Web Push - Do they use public servers like google etc? - web-push

As I understand Web Push, the messages are transferred over a public server like googleapi, mozilla or whatever. Is this correct?
So I can't use this functionality in a private network with a private server without access to the public network? (How can this function be used in a private environment?)

Yes, Web Push uses a public server to deliver push notifications. This is done to use just one connection to receive push notifications from multiple websites.
From Firefox documentation:
What information does Firefox use to provide Web Push?
Firefox maintains an active connection to a push service in order to receive push messages as long as it is open. The connection ends when Firefox is closed. On our server we store a randomized identifier for your browser, along with a randomized identifier for each site you authorize.
On Firefox for desktop, the push service is operated by Mozilla. Firefox for Android uses a combination of the Mozilla Web Push service and Google’s Cloud Messaging platform to deliver notifications to Firefox for Android.
In both cases, push messages are encrypted per the IETF spec and only your copy of Firefox can decipher them. The encrypted messages are stored on the server until they are delivered or expire.
Similarly, Chrome receives push notification via Google servers. If these servers are inaccessible, Web Push won't work.
One possible way to use Web Push in an isolated network is to set up your own push server. The code of Mozilla push server is available online, so with some luck you may be able to make it work in your network. Then you'll have to configure all Firefox instances to use your server (the preference is named dom.push.serverURL). I don't know if anything similar is possible with Chrome.
You may also use Notifications API to show notifications without using Web Push. This only works while the user has your website open, however.

Simple Answer: You can use it in private networks. Google/Mozilla/... is only involved, if the Website author designed it to like so. It's not required.

Related

How can client know the changing from server side?

In Node. How I can push a notify to the clients with new information that another client made changing to server, even client is offline and online back.
Ex: I logged on my account to 3 device, 1 on my laptop, 1 on my PC, 1 on my mobile. On my laptop, I change the account’s information but I leaved the browser on my PC. When server send a notify to all clients, the online devices can receive the new information, without offline device. I want when I back access to my PC, I can detect the change from server without HTTP request.
You are looking for websockets.
https://developer.mozilla.org/en-US/docs/Web/API/WebSocket

Use Electron-App (displaying an online Website) as a secure proxy to the local network

I've build a Web-App that is displayed in an Electron-App with Nativefier. That already works great, but now i need to send requests from the website to the local network to talk with some local devices which are (with it's ip-address) configured in the Web-App.
I had the idea to use the Electron-App as a "proxy" to the local network by using a javascript callback from the Website to the Electron-App (don't know if this is possible, just an idea), which then makes the local request because it's running on a computer in the same network.
The reason for this post is that i need ideas/tips to secure this and prevent allowing to talk to other than the desired Web-App (available under a certain domain) by developing something protective like checking or validating the Server, validating the request by sending it's hash back to the server or other methods.
So my questions are: is it generally a good idea to do something like this or is this a huge security problem and have anyone any tips to secure the communication and only allowing the communication to in the web-app configured devices in the local network?

why webRTC work by local Lan but not in Internet?

I create a webrtc sample based On this tutorial. this work on my local network fine and I can send and receive signal and videos. but when I connect from internet ti the server and two peer are not in same network video connection does not create.
I am using self sign Certificate and must add them two browsers.
there is no error or exception. my signaling server is a web socket server written in nodejs.
Original Answer
I believe that you require a HTTPS (SSL certificate) if you are using Chrome +47 to be deployed online, but is not required if serving from a local machine on the same network.
According to caniuse; Edge and Firefox may yield non blocking results (but prefix with moz):http://caniuse.com/#feat=stream
The issue isn't necessarily WebRTC but getUserMedia/Stream API isn't provided when the called from a non-secure site (or non-localhost address).
Attached Image:
(https://developers.google.com/web/updates/2015/10/chrome-47-webrtc)
Update:
Did a bit more digging around, and the following answer is related to the question getUserMedia() in chrome 47 without using https i.e. possible duplicate;
You "can" launch a Chrome browser to accept the insecure origin; however, that's temp. fix, whereas you'd probably want to get a certificate.
chrome.exe --user-data-dir=/test/only/profile/dir --unsafely-treat-insecure-origin-as-secure="http://example.com"

How does a server verify a client in a mulitplayer game?

So tons of games are run via custom clients (call it game.exe) but must communicate to a server. How does the developer ensure that only connections from the custom client are accepted and not any other requests, say from a web browser?
Ex: I play game.exe and my requests go thought no problem. I then submit a request to that game server using my web browser or some other POST utility, but it is ignored by the game server to prevent cheating.
Is this done via secret strings that are coded into game.exe and sent with every request? It seems to vulnerable to intercept them with a packet sniffer. Same applies with a client-side SSL certificate, someone could easily find the key file in the game files and forge requests.
Typically games that are stand alone applications - with a .exe extension on Windows, for example - do not use http as their protocols, unlike web browsers.
Irrespective of the protocol used, however, games typically send credentials - often account credentials, similar to a user name and password - when the connection is established. Many games uses a persistent TCP connection, so this only had to be done when logging in to the game.

Find out private ip when using node / socket.io?

Currently my socket.io chat app only allows 1 user per ip, which means if two people in the same house or net want to use the chat, only one of them will be able to.
Is there a way to find out what private ip a user has, besides it's public ip which i already know?
Assuming your chat app is Javascript that runs in a browser, then "No", there is no way for your server to know what the private IP address is of the end-user. If your chat app was a native app, then your native chat app could fetch the local private IP address and send it to the server. But, that can't be done from a browse without native code plug-ins.
The browser does not provide a way for Javascript to obtain the private IP address so there is no way for your chat app to send it to your server. And, there is certainly no way for the server to know the private IP address all by itself.
You can use cookies to detect multiple chat windows in the same browser open at once (cookie the first connection, then look for any other incoming connections with the same cookie). But, you cannot prevent multiple browsers using that scheme.
The usual way to deal with this is to require an account and login to that account and enforce only one login per account at a time and to require unique email addresses or even verified credit card numbers per account to discourage people making lots of accounts. Of course, there are still ways around this too (multiple email boxes or multiple credit cards), but it's enough of an obstacle to stop many and prevent large scale abuse. In general, you should design your service so if someone does this, it frankly isn't a problem.

Resources