WebScarab, HTTPS and github - security

Ok this is weird, I'm using WebScarab to analyse some HTTPS traffic.
Every time I trie to access an HTTPS website, I'm asked to add an security exception (which is ok and works).
The problem is, when I trie to access https://github.com there is no way to add an exception for it. So I just can't surf over github.com using WebScarab as proxy.
And idea why this is happening?
UPDATE:
I tried again using Firefox (29.0.1 just updated) on OS X (10.9.2) using webscarab (1.0 (1.0) master version) and it now works (I don't know maybe I did something wrong).
Anyway, I still have a problem with Kali Linux and Iceweasel (22.0) using webscarab (again master version). This is what I see

You are getting this warning message since Webscarab using the self signed certificate to connect the https website.
In latest version of browser FF or IE , browser restricts the option to skip for self signed certificate.
Solution:
You can try in lower version of FF or IE.

Related

Internet Explorer blocks request to https://localhost

My application runs on localhost (both front-end and back-end, but on different ports). FE runs on http, but BE is on https.
All modern browsers allow adding exception so that https://localhost is accessible.
Except IE and Edge.
I've tried every option I have came across but none worked. I've added both http and https versions of localhost to Trusted Servers under "internet options". Did not work. I've checked host file, cleared cache, checked security options ...
What baffles me is that the request should be POST, but somehow the IE network panel shows it as GET. Other browsers send OPTIONS followed by POST, but IE fires GET and blocks it. It never hits the server.
What should I do to fix this?
And yes, unfortunately I DO HAVE TO support old IE, damn!
Whoa, solved by accident.
There is also Swagger running on my BE localhost. When I've tried to access it in IE, it showed warning about the invalid certificate. And only then was I able to install that certificate to IE, so that even IE would accept it.
So now when IE finally has the certificate, the request passed.
No usefull error message has been shown at all, so it took me considerable time to solve it. Damned IE.

Detect that a Browser is on the Intranet

I've got a requirement to detect if a webpage is being served on the internet or intranet, i.e. assuming a url of https://accessibleanyway.com, is the phone connected to the work wifi or to something else like their home wifi or the phone network?
What different ways are there to do this?
(1) Use WebRTC to get the local ip address. Not widely supported
(2) Try to access a local web page using jsonp/cors/iframe
The problem with 2 is that the webpage is https and the local resource is likely to be http which you can't do in IE afaik. If I make the local resource https then it's via a self cert which means installing CAs on the phones (can you buy certificates for the intranet anymore?)
Any suggestions?
The problem with (2) was that the same page was trying to use http and https, and even with an iframe you get issues.
What you could do instead is start on a http loading page, use an iframe to access a local resource which you can only access if you are on the intranet, jsonp will work fine for this. Once that's worked or failed, redirect to your start page with some token in the querystring to indicate that you are on the intranet or not
NB jumping from http to https would probably have some security issues if you are on the same website (authentication cookies being initially visible), but I would have thought it would be fine if you are going to a different one
Obviously there'll be some security needed around the token as otherwise the user could just generate their own but that's a different matter which depends on individual setups. It would obviously have to be generated by a server call, otherwise someone could just read the client code.
NB I think the IP address approach is never going to work as you have no way of knowing what a companies intranet setup looks like until you go there, so it's not a generic answer

Webrtc video chat doesn't works in my IP?

WebRTC video chatting application runs perfectly fine in local host. but when I try to run the same code in a specific IP im not able to perform the same task,
Error : getUserMedia() no longer works on insecure origins
Any ideas on how can I fix this issue?
In the recent chrome release getUserMedia() is deprecated on insecure origins to improve browser security.
Deprecating Powerful Features on Insecure Origins.
You can disable this by opening the chrome with following flags.
You can run chrome with the --unsafely-treat-insecure-origin-as-secure="example.com" flag (replacing "example.com" with the origin you actually want to test), which will treat that origin as secure for this session. Note that you also need to include the --user-data-dir=/test/only/profile/dir to create a fresh testing profile for the flag to work.
To open chrome with above flags refer this.
If you want to make this work in production without any of this workarounds, you should buy a ssl certificate and setup HTTPS connection on your server.

SSL certificate error for IE users only

I recently migrated to a new server (CentOS with plesk 11.0) and installed a new SSL certificate for my domain.
Problem now is that any IE user has the error "there is a problem with this website's security certificate" when they try to access the secure area of my site.
I've tested all main configurations - MAC/Windows/mobile plus browsers: FF,Chrome,Safari,Opera,IE and the only combination that gives me this problem is IE on windows. IE 11 works fine, all previous versions (the majority) come up with this error.
where do I start?? I can find no problem with the installation and this is obviously denting confidence in my site.
There are some known issues with IE and Certificates. Check these threads.
1) https://superuser.com/questions/379601/internet-explorer-refuses-to-connect-to-sites-with-untrusted-ssl-certificates
2) IE8 SSL Cert Problems while other browsers work like a charm
I found a work around for this issue. It is necessary to run https proxy which will accept certificate for Internet Explorer. I use a Python HTTP/HTTPS Proxy proxpy. You should point to required certificate file in core.py DEFAULT_CERT_FILE = "./cert/ncerts/proxpy.pem". So you need to use proxy settings in Internet Explorer. It is 127.0.0.1:8080 for ProxyPy by default.

Neo4j running behind proxy on IIS

What's required to setup Neo4j behind IIS proxy server?
I am running into the issue listed here: https://github.com/neo4j/neo4j/issues/112
Error message (Chrome console):
displayed insecure content from =1363713541737">http://xyz:7474/db/data/?=1363713541737
xyz is the server name.
Thanks
Considering the GitHub issue is still open, you can assume that this is not currently supported and no workaround has been supplied by Neo.
If you want to persist ahead, you will need to rewrite the content passing through the proxy.

Resources