2

I'm trying to plan a demonstration for my young students about SSL/TLS and how HTTPS works. Is there any tool around to help my purpose?

The students will be adults who know nothing about Internet Security. Therefore I'm not looking for a deep academic approach to the subject but a general touch of it, covering such aspects as what it is, how it works and why it is important. Instead of just talking and presenting it to them, I would like to know if I could also use a tool or something to demonstrate its use practically.

Anders
Rodotheos
  • What about keeping the SSL/TLS separate from the HTTP part? Simulate sending simple plain text messages around encrypted with openssl/libressl. Stick to one concept at a time. It's not false to say that HTML is just plain text messages which have been formatted in a certain way, so don't get hung up about the exact format. – cryptarch Nov 07 '18 at 07:49
  • What resources will you have for the "tools" you are looking for? Will you, for example, be able to run scripts, show Wireshark in action, etc., or are you limited to showing them some diagrams, animations, videos etc.? How much time will you be spending on the topic? What is the learning purpose of your audience -- why are they interested in learning about this, and how will they use the information they take from your demonstration? – Johnny Nov 07 '18 at 08:14
  • We have access to a computer lab, where yes, we could run scripts, use Wireshark, even Kali Linux. For this practical demonstration we plan to spend a maximum of 30 to 45 minutes. The purpose of the seminar is to keep the local community aware of cyber security issues. The students will be mainly business people - employees or anybody interested in the topic. – Rodotheos Nov 07 '18 at 08:49

4 Answers

7

Do what amounts to a "magic trick". Set up:

  • a web server with a basic login page and a file upload feature
  • a client machine with a web browser for a student to use
  • a sniffing machine

Get the user to log in with any username and a fake password, make a Word file (or similar) with a message and upload it.

Use the sniffing machine to discover the password and save the Word file and read the message. All of this is scriptable on the sniffing machine.

Then you explain the magic trick, show them the password string in the capture, then turn on TLS and show them the encrypted text.

schroeder
2

I used the e-mail system for that purpose.

If there's an e-mail server/system that you can use with both port 25 and a TLS port, then all you need is a network traffic capture tool like Wireshark.

When a user uses the e-mail client to send/receive e-mails, it will first have to log into the server. Without TLS, you will be able to see its password in plain text. With it, you will not. You will see encrypted content.

Overmind
-1

I will basically use two tools for that. The first one will be a very easy Python script with the requests module that does a basic HTTP request to a known server, while capturing the traffic. The students will see what goes over the wire. After that I will change the HTTP request to HTTPS and capture the traffic again so they can see the differences, and you can introduce TLS and so on.

camp0
  • 3
    Wouldn't you just use a browser to perform the request? That makes it recognizable for the students. – Sjoerd Nov 07 '18 at 08:54
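An added example, not part of any answer on this page: a short Python sketch of what the capture in the demonstrations above lets an observer read, for the same login sent without and with TLS. The capture bytes are constructed (the TLS payload is filler standing in for ciphertext), and the function names, host and credentials are hypothetical.

```python
import struct
from urllib.parse import parse_qs

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_tls_records(data):
    """Walk TLS record headers: 1-byte type, 2-byte version, 2-byte length."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in TLS_TYPES or major != 3:
            return None                      # not a TLS record stream
        if pos + 5 + length > len(data):
            break                            # truncated capture: stop at last full record
        records.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return records or None

def parse_http_request(data):
    """Return method, path and form fields of a plaintext HTTP request, else None."""
    head, sep, body = data.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(b" ")
    if not sep or len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"method": parts[0].decode(), "path": parts[1].decode(), "form": fields}

def observer_view(data):
    """What someone capturing this TCP payload can read from it."""
    records = parse_tls_records(data)
    if records is not None:                  # only record type and length are visible
        return {"protocol": "tls", "records": records, "readable_fields": {}}
    req = parse_http_request(data)
    if req is not None:
        return {"protocol": "http", "request": f"{req['method']} {req['path']}",
                "readable_fields": req["form"]}
    return {"protocol": "unknown", "readable_fields": {}}

# Constructed sample: the login POST from the demo, sent without TLS.
FORM = b"username=student1&password=NotARealPassword"
HTTP_CAPTURE = (b"POST /login HTTP/1.1\r\nHost: demo.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: " + str(len(FORM)).encode() + b"\r\n\r\n" + FORM)
# Constructed sample: one application_data record; the payload is filler, not real ciphertext.
FILLER = bytes((i * 37 + 11) % 256 for i in range(len(HTTP_CAPTURE) + 24))
TLS_CAPTURE = struct.pack("!BBBH", 23, 3, 3, len(FILLER)) + FILLER

if __name__ == "__main__":
    for capture in (HTTP_CAPTURE, TLS_CAPTURE):
        print(observer_view(capture))
```

The TLS result still lists the record type and length, which is worth pointing out to a class: encryption hides the content, not the fact or size of the exchange.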
-1

There's obviously tons and tons of resources out there for this sort of thing, and a lot of them are probably what you're looking for. Depending on the types of content you need, I'd recommend you check out 2 things in specific:

As @zaph pointed out, the HTTPS comic does get some information wrong about how browsers present the existence of an HTTPS connection. See their comment for details. The whole comic isn't useless obviously, but I would definitely be sure to correct that at some point in your presentation.

schroeder
securityOrange
  • 1
    Interesting comic, too bad it makes the mistake of saying that the padlock icon being green means it is secure. The comic site is HTTPS and the padlock is not green. The color is also browser specific: Safari, Firefox and Chrome differ for https://www.nytimes.com. The green means extended certificate owner validation; the comic will give the impression that most HTTPS sites are not secure. – zaph Nov 07 '18 at 15:12
  • Yeah, agreed. That's a good callout @zaph. Even still, in my opinion, with the proper caveat it provides some good information for people just learning about browser security, but you're definitely right that it isn't completely accurate. – securityOrange Nov 07 '18 at 15:23
  • 1
    The OP stated the desire for a demonstration. – schroeder Nov 07 '18 at 15:33