Is it possible to spoof or impersonate a server's IP?
So that clients wanting to connect to that Server's IP, would actually connect to the attacker's machine?
But the attacker would still be able to contact the actual server.
This is all TCP/IP based, no name resolution, and all machines are on the same network or the internet (No NAT-ing).
I am working on a networking application, and I would like to build in some authentication.
What I need to do is to authenticate the server by IP. In other words, I want to make sure that when I open a HTTPS URL to an IP Address, it will go to the machine that has that IP.
Other notes:
All communication would be over TLS, but certificates would be blindly accepted.
What I need to do is to authenticate the server by IP. In other words, I want to make sure that when I open a HTTPS URL to an IP Address, it will go to the machine that has that IP.
This is one of the features of HTTPS (SSL/TLS) - it can prevent a MITM attack and prevent the destination server from being impersonated.
Other notes: All communication would be over TLS, but certificates would be blindly accepted.
This is great, however you will need to stop certificates from being blindly accepted. You should check that the common name or subject of the certificate matches the server that you are expecting to make contact with. You should also check that the root certificate is one that you choose to trust (you could make your own root certificate that is trusted). This will prevent the server certificate being spoofed by an attacker as they will not be able to sign the certificate with the root certificate.
An alternative is certificate pinning. This will enable your application to only communicate with a pre-set list of trusted certificates that are either hard coded into your application, or that are otherwise inaccessible to outsiders on your application server.
Yes, if you can perform man-in-the-middle attack. Evil transparent proxy in your LAN can do it.
Related
I have local server in my home, which runs website, which provides some service, thanks the use of PHP. Right now I'm using the HTTP protocol, which doesn't not provide security, due to the clear-text (the is a authentication service with username and password to access the protected page). I want to upgrade to HTTPS and of course I need to use the SSL. I know what is, so I know the differences between a self-certificate, and the one issued by a company. There are different kind of class. Because I don't want that my users/friends are alerted by the browser that the SSL certificate isn't trusted, I'm asking if there is some free trusted certificate for a non-domain web server (I use my static IP to let the user access the website). In case I bought a domain (it is very cheaper), can I have a free trusted certificate from someone ? Thank you.
Regarding SSL certificates for an IP address, see the linked SO thread: Is it possible to have SSL certificate for IP address, not domain name?
If you register a domain name for your site, then you can obtain a free SSL certificate from StartSSL (https://www.startssl.com/?app=1)
I have this web app that is served via https, and now it needs to use a websocket service that is served from another server. Chrome, Firefox and Internet Explorer complain right away that if the application is secure (https), then it is not allowed to connect to an insecure websocket service (ws:// URI). Strangely, Apple Safari doesn't complain so.
Well, fair enough, I assumed any globally trusted certificate would be fine to be installed at the websocket server side, to enable secure service (wss:// URI). However the company that maintains the socket server claims that they have to install there the very same certificate that secures my web application. I read in webs that the wss will not run with self-signed certificate, but nowhere that it must be the same certificate that the calling web site runs on.
Since we are talking sharing a certificate key file with 3rd party, I wanted to double check this. If my secure site runs at domain first.com, and the websocket server at IP address a.b.c.d, what kind of certificate should be installed on the websocket server to enable the communication? On one hand, that would be a kind of cross-site scripting, but perhaps the browser security model allows it, assuming the user knows what they want?
What I understand from above, the browser connects to your web application and is then redirected to the other server. If that be the case, then browser would complain about being redirected to unsecured site from a secured URL. The way forward actually depends on the domain of the server that the redirect is happening to, for example, if your main site has URL form www.mainsite.com and the target site has URL form abc.secondsite.com or an IP, the second server must have configured an SSL certificate that has been issued to either abc.secondsite.com of the IP i.e. the name of the host requested must match exactly with the SSL ceritficate that is provided by the secondsite.
The secondsite technically does not have to have the same certificate as your mainsite, it just have to be a certificate issued by a trusted source (like Verisign etc.).
On the other hand, if you have a wildcard subdomain certificate i.e. a certificate issues is valid for all the *.mainsite.com domains and the URL form of the secondsite is sub_domain.mainsite.com, then the same certificate can be used on both the servers.
Hope this helps.
thanks
Since we are talking sharing a certificate key file with 3rd party, I
wanted to double check this. If my secure site runs at domain
first.com, and the websocket server at IP address a.b.c.d, what kind
of certificate should be installed on the websocket server to enable
the communication? On one hand, that would be a kind of cross-site
scripting, but perhaps the browser security model allows it, assuming
the user knows what they want?
