you will certainly want your audience to be able to send them to https instead of http. So…with CentOS how do you do that? I will show you how.

Installing all of the packages

I will assume you already have CentOS installed as well as the Apache Web Server. Make sure you are able to go to the default Apache web page (or any web page on your CentOS web server), before you set up SSL. When you have all of that working you will need to install a couple of packages. This is done with the following steps:

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install mod_ssl openssl.
4. Let the installation complete.

With SSL installed and ready, it’s time to create your certificates for usage.

Creating your certificate

You will now have everything on your server to create CAs. You need to generate a private key, a csr, a self-signed key, and then you need to copy these files to the correct location. This is done with the following steps.

1. Open up a terminal window.
2. Su to the root user.
3. Generate the private key with the command openssl genrsa -out ca.key 1024.
4. Generate the csr with the command openssl req -new -key ca.key -out ca.csr.
5. Generate the self-signed key with the command openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt.
6. Move the self-signed key with the command cp ca.crt /etc/pki/tls/certs.
7. Move the private key with the command cp ca.key /etc/pki/tls/private/ca.key.
8. Move the csr with the command cp ca.csr /etc/pki/tls/private/ca.csr.

Edit the Apache SSL configuration

Open the file /etc/httpd/conf.d/ssl.conf and look for the section SSLCertificateFile. Make sure that line reads:

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Now look for the SSLCertificateKeyFile and make sure that section reads:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save that file and you are ready to restart Apache.

Restart and test

Before you try to test Apache’s new SSL feature, you must restart the daemon. To do this issue the command /etc/rc.d/init.d/httpd restart. Hopefully you will see no warnings or errors. If not, then point your browser to https://ADDRESS_TO_SERVER Where ADDRESS_TO_SERVER is either the IP Address or the domain. You should then see a warning from your browser about the certificate for the site. If you see this warning congratulations, your Apache server is now ready for secure connections.

Remember, though, you created a self-signed certificate. To get the most out of SSL you might want to purchase a CA from a trusted name like Verisign (There are, of course, plenty of other places where you can purchase those certifiacates).

Https sites are widely known in the financial sector, on shopping sites and during log ins.The session-wide encryption ensures that information entered in a session is safe from being intercepted by another user in the computer network.

Internet users can verify that the connection uses SSL by looking at the url in the address bar. The connection is secure if it begins with https. Google has created a new logo to further inform users. The Google SSL logo is another visual indicator that SSL is used to connect to Google.

In this stage SSL is only enabled for Google web search and not for other services offered by Google such as Google Maps or Google Images.

Users might also experience a slower than regular Google search experience due to the additional step of establishing a secure connection.

It has to be noted that SSL does not provide complete security. A user connecting to Google https can be sure that the traffic (like search phrases) will be encrypted while on the Google website. Most search results on the other hand make no use of https which means that it can still be possible (for an ISP or network user) to identify the target websites.

SSL will also not aid if viruses or trojans are installed on the user’s computer system.

SSL search is nevertheless a step in the right direction. It is likely that Google will roll out encryption to some of their other services in the near future.

This in theory ensures that the connection between the user’s computer and the website is secure (by using encryption and certificates). Recent findings however have shown that it is possible to intercept those communications without breaking encryption by “using forged security certificates”.

To use [it], a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

To make matters worse security researchers have shown last year how easy it is to trick a Certificate Authority into issuing a certificate.

Perspectives now is a Firefox add-on that can do things:

• If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
• It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

Even if Perspective’s primary and most advertised aim is enabling SSH-style certificate “validation” for self-signed certificates (those not issued by an established certification authority), it can be configured to act a second validation layer for CA-signed certificates too, by checking their consistency from multiple internet nodes (called “Notaries”) and/or over time:

Perspectives can be downloaded from the School of Computer Science. It is compatible with Firefox 3.x.

The second issue that the Internet Recovery Kit addresses is broken SSL support which usually comes in the form of not being able to connect to HTTPS websites properly. This too can be problematic as many financial websites and shopping websites use https for improved security.

Rizone’s Internet Recovery Kit can be used to fix both issues that have been described in the last two paragraphs. All the user needs to do is to press the right button in the software program to initiate the fix. While there is no guarantee that the program can fix the problem the chance is good that it can.

Users who want to repair Windows Update and Automatic Updates on their computer system can press the Repair WU/AU button to do so. The program will display the progress in the log at the bottom of the interface. The log can also be used to analyse what has been done to fix the problem. The Repair SSL / HTTPS button on the other hand will initiate the repair of these components in the Windows operating system.

Rizone’s Internet Recovery Kit is compatible with Windows XP, Windows Vista and Windows 7. It is a fine addition for every computer repair toolkit thanks to its portable nature, ease of use and success rate.

Visualizing secure SSL connections might be exactly what users need to avoid phishing websites but also services that are careless about sensible data (that is do not use SSL to protect the connections). Safe will color all tabs that make use of a secure SSL connection so that users of every level can identify them on first glance. It will furthermore draw a visible border in the same color around the screen to make it even easier to identify a website that is using SSL to increase the security of their users.

That visualization of a secure SSL connection should be reason enough to install it. The add-on is very handy for users who feel insecure on the Internet giving them a visual confirmation if they visit a secure website.

The extension offers a second feature that seems to be a bit buggy in the current version. It will display a status bar icon that is supposed to change color when hoovering over a form submission button that is using the SSL protocol. This means it should display a yellow color when hoovering over the login button at Gmail or PayPal.

It should also be noted that the border that is drawn around the screen will reduce the screen estate for the website. This can be problematic for users that run low screen resolutions.

There is one additional problem concerning websites that do offer HTTPS connections on most of their network but not everywhere. Mouser over at Donation Coder mentioned a hidden setting in the NoScript (check my Firefox security profile for additional information) add-on of the Firefox web browser allowing to force HTTPS connections for listed websites. This is helpful in a few cases. Some websites offer both HTTP and HTTPS connections to their servers. Another possibility are websites that make use of HTTPS connections but not on all pages.

Users with the excellent No Script add-on installed can configure sites to always use a secure https connection when they are visited. This option can be accessed by right-clicking the NoScript icon in the Firefox status bar, selecting Options from the context menu, clicking on the Advanced tab in the configuration and there on the HTTPS tab.

New websites or pages that should be forced to use secure HTTPS connections can be added to NoScript in there. The use of wildcards is possible. Users should however note that this will not work on all websites. It will obviously not work on websites that do not offer HTTPS. There are also sites that automatically redirect HTTPS requests to HTTP. Google.com is a prime example of this. If you add google.com to the list you will notice a never ending loop when opening that website because of NoScript trying to force HTTPS and Google redirecting to HTTP.

Why would someone want to force SSL in the web browser? The answer is easy: To increase security. This is an excellent way to deal with most phishing threats. Phishing sites are currently copying the looks and feels of popular financial sites. What they do not do is to make use of the https protocol. This means that those phishing pages would not even be opened in Google Chrome as they are not making use of https.

Here is the idea. Create a Google Chrome profile that forces SSL and that is purely used for accessing sensitive sites. This could be PayPal, Gmail, other financial sites and basically any site that is making use of the https protocol.

The ability to force SSL is only available in the latest developer’s build of Google Chrome. Read the Google Chrome 2 release announcement article for information on how to obtain a copy.

The force SSL option has to be supplied as a parameter during startup. This can be done by appending –force-https to the Target row in the shortcut’s properties.

Does anyone know if there is a similar option for Firefox or Opera?