I have a web application that will be used by customers in intranets. It uses features that require a secure context, such as getUserMedia. What is the best practice for this these days?
Customers will have little technical knowledge and the app may be used by people just passing by, so creating and installing a certificate authority on the browsers is too cumbersome. There is no guarantee that there will be an internet connection all the time, although it's acceptable to require it during installation. A warning message for the TLS certificate is acceptable (not ideal, but it could be explained), but self-signed certificates do not solve the problem, as they're still considered insecure contexts. I'll have no control over the intranet, and the device running the service may be accessed by IP only, without a hostname or a local DNS server.
What alternatives are there to get a secure context that are as frictionless as possible?
solution based on Chrome 88 no guarantees for earlier and later versions.
Server:
Nothing special must be accessible by IP or DNS
Client side:
Batch File that will be a shortcut on user's desktop and starts web app in chrome as an application - separate window.
the use of start "WEB APP" /MAX ... is to make sure that the cmd window of batch file will disappear as fast as possible.
#Echo off
set WEB_APP_URL=http://app.ip.or.dns
start "WEB APP" /MAX "C:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=%WEB_APP_URL% --allow-running-insecure-content --ignore-certificate-errors --app=%WEB_APP_URL%
if you want to have this application a totally different chrome profile
add this
set COMMON_USER_DATA_DIR=C:\\Users\\Public\\YOUR_APP\\
--user-data-dir=%COMMON_USER_DATA_DIR% --profile-directory=Default --allow-profiles-outside-user-dir
Related
1I have an app installed on my android device that shows me if the SHA256 fingerprint has been changed. It often shows that it has been altered when I run it for YouTube.com and it once showed for Instagram.com. I tried using a VPN and it didn't show afterwards.
The app basically says that it detects the SSL interception of web traffic which will decrypt an encrypted session. The test is accomplished by comparing the HTTPS certificate fingerprint of the website on your device vs the fingerprint shown on an external server.
I'm curious if it is really a concern as I do a lot of private video calls on Instagram. Are those getting recorded or anything without my knowledge?
PS: I do not have any shady app on my device.
Check the actual certificate the sites return. Certificates will expire after a while, meaning they get replaced with new versions.
Besides that, bigger sites with multiple datacenters, such as YouTube (Google) and Instagram (Facebook), might even use different certificates for different regions. This would explain why it doesn't show up while using a VPN. Also because of IP routing, special server configurations, ... you might end up connecting to different servers/regions (with different certificates) from day to day or so.
Assuming that the certificate is properly signed, valid and not revoked, you should be fine, even if the fingerprint changes. For malicious people to perform a man-in-the-middle attack with a valid SSL, they'd either need to have a valid certificate themselves (which would get revoked), access to the site's servers (which is a lost cause) or add a malicious root certificate to your device (which is a whole other problem).
The test is accomplished by comparing the HTTPS certificate
fingerprint of the website on your device vs the fingerprint shown on
an external server.
Mind that that external server might also have a different/outdated fingerprint compared to you, for any of the reasons above or others.
I'm building a React website that I want to use WebRTC to basically be able to make audio/video calls to other devices, only on my local network. Because the getUserMedia requires HTTPS, I'm running into issues whereby I basically have to bypass the SSL warnings (the "visit website anyway" buttons), which I don't want to do.
I'm using my laptop to act as the connection broker/signaling server to allow the clients to connect with each other--if I downgrade the capabilities to HTTP for text chat only, this works great--but the whole purpose is to use audio/video, so I need that SSL layer.
My question is: how do I setup the SSL layer properly so that I don't have to bypass the warnings and accept a self-signed certificate?
Strictly speaking, the self-signed certificate does work and I can do this using it, but it seems self-defeating, so it's not really the way I want to go.
Again, this is only for intranet usage, so I don't know if that makes it easier or harder, but that's my constraint.
EDIT:
The server is written in NodeJS. I've found some documentation suggesting that Node can be given additional CAs (e.g. NODE_EXTRA_CA_CERTS). Is this something that I can leverage? Would a client html page utilize this in any meaningful way?
This link seems promising: https://engineering.circle.com/https-authorized-certs-with-node-js-315e548354a2. The main thing I'm not understanding is how I would utilize that ca: fs.readFileSync('ca-crt.pem') line for a given request, as it seems like the code there is actually making the request (but one would have already been made to the server in my case, no?). https://nodejs.org/api/https.html#https_https_request_options_callback seems to indicate something similar, as well.