You cannot provide a certificate for an IP address. In order to use WSS:// you need to connect to a domain name, and have a valid certificate for that domain name. So you need a SSL certificate for the domain name of your WebSocket server.
As far as I know, it does not need to be the same than the one on the site. You can check by entering here: http://vtortola.github.io/ng-terminal-emulator/ and executing the command websocket wss://echo.websocket.org, you will connect to a WebSocket in websocket.org that echoes your inputs.
WebSockets are not constrained by the SOP (Same Origin Policy), you can connect anywhere, and the server is responsible of checking the HTTP request header "Origin" and accept or refuse the connection.
I am developing a Node.js app based on the Express framework. On the backend, I need to have servers talk to each other (ie. Server 1 make a request of Server 2).
Is it OK to forego a DNS A-Record and just use the IP address of the server?
In that case, how do I authenticate the server and "client" (aka server). I was thinking of requiring the server and "client" to each pass a secure cookie with their request and responses. The secure cookie would then be verified before any other action was taken.
Using a IP might be more secure then DNS (e.g. no DNS spoofing), but it still allows ARP spoofing, e.g. some other computer claims to have this IP. And in case both computers are not in the same network there are also ways to hijack requests in routers etc.
The secure cookie is nothing else as a shared secret. And contrary to public key based authentication (e.g. using certificates) shared secrets have the disadvantage that you need to distribute them in a secure way so that nobody else gets access to them.
I don't think that your idea is easier to handle than SSL with certificates, so I don't see an advantage of making your own secure protocols. History tells us, that such homegrown protocols mostly provide worse security than established solutions.
If you don't care about security (these hosts are on your network, in which you have trust), don't bother with the homebaked cookies.
If you do care about security get (or generate your own) certificate and use SSL.
I was thinking of requiring the server and "client" to each pass a secure cookie with their request and responses. The secure cookie would then be verified before any other action was taken.
This is not secure at all! Anybody situated on an appropriate network between the client and server can see that "secure cookie", as well as any subsequent communications. This would allow them to reuse that cookie themselves to impersonate either the client or server, and would expose any sensitive information sent in the exchange.
Use SSL. It has already solved all of these problems, and more.
I'm working on an app which uses NodeJS to (among other things) download some unencrypted PDF reports from the main website. Those resources are very much confidential so I need to make sure traffic is secured.
So from what I understand I need to buy and install an SSL certificate from a trusted CA and use https.request(...) in NodeJS to download the PDF files. But I have no idea how to ensure that the hosts file hasn't been tampered, or there's no on-going MITM attack, or even that the certificate is still valid, hadn't expired and is the one it has to be. How do I do this? Are there any config parameters?
Bonus if someone can please explain what prevents an attacker from buying an SSL certificate himself, host a local server with the same IP as the original site's external IP, and tamper a DNS's target to fool the user?
The idea is that you open the SSL connection, check the peer certificate, and only if it hasn't expired, is the one you expect, etc., do you proceed. Once you're happy that you're talking to who you should be talking to, SSL provides security against replays, men-in-the-middle, etc. HTTPs does a little bit of that for you by insisting that the certificate subject match the hostname you connected to. But most of it is up to you.
For an embedded device under development we have a requirement for logging in to its web without sending user credentials in clear text.
The look of the log in form should be customizable, so digest authentication is not possible. The only remaining option as we see it, is to use HTTPS with SSL.
The device is usually accessed from the local network by it's IP address, but could also be made accessible from the internet.
My question is: Is it at all possible to prevent the "Could not be certified" browser warning, when no DNS name is assigned to the locally accessed device? As I see it, a SSL certificate must be bound to a DNS name and certified at a Certificate Authority for the browser to fully accept the certificate.
I am fully aware of the fact that without a certified certification the browser can not authenticate the web server, which could lead to a "man-in-the-middle" attack.
When the device is fully configured it's only accessed very rarely, but it should be easily accessible.
HTTPS does allow for a certificate to be issued to an IP address instead of a hostname. Indeed, the HTTPS specification (RFC 2818) states "In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI."
So, if you can obtain an SSL/TLS certificate from a CA that is bound to the IP address of your device, then clients connecting to it should accept it as valid as (1) the URI used to access the device is the IP address that matches that contained within the certificate, and (2) the certificate is issued by a CA chain trusted by the client device.
If you only need to access this device using clients that you control, you can use a self-signed, bound to the IP address, certificate that you generate, but you would need to configure each client that would access it to explicitly trust that certificate since it would not be issued by a trusted CA.