Feature Request: Support for TLS #236

Closed
t3chn0m4g3 opened this issue Feb 21, 2020 · 12 comments

Comments

@t3chn0m4g3 (Contributor)

Most websites are running on TLS today, which attackers will most likely focus on. It would be great if Snare had the option of using TLS.

@glaslos (Member) commented Mar 19, 2020

@t3chn0m4g3 why not run a proxy like caddy with TLS and auto-renew in front of your SNARE instances? I would prefer to keep the SNARE complexity low.

@t3chn0m4g3 (Contributor, Author)

@glaslos Thanks for your feedback. Yes, this is possible of course; however, if you look here you will hopefully agree that introducing Caddy (which is great) would only introduce another point of failure and increase the complexity of analyzing logs / events in just one place.
However, I cannot really assess how complex a TLS implementation in SNARE would be. Please give it some thought; I will trust your opinion on this.

@glaslos (Member) commented Mar 19, 2020

It kind of depends on how we want to implement #36. If SNARE does multi-site, then we could also do TLS in SNARE; if we recommend one SNARE instance per site, then it would make more sense to also do TLS in the proxy doing the vhost.

@t3chn0m4g3 (Contributor, Author)

Thanks for the feedback. Is #36 part of GSoC 2020?

@glaslos (Member) commented Mar 23, 2020

Probably; @afeena is quite open and will plan the features with the student.

@afeena (Collaborator) commented Mar 23, 2020

I think it might be a good task to work on :) I am definitely up for spending some time on it.

@t3chn0m4g3 (Contributor, Author)

Sounds great :) Thx.

@Parth1811 (Contributor)

@t3chn0m4g3 @glaslos I am planning to include this in my GSoC proposal. I was thinking of adding TLS without doing the multi-site support. I wanted to know what problems I will run into, and what approach you would recommend taking.

@glaslos (Member) commented Mar 30, 2020

Generally, any site will need a separate certificate, so I think you are fine suggesting this for a single-domain approach. It would be nice if you added some thoughts on how to scale to multiple sites.
I'd like to see a solution where certificate renewal is taken care of automatically. Check out how this works for Let's Encrypt.

@t3chn0m4g3 (Contributor, Author)

@glaslos @Parth1811 I do not think every site needs its own cert, since Let's Encrypt supports wildcard certificates with certbot 0.22.0.
However, there is a number of users running their honeypot on DSL with a dynamically assigned IP / DDNS, which will not allow for official certs. At least out of the box there should also be support for a self-signed cert. While Let's Encrypt supports localhost certs, which would be OK for that, I could not find support for wildcards in that regard.

@Parth1811 (Contributor)

@t3chn0m4g3 @glaslos Regarding wildcard certificates, Let's Encrypt only supports them in ACMEv2, for which you have to get validated using the DNS-01 challenge, which would be difficult with a dynamic IP/DDNS.
For localhost, what I understand is that we have to generate a private key and a self-signed certificate and configure the locally trusted roots.

So my plan of action would be to provide two methods of certificate generation:

  1. Locally, for localhost and local networks
  2. Using Let's Encrypt for deployment servers

Also, I think each site will need a different certificate. We can do a certificate management task at the beginning of each SNARE instance for the different sites. Correct me if I got something wrong :)

@glaslos (Member) commented Mar 30, 2020

Yeah, wildcards only solve the problem for subdomains; I'm usually setting up multiple FQDNs. Do some research on how difficult this is in Python and let me know what you find.
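The two open questions in the thread (a self-signed "local" option, and how one SNARE listener would scale to several FQDNs when each site needs its own certificate) can be shown in plain Python without any proxy. The block below is an added example written for this page; it is not SNARE's code and not what the GSoC work implemented. It assumes the `cryptography` package is installed, mints one self-signed certificate per site, and uses the standard library's `SSLContext.sni_callback` to hand the matching certificate to the client during the handshake. The host names (`honey.example.org`, `*.example.org`) are made up, and the handshake is driven over `ssl.MemoryBIO` so it runs offline with no sockets. It also shows the point glaslos makes about wildcards: `*.example.org` covers one label, so `a.b.example.org` falls through to the default vhost and fails hostname verification.

```python
# Added example, not SNARE project code. Assumes the `cryptography` package;
# host names are invented. Demonstrates per-site self-signed certs selected
# by SNI, plus the one-label limit of a wildcard certificate.
import datetime
import ssl
import tempfile
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_self_signed(hostnames, days=90):
    """Return (key_pem, cert_pem) for a self-signed EC cert. Every name goes
    into the SAN (modern clients ignore the CN); the first also becomes CN."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))  # clock skew
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName(
            [x509.DNSName(h) for h in hostnames]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                       critical=True)  # a leaf cert, not a CA
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def select_site(server_name, sites, default):
    """Map the SNI name to a configured site: exact match first, then a
    one-label wildcard ('*.example.org' covers 'a.example.org' but not
    'a.b.example.org'), else the default vhost (also used when no SNI is sent)."""
    if server_name in sites:
        return server_name
    if server_name:
        _, _, parent = server_name.partition(".")
        if parent and "*." + parent in sites:
            return "*." + parent
    return default


def setup_sites(site_names, default, workdir=None):
    """Mint a cert per site into workdir and build one SSLContext per site.
    Returns (server_ctx, trusted_pem): server_ctx swaps contexts on SNI,
    trusted_pem is the bundle a test client pins as its trust store."""
    workdir = Path(workdir or tempfile.mkdtemp())
    contexts, trusted = {}, b""
    for i, name in enumerate(site_names):
        key_pem, cert_pem = make_self_signed([name])
        key_path, cert_path = workdir / f"site{i}.key", workdir / f"site{i}.pem"
        key_path.write_bytes(key_pem)
        cert_path.write_bytes(cert_pem)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.load_cert_chain(str(cert_path), str(key_path))
        contexts[name] = ctx
        trusted += cert_pem

    def on_sni(sslobj, server_name, _ctx):
        # Runs mid-handshake; replacing the context replaces the cert served.
        sslobj.context = contexts[select_site(server_name, contexts, default)]

    server_ctx = contexts[default]
    server_ctx.sni_callback = on_sni
    return server_ctx, trusted.decode()


def handshake(server_ctx, trusted_pem, server_name):
    """Run a full client/server TLS handshake in memory (no sockets). Returns
    the CN of the cert the server presented, or None if the client rejected it
    (untrusted issuer or hostname mismatch)."""
    client_ctx = ssl.create_default_context(cadata=trusted_pem)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=server_name)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    try:
        for _ in range(8):  # a handshake needs only a few round trips
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
                for src, dst in ((c_out, s_in), (s_out, c_in)):
                    data = src.read()
                    if data:
                        dst.write(data)
            if not pending:
                break
    except ssl.SSLCertVerificationError:
        return None
    if pending:
        raise RuntimeError("handshake did not complete")
    subject = dict(rdn[0] for rdn in client.getpeercert()["subject"])
    return subject["commonName"]


if __name__ == "__main__":
    ctx, trusted = setup_sites(["honey.example.org", "*.example.org"],
                               default="honey.example.org")
    for sni in ("honey.example.org", "www.example.org", "a.b.example.org"):
        print(f"{sni:18} -> {handshake(ctx, trusted, sni)}")
```

Running it prints the CN served for each SNI name; the third probe returns `None` because the wildcard does not reach a second label and the default vhost's cert fails hostname verification. The Let's Encrypt path from the thread would replace `make_self_signed` with certificate files obtained by an ACME client, and the same SNI dispatch would serve them; renewal would then just mean rebuilding the per-site contexts when the files change.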
