[Interest] wss:// on localhost
Thiago Macieira
thiago.macieira at intel.com
Sun Aug 2 19:24:10 CEST 2020
On Friday, 31 July 2020 23:53:08 PDT Alexander Carôt wrote:
> Eventually we figured the