It is totally possible to register a domain name, and then point it at something in the Private Address Range. I do this for local development sometimes. I registered pion.io and got a wildcard cert via LetsEncrypt.
You could also use mkcert. Then either in /etc/hosts or in your router itself you can give a FQDN to your signaling/web server.
There is also the --unsafely-treat-insecure-origin-as-secure argument for Chromium, I haven't used it lately though not sure if it still works.
An existing Win2016 server with IIS10 prompts for creds on a simple website set up with Windows Authentication. A new server does not.
I have an existing Win2016 server running IIS. I set up a simple website with one .htm page that says Hello World. If I turn on Windows Authentication only, the browser continually prompts for username/password. I want Kerberos authentication only, so the Providers list contains Negotiate only. Enable Kernel-mode authentication is selected. The app pool is running as Network Service. The target browser is Chrome.
After many hours going nowhere with this problem, I decided to build a new box with the same spec. After setting up the site in the same way, I do not get prompted by the browser! Strange!
Both boxes are domain joined and seemingly have the same GPOs applied.
Can anyone advise on how I can get the first server to behave like the second? Unfortunately moving to the new box is not an option at this stage. Any help on a structured methodology for diagnosing the Kerberos exchange between server and client would be most helpful.
Thank you.
I've been asked to support 2 URLs for JMX access to our server:
A secure one (service:jmx:rmi://localhost/jndi/rmi://localhost:2020/jmxrmi)
An insecure one: (service:jmx:rmi://localhost/jndi/rmi://localhost:2020/insecure-jmxrmi)
The insecure one is primarily for demo purposes - no it won't be used during production.
I can create a custom ConnectorServer for /jmxrmi and provide an interceptor to use our security mechanism to verify credentials. If I just create a vanilla second ConnectorServer (no 'env' properties), however, using jconsole -debug to access it initially tries secure access, and puts up the dialog about that failing, then asking if I want to try it insecurely.
The docs I've read from Oracle/Sun indicate that I can disable password auth and SSL using a couple of command-line -D switches. But then does that not mess with the /jmxrmi secure access?
How do I support both secure and non-secure connections at the same time? Note that I don't need them using the same URL, of course.
Thanks!
This is a tough one. When you disable auth and SSL you do it per JVM.
The JMXRMP protocol can not distinguish between secured and non-secured connection. You either set up the security and it will be used or not. I think the best shot would be using a custom ConnectorServer and put up with the messages JConsole produces.
I configured my Jenkins server to only use HTTPS and enabled security.
As well I don't like anybody who's not logged on to see the Dashboard (even if it would be empty). Here for I disabled the 'read' access for 'anonymous'.
So far all this works exactly to my likings :)
But wanting to add some build notification functionality to remote clients by e.g. using something like 'CCtray' I run into trouble. The access to the https://<SERVER>/cc.xml now only works for logged in users.
Where I would have liked to be able to get those notifications for 'anonymous'.
Probably combining these wishes is kind of contradictory - I suppose?
Maybe someone has a better idea which could match my likings?
Possibly any other notification tool which can be used???
For the Mercurial hook triggering the sw-builds I can use a construction like
curl --cacert <CERTIFICATE> https://<USER>:<PASSWORD>#<SERVER>/job/MyPROJECT/build?delay=0sec
But a similar approach for the URL in CCtray doesn't seem to work.
I've just started using the cctray Jenkins transport extension. Early days, but it seems to work as advertised and is connecting to our secure server perfectly happily.
Currently, the only significant limitation seems to be that if your password expires there's no way to re-enter your credentials.
For Jenkins servers without anonymous access, you can use Catlight build notification tool. You can provide access token or username/password to authenticate to your server.
I you have a self-signed ssl certificate, make sure that you add it to trusted by OS. That way, most applications will recognize it and connect to server without warnings.
Adding to #MrBlueSky 's answer, you can avoid the password expiration hassle; simply use a Jenkins-issued API Token instead of your password.
Log into Jenkins
Click your username (in the upper right corner)
Click Configure (in the left navbar)
Click Show API Token
Use this token in place of your password when setting up the Jenkins Transport settings