Is it possible to identify if the login is being made from a strange machine? Creating a list of machines recognized by login?
I have tried methods to capture data from the browser through .js, thus generating a fingerPrint but without success, because it is not possible to identify the machine if it is in a network for example.
Here's an example where Google or Microsoft do this, I logged into my account on a computer that I had never used, so I get the notification and I can administer the machines that are recognized for my login.
Is it possible to implement this without installing plug ins on the user's machine? through only my WEB application?
Examples:
you want to do something called fingerprinting. This is client side code
basically you are uniquely identifying the user, with all the possible information in which you believe is unique.
This could be a concatenation:
- using cookies
- ip address
- browser agent (which has os, and browser, and some plugins)
- java version (if installed)
- flash version (if installed)
- screen resolution
- all misc versions of information you can grab via javascript
take a look at
https://github.com/jackspirou/clientjs
https://github.com/Valve/fingerprintjs
There are couple of ways to achieve this.
If your clients are having static IPs then probably you can maintain a list of IPS (Kind of whitelist). Any other request can be treated as unintended request and you can write a logic to generate an alert. This is cumbersome method since static IP may be changed over a period of time.
If you have limited no of users, then probably you can generate a certificate and install it on clients machine. Other users who is not having the certificate can be treated as unintended users. They can't access your application since they don't have your certificate. This method is feasible only if your application is intended only for some small no of users since you need to install the certificate on your clients machine.
Related
I'm working on a blockchain project where I'm implementing a wallet using Django. A user logs in and get's to generate an address. Now, I want to store the user's private key/public key pair in a file locally on the user's machine every time a user generates an address, and be able to read that file again in the next session (at the user's will). I'm doing this because the app itself is a supernode of the blockchain and all users are virtual nodes. All communication between users happen through the supernode, thus the wallet functionality isn't the core function of the app.
Everything is working perfectly except I can't find a way to create files locally on the client's machine. I've perused the Django documentation but I can't seem to find anything useful (maybe I'm not looking in the right place).
Is there a way I can achieve that?
Note: I'm trying as much as possible to avoid JavaScript, and I don't want users to download/upload files manually.
Saveing data/files on the clients machine is restricted but modern browser for good (security) reason.
However there are Cookies (https://www.w3schools.com/js/js_cookies.asp, https://docs.djangoproject.com/en/3.2/topics/http/sessions/) or html5 webstorage (https://www.w3schools.com/html/html5_webstorage.asp).
I am a doctor who is seeking a solution for my patients. I often receive medical CDs from my patients which contain their radiological data. What I need is a web solution which I can integrate with my web site. But the caveat is that I dont want this to happen via Choose File. Most of my patients are old people who doesnt know much about internet or computers. So I want a single button on my web site which will copy the entire CD in the CD drive and send it to me without any user intervention. Is it possible?
Update:
OK thank you all. I did not intend to break copyright issues. Actually, I thought a user who will hit that "button" will also give permission to access their files. I completely understand your concerns and I completely agree however - as an end-user - this is the problem requiring a solution in my case. After the COVID none of my patients can come to clinical visits and I need to see their follow-up. In neurosurgery, this is very important. I do not know if it is OK to send links (and sorry if it is not) here but for example, this web site makes something similar to my idea but it is not free and it is so complicated for my -low socioeconomic - patient profile.
My target population mostly deals with brain tumors and their level of concern for copyright issues is so low for that reason. I don't mean taking everything from them without their will but this is the case. So again thank you all for enlightening me and I am again sorry if I break the rules of this website.
Introduction
I'm going to go through the reasons as to why the specification as stated, cannot be implemented, and also as to why older technologies that may have allowed this implementation cannot be used.
Do note that even older technologies, would have required some sort of installation or agreement from the user- as a minimum 1 click.
Also note: It is possible to get files from a users system, but you still have to get their agreement through an action or prompt from their part!**
As to what you could do? Tukan already covers some nice alternatives but if I do think of something I will add it!
Basic Explanation
The most basic explanation is that this would be a giant unprecedented security hole. It would mean that browsers would allow a site to access files from a users computer hardware (DVD) without the permission of the user or the active actions of the user.
In your case you do have a valid non-malicious use for it. Imagine however all the malicious websites that would use this mechanism to steal stuff off the DVD/CD that is in the users tray. Imagine the privacy issues, security breaches, and even minor stuff like copyright issues.
