Opera security and sites that resolve to both public and private IPs - security

I have a Rails 3.0.x app, which displays a page containing the Yahoo Web Player. The player plays an audio file served by the Rails app, the controller that handles the file request uses send_data to send the mp3 file:
send_data content, :filename=>dsLabel, :type=>mimeType, :disposition => 'attachment'
(*) I've also tried disposition inline
This works fine on Safari, IE, and FF. However, in Opera you click the play button and the audio never plays. Yahoo's code is minified and it's a bit difficult to tell exactly what's wrong, but I've concluded this isn't a JavaScript problem as far as I can tell.
One thing to note about the site is that when I'm locally on the same network at work, our DNS server resolves the site to a 10.x.x.x LAN IP, otherwise it resolves to a public IP.
In Opera, if I open Preferences and add the hostname under Trusted Websites->Secure Internal Hosts, then reload the page, the audio plays fine. If I change my DNS to OpenDNS it also plays fine. I seem to be hitting an Opera security policy issue that I don't fully understand.
It seems to me that although internally my host resolves to a LAN IP, once loaded Opera thinks it's a public site, and so the MP3 won't download; however, it too resolves to the LAN IP, so it doesn't seem like a public/private divergence.
I was hoping someone in the Stack Overflow community with a better understanding of Opera security could explain the policy I'm seeing enforced here.

You may have run into a "network type pinning" policy. Basically Opera will try to remember whether some site first resolved to a public or private IP.
This policy is meant to guard against an attack where a site first sends you some code, then later re-configures itself to claim its IP address is internal. Say, attack.example.com serves a page that links to attack.example.com/intranet/menu.js; later, when you re-visit, attack.example.com pretends its IP is 10.0.0.1, where your intranet is running, and your intranet also happens to reference an /intranet/menu.js file. If menu.js now runs from cache it can do whatever it wants to on the intranet site. Attack completed.
Hence, Opera may not be applying the security policy according to what IP you're currently connecting to, but according to what IP it first saw the hostname resolve to. Sorry that this is a pretty obscure piece of state, but you're in a pretty small minority when you have some hostname that might resolve either to a private or a public address ;-)
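The behaviour described in this answer can be reproduced with a small model. This is an added example, not Opera's code and not part of the original answer: the class, its method names, the hostname and the addresses are constructed, and the blocking rule (a host pinned as public may not load content from a private address) is an assumption chosen to match the three observations in the question.

```python
import ipaddress

# RFC 1918 ranges plus loopback, listed explicitly so that documentation
# addresses such as 203.0.113.0/24 count as public in this model.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def network_type(ip):
    """Return 'private' for LAN/loopback addresses, otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"


class PinningPolicy:
    """Toy model: a hostname keeps the network type it first resolved to."""

    def __init__(self, secure_internal_hosts=()):
        self.first_seen = {}  # hostname -> 'public' or 'private'
        self.secure_internal_hosts = set(secure_internal_hosts)

    def pinned_type(self, host, resolved_ip):
        if host in self.secure_internal_hosts:
            return "private"  # the user vouched for this host as internal
        # setdefault records the type only on the first sighting
        return self.first_seen.setdefault(host, network_type(resolved_ip))

    def may_fetch(self, host, resolved_ip):
        """Block content that a host pinned as public loads from a private IP."""
        pinned = self.pinned_type(host, resolved_ip)
        return not (pinned == "public" and network_type(resolved_ip) == "private")


def demo():
    host = "app.example.test"  # constructed hostname
    policy = PinningPolicy()
    results = {
        # first visit from outside the office: resolves to a public address
        "first_public": policy.may_fetch(host, "203.0.113.10"),
        # later, on the office LAN, split DNS answers with a 10.x address
        "office_lan": policy.may_fetch(host, "10.1.2.3"),
        # public resolver again (the OpenDNS case from the question)
        "public_dns": policy.may_fetch(host, "203.0.113.10"),
    }
    # listing the host as a secure internal host lifts the block on the LAN
    trusted = PinningPolicy(secure_internal_hosts=[host])
    results["trusted_lan"] = trusted.may_fetch(host, "10.1.2.3")
    return results


if __name__ == "__main__":
    print(demo())
```

The `office_lan` case is also the attack.example.com case from the answer: a name first seen as public that later claims an internal address is refused, whatever the reason for the change.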

Related

How do I add a legitimate common name to an openssl certificate

I'm running a Node.js server for my college final year project. It's running on my local machine and I'm accessing it via the machine's private IP address. The application needs to record a short snippet of audio and send it back to the server, which will then send back a result based on the content of the audio file. Because the browser needs access to the microphone, it has to be HTTPS, even though I am not dealing with any sensitive information or even opening it to the internet. I just need to show it working at a demonstration, which I can do on a local network.
After hours of trial and error I managed to modify my current application to use HTTPS using a self signed certificate as described here. I can now access the web page over HTTPS (albeit with a huge red "This page is not actually secure" warning that I have to accept first) and chrome will grant me access to the microphone. However, when I click the button that sends a post request with the audio, chrome gives me either
POST https://192.168.178.30:8443/notes net::ERR_CERT_AUTHORITY_INVALID
or
POST https://192.168.178.30:8443/notes net::ERR_CERT_COMMON_NAME_INVALID
I have installed the cert as a trusted root certificate as outlined here.
I set the common name on the cert as the IP address (192.168.178.30) but chrome still won't accept it, and I don't have a domain name (it's running locally).
So my question is: how do I either make a trustworthy OpenSSL certificate, or force chrome to ignore such errors? I have a day to get this working along with other aspects of the application so I need a quick fix. This is for the purpose of a demonstration, it is not going live to the internet.

403 Forbidden - ONLY from my computer

Problem: when I visit particular url the site goes white and the title of the tab says "403 Forbidden" and nothing else happens.
I wanted to ask the forumees here about this weird problem where I, and I solely, cannot access one particular website, until I ran right into the very same problem with yet another site just now.
Apparently the problem lies with my computer, and my computer only.
The site IS accessible by everyone except me.
I cleaned the cache, removed all sh!t files, restarted the modem and the computer a couple of times already, to no avail.
I can access those sites via my phone, I can access them from anywhere else but! my computer.
Has anyone stumbled upon such a problem?
There could be a variety of reasons behind this. Your browser, a browser extension, IP address shitlisted for some reason (usually spamming), some sort of virus that gets detected by remote antiviruses and blocks your connections, some adware or spyware that rewrites your requests...
It's also possible that if you only have problems with those two websites and especially if you did something you were not supposed to, maybe they just blocked you out.
So try using a proxy server or a VPN like strongvpn. If it works then at least you know it's got something to do with your IP address.

Detect that a Browser is on the Intranet

I've got a requirement to detect if a webpage is being served on the internet or intranet, i.e. assuming a url of https://accessibleanyway.com, is the phone connected to the work wifi or to something else like their home wifi or the phone network?
What different ways are there to do this?
(1) Use WebRTC to get the local ip address. Not widely supported
(2) Try to access a local web page using jsonp/cors/iframe
The problem with 2 is that the webpage is https and the local resource is likely to be http which you can't do in IE afaik. If I make the local resource https then it's via a self cert which means installing CAs on the phones (can you buy certificates for the intranet anymore?)
Any suggestions?
The problem with (2) was that the same page was trying to use http and https, and even with an iframe you get issues.
What you could do instead is start on an http loading page and use an iframe to access a local resource which you can only access if you are on the intranet; jsonp will work fine for this. Once that's worked or failed, redirect to your start page with some token in the querystring to indicate whether you are on the intranet or not.
NB jumping from http to https would probably have some security issues if you are on the same website (authentication cookies being initially visible), but I would have thought it would be fine if you are going to a different one.
Obviously there'll be some security needed around the token, as otherwise the user could just generate their own, but that's a different matter which depends on individual setups. It would obviously have to be generated by a server call, otherwise someone could just read the client code.
NB I think the IP address approach is never going to work, as you have no way of knowing what a company's intranet setup looks like until you go there, so it's not a generic answer.
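One way to build the server-generated token the answer above asks for, as an added example that is not part of the original answer. It assumes the intranet-only resource issues the token and the start page's server verifies it with a shared key; the function names, the key and the token layout are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Assumption: the same key is configured on the intranet-only endpoint
# (issuer) and on the public start page's server (verifier).
SECRET = b"constructed-demo-key"


def _sign(payload, key):
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(on_intranet, now=None, key=SECRET):
    """Build '<flag>.<unix time>.<HMAC>' for the redirect's query string."""
    issued = int(time.time() if now is None else now)
    payload = f"{int(bool(on_intranet))}.{issued}"
    return f"{payload}.{_sign(payload, key)}"


def verify_token(token, now=None, max_age=60, key=SECRET):
    """Return True/False for the intranet flag, or None if the token is invalid."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] not in ("0", "1"):
        return None
    try:
        issued = int(parts[1])
    except ValueError:
        return None
    expected = _sign(f"{parts[0]}.{parts[1]}", key)
    # constant-time comparison; bytes avoid errors on non-ASCII input
    if not hmac.compare_digest(parts[2].encode(), expected.encode()):
        return None
    age = (time.time() if now is None else now) - issued
    if age < 0 or age > max_age:
        return None  # expired or dated in the future
    return parts[0] == "1"
```

A token copied from the query string stays valid until `max_age` runs out, so the lifetime should be only as long as the redirect needs.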

How to prevent SSL urls from leaking info?

I was using google SSL search (https://www.google.com) with the expectation that my search would be private. However, my search for 'toasters' produced this query:
https://encrypted.google.com/search?hl=en&source=hp&q=toasters&aq=f
As you can see, my employer can still log this and see what the search was. How can I make sure that when someone searches on my site using SSL (using custom google search) their search terms aren't made visible?
The URL is sent over SSL. Of course a user can see the URL in their own browser, but it isn't visible as it transits the network. Your employer can't log it unless they are the other end of the SSL connection. If your employer creates a CA certificate and installs it in your browser, they could use a proxy to spoof Google host names, but otherwise, the traffic is secure.
HTTPS protects the entire HTTP exchange, including the URL, so the only thing someone intercepting network traffic will be able to determine is that there was communication between the browser and your site (or Google in this case). Even without the innards, that information can be useful.
Unless you have full administrative control over the systems making the queries, you should assume that anything transpiring on them can be intercepted or logged. Browsers typically store history and cache pages in files on the local disk which can be read by administrators. You also can't verify that the browser itself hasn't been recompiled with code to log sites that were visited, even in "private" mode.
Presumably your employer provides you with a PC, the software on it, the LAN connection to its own corporate network, the internet proxy and corporate firewall, maybe DNS servers, etc etc.
So you are exposed to traffic sniffing and tracing at many different levels. Even if you browse to a url over SSL/TLS, you have to assume that the contents of your http session can be recorded. Do you always check that the cert in your browser is from google and not your employer's proxy? Do you know what software sits between your browser and your network card, etc.?
However, if you had complete control over the client, then you could be sure that no-one external to your https conversation with google would be able to see the url you are requesting.
Google still knows what you're up to, but that's a private matter between your search engine and your conscience ;)
To add to what @erickson said, read this. SSL will protect the data between the connected parties. If you need to hide that link from the boss then disable the browser caching of the sites visited, i.e. disable or delete the history data.

Why a same url opens different web pages?

I am facing a strange thing when I open some URL. The URL is (www.jobserve.com).
When I open this URL from my home, it opens some web page. If I open the same URL from my office network, I get an entirely different URL, which is what I want.
Both my home and office are in the same city in India (3 km apart!), but somehow from my home network I get served an entirely different page which is not what I am trying to open. (The page opening up in the office one is the desired one. The office network has a proxy/firewall which could be shielding the IP address from the outside world!)
My question is why is it happening so, because both accesses are happening from same country/city(but different ISPs though!), so there cannot be a country/IP specific host/content served differently than the global content of the same server.
So what could be happening here?
This raised another question in my mind (when I tried to find the IP of the server using nslookup and the domain name, which returned the error "can't find www.jobserve.com/: Non-existent domain"):
How can I find the IP address of the web server using the domain name, other than with nslookup, which is not working for this particular domain/url?
I recall there were some sites which find the geographical location of a server and show it pictorially, but I am not able to recall the url for that. Does anyone know?
Thanks,
-AD.
Some sites look at the incoming IP address, lookup where it's coming from and then take various actions they think relevant to you - usually, redirecting you to a more-local site.
Of course, lots of sites react if they think they've "seen you before." For example, there may be cookies that tell them something about you. Or, they may be reacting to your browser.
Sometimes, organizations look at the source IP address and if it's coming from a business they may respond differently than if it's from a non-business ("home") IP.
And, sometimes companies intercept IP traffic and edit it in various ways. This is not normally done to web pages, but if your employer isn't happy with your watching porn at work ( -smile- ), they may do something about it! ...China is well known for doing this type of interception...
I work for a UK-based company and all my regional settings are UK based. Moreover the internet is itself from the UK, so all websites act as if I am from the UK.
Google.com goes to google.co.uk
Virgin, T-Mobile ads everywhere
Does this give any idea about why you are getting a different website in office?
For finding the IP address: don't use a slash. Just
nslookup www.jobserve.com
Alternatively, you can use a website like http://www.domaintools.com/ (there are many others, that's just the first one that comes to my mind).
