Simple TLS/SSL nodejs server example

What is TLS?

Transport Layer Security (or TSL) is the successor to Secure Sockets Layer (or SSL). It, along with SSL, are the de-facto standard cryptographic protocols for secure communications over the web. TSL encrypts communications on top of a network transport layer (typically tcp), and uses public-key cryptography to encrypt messages.

Public-Key Cryptography

In public-key cryptography, each peer has two keys: A public key, and a private key. The public key is shared with everyone, and the private key is (naturally) kept secret. In order to encrypt a message, a computer requires its private key and the recipient's public key. Then, in order to decrypt the message, the recipient requires its own private key and the sender's public key.

In TLS connections, the public key is called a certificate. This is because it's "signed" to prove that the public key belongs to its owner. TLS certificates may either be signed by a third-party certificate authority (CA), or they may be self-signed. In the case of Certificate Authorities, Mozilla keeps a list of trusted root CAs that are generally agreed upon by most web browsers. These root CAs may then issue certificates to other signing authorities, which in turn sign certificates for the general public.

History of TLS/SSL Support in Node.JS

TLS support in node is relatively new. The first stable version of node.js to support TSL and HTTPS was the v0.4 branch, which was released in early 2011. Since then, the primary focus of the core developers has shifted from TLS/HTTPS to Windows support in the v0.5 branch. As such, the TSL APIs in node are still a little rough around the edges, and documentation leaves something to be desired.

read more

Linux has plenty of powerful encryption software, but what can you use if you just want to secure a couple files quickly? The OpenSSL toolkit works well for this. It comes installed with Ubuntu and can provide stronger encryption than you would ever need.

This is the basic command to encrypt a file:

openssl aes-256-cbc -a -salt -in secrets.txt -out secrets.txt.enc

How does this work?

• openssl is the command for the OpenSSL toolkit.
• aes-256-cbc is the encryption cipher to be used. (256bit AES is what the United States government uses to encrypt information at the Top Secret level.)
• -a means that the encrypted output will be base64 encoded, this allows you to view it in a text editor or paste it in an email. This is optional.
• -salt adds strength to the encryption and should always be used.
• -in secrets.txt specifies the input file.
• -out secrets.txt.enc specifies the output file.
• You will be prompted for a password.

It’s not much use unless you can decrypted it:

openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new

• -d decrypts data.
• -a tells OpenSSL that the encrypted data is in base64.
• -in secrets.txt.enc specifies the data to decrypt.
• -out secrets.txt.new specifies the file to put the decrypted data in.

But this does not make use of the public key infrastructure at all, so a bit like hammering in a nail with a screwdriver :-)

I recently decided that I wanted to lengthen the session lifetime on one of my web applications so that my users wouldn’t need to log in as frequently. However, I wanted to keep a shorter session time for the administration part of my site to keep it more secure.

Setting custom cookie lifetime:

ini_set('session.cookie_lifetime', 86400);
ini_set('session.gc_maxlifetime', 86400);
session_start();

params explanation

Defining the duration of your user’s session is something that you definitely want to consider from the outset of your development. It can affect key aspects of your application’s success, like usability and security. For example, a long browser session may increase usability, but it also means that if your user does not explicitly log out to clear the cookie for your site, then another user could come along and access the first user’s data. One way to avoid this would be to design your application so that users may access some basic features for a long time, but must re-authenticate to access more secure features like account settings. Another strategy could be to set individual session lifetimes for different areas on your site.

Setting custom cookie directory:

ini_set('session.save_path', '/admin/data/tmp/session');
ini_set('session.cookie_lifetime', 1200);
ini_set('session.gc_maxlifetime', 1200);
session_start();

Simple Explanation

• session.gc_maxlifetime - max timeout value for user inactivity, each time the user clicks a link he restarts the timeout.
• session.cookie_lifetime - the absolute maximum a session will live, if set to 0 we add a session in the users browser, if set to a different value we set a cookie to the users browser.

read more

stackoverflow
stackexchange
debian/ubuntu

Using OpenSSH on a Linux/Unix system you can tunnel all of the traffic from your local box to a remote box that you have an account on.

ssh user@personal-server.com -L 2000:personal-server.com:25

ssh-tunnel

Wrong way:

function myFunc(requiredArg, optionalArg){
    optionalArg = optionalArg || 'defaultValue';
    //do stuff
}

the logic fails if optionalArg is passed, but evaluates as false - use this as an alternative:

optionalArg = (typeof optionalArg === "undefined") ? "defaultValue" : optionalArg;

stackoverflow