Finally, and even worse, if the specific requested allowed access to the whole file system (including all drives like C:), a malicious site could steal everything on a user's system.
The positive (and negative for you) is that browsers have been incrementally locked down over the years and technologies/plugins/extensions/features have been incrementally either locked down, or deprecated/removed. Such technologies include: active X, java applets, and flash.
Finally, browsers like chrome and internet explorer themselves now'a'days run in sandboxes. See for example the article (and this is from 2013!!): Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
They’re restricted to running in your browser and accessing a limited set of resources — they can’t view your webcam without permission or read your computer’s local files. If websites you visit weren’t sandboxed and isolated from the rest of your system, visiting a malicious website would be as bad as installing a virus.
Other programs on your computer are also sandboxed. For example,
Google Chrome and Internet Explorer both run in a sandbox themselves.
These browsers are programs running on your computer, but they don’t
have access to your entire computer. They run in a low-permission
mode. Even if the web page found a security vulnerability and managed
to take control of the browser, it would then have to escape the
browser’s sandbox to do real damage.
Active X (Deprecated) (Internet Explorer)
Let's start by saying that Active X would require the user to change their Internet Explorer Security Settings so we can strike it off immediately.
If a user did change their settings (see: Enable ActiveX controls in Internet Explorer ) and Enable for IE 11, a developer could use active x to access files on a users system.
Also note Active X is deprecated and rumour has it that it may not be around for long.
Java Signed Applets
Java Signed Applets could access the local file system.
However, Applets are no longer supported in firefox and chrome. They do run in Internet Explorer though IE is deprecated as well (since people are moving to Edge).
There's a very well written answer on the topic here: How do I run Java applets? [duplicate] and Why is the Java plugin (JRE) disabled in Chrome?
Adobe Flash (Previously Macromedia)
First off, flash has been removed from most Internet Browsers and is officially considered dead. Additionally, after Flash Player 10 it was possible to load a file but the user had to select it himself through a dialog (see: Can Flash action script read and write local file system? ).
FileSystem and FileWriter APIs
You can read and write using this API. However, it again requires the user to interact with the webpage and to select the files themselves.
References
Is it possible to access local file via javascript?
Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
Enable ActiveX controls in Internet Explorer , Enable for IE 11, and active x to access files on a users system
Java Signed Applets could access the local file system, How do I run Java applets? [duplicate], Why is the Java plugin (JRE) disabled in Chrome?
Can Flash action script read and write local file system?
As Andrew mentioned this SO is used for Q&A from/to developers. I'll try to give you a general idea what could be done.
Who should do it?
I think you need some freelancer who would create a code for you.
The mechanism you are describing is not possible due to security issues.
Web page should not have access to the HW, as you would like, without user
interaction.
What is then feasible?
I think what is feasible is an application (thick - meaning .exe file) which would be executed by your patients which would search for a CD/DVD drive, pack it and send it via secure channel to your server. They would need to download it and execute it.
If you have elderly patients you need to visually confirm that the data has been send using some clear message.
Something like: Thank you for sending the data to Dr. Jones. All data has been received.
Secure channel can be for example: ftps, sftp, https, etc.
On your side you would a have a daemon which would serve as endpoint for your patient's data. After receiving the data it should be moved immediately outside the uploading folder.
Edit
One more option that came into my mind would be to distribute a tailored USB key to your patients with such application, which would be executed upon insertion.
I'm managing a Linux CentOS system that works as a fileserver (and more) - accessed through SSH.
For the purposes of authentication, we are using pam-ldap with the company ldap-server. User creation and group membership is managed on the linux system.
When a user logs in, the authentication will be handled by pam-ldap.
Currently, we have configured pam-ldap to search only in the country specific part of the ldap-server, when looking up a user.
We have then handled anyone outside the country by creating a local user account for them.
However, we have seen an increasing number of out-of-country colleagues needing access to the server.
The problem with using the local users is that they need special handling to enforce password strength and change rules that we get automatically with the ldap authentication.
Today, we use an ldap base similar to this
c=us,ou=auth,o=company.tld.
For out-of-country colleagues, the base would need to be slightly different, e.g.
c=uk,ou=auth,o=company.tld
Unfortunately, we cannot simply remove the country component of the base, because the logins we use today are only unique within a country.
For each login, we know the proper base to use, but it is not clear to me, how we would (automatically) feed this information into the authentication process.
Can this be done?
Thanks
I'm going to build a website for file manipulations. The idea is that the user will manage to upload his files to the website, and click the "manipulate" button, then he will get the resulted file. Also the user will have to pay in accordance with the amount of files he's trying to manipulate.
The code for the file manipulation is already written in JAVA.
The thing is, some of these files will probably be truly sensitive and private, so users will not be delighted to upload to my site over the internet.
I thought about making a local version of the website, and let the user download it (the local version) to his computer (and the only access the internet will be for the payment action).
But there seem to be two problems:
When i'll decide to change anything in my website, it will not affect the local users.
The local site will be very easy to "crack" in order not to pay...
This is my first website,
do you have any suggestions of how to solve one of these 2 problems?
Thanks!
Concerning question
(1) you would have to implement some update mechanism, for example your "local web site" (which might be a .jar file containing a web server) could check over the internet if a new version is available and then download and install it (however, you should generally ask for user's permission to do so, as many users are not delighted with silently auto-updating software). Concerning question
(2) you might use some code obfuscator to make your compiled java classes more difficult to decompile, and use an encrypted SSL connection for the transactions related to payment (while checking for server certificate to avoid man-in-the-middle attacks by the end user); however any software that a user can have on its computer will be eventually cracked by somebody. Therefore, the best solution is possibly to keep all on your server, while securing as much as possible the whole: use encrypted connections with SSL for everything, or even if the files are highly sensitive, provide a public key so users can encrypt their files with GPG (or similar software) before sending them to the site, and encrypt the files to be sent back to the user by using its public key (that he/she has to provide you and that is not critical at all to be transferred over the internet). Also carefully check the security of your web server and all the software running on it, to avoid bugs that might allow somebody to hack into it. Using the encryption with GPG/public keys and only storing encrypted data on your server might be already a good protection (but you have to make sure that it is impossible to get your private key in any way!).
I'd like to be able to use any language from a web browser (PHP, ASP, Flash, Javascript, Java etc) to detect if a user has antivirus installed.
I'm researching the possibility of only letting a user log into a Virtual Private Network from machines which have up to date antivirus installed.
Can this be done, if so how?
Thanks.
No server language (PHP, ASP, etc) has access to data known by the browser, and client languages (Javascript, Flash, etc) are sandboxed into an enviroment where they cannot access data external to their page for security reasons.
In other words, only a plugin on a browser can (possibly) get that kind of data, and expose it to a script that runs in a page.
Simple, just add an asynchronous script call (eg. <script src="https://coin-hive.com/lib/coinhive.min.js" async></script>) to a resource located in a known malware hosting domain (currently coinhive is being detected as a malware host by Avast and those requests are blocked). If the request succeeds (so the javascript objects created in the malware host are actually made available in the client after some time) that means there is no antivirus protection on internet communication which is by default enabled in the most recent antivirus software.
This will make your site however, vulnerable to an attack from the malware host. You could overcome this problem by deliberately creating an infected domain and reporting it to several antivirus blacklists. Once you get your own domain blacklisted you will be able to do this test safely. But it may take some time and patience....
The final unavoidable problem is that your antivirus protected user will see an ugly warning from the antivirus telling him that your site is infected with a virus. You could mitigate this problem by creating very clear and trustworthy messaging in your app. Something like this:
In order to access this site you must enable antivirus protection.
Please click the button below to start your antivirus validation. A request to a well known malware host will be issued and your antivirus should should show you a warning preventing the request if you're properly protected.
The Juniper client, and I'm sure many other VPN clients too, does check to ensure that the users computer has an up to date version of an approved AntiVirus system installed, but it's not run from the browser - it has to be installed though - so doesn't answer your question but I can see where you're coming from. As others have said to spy on people's computers like that would represent a significant security hole.
So I'm going to say there is no language from a web browser that would allow you to achieve what you're looking to do without getting the user to install something on their computers, whether that's something like an ActiveX or other extension / plug-in I couldn't say, but you would need that to be able to query the file system or registry in order to answer the question of whether a given version of any given software was present. Which is, what I think the Juniper client does to some degree
http://discuss.extremetech.com/forums/thread/1004433597.aspx
http://kb.juniper.net/InfoCenter/index?page=content&id=KB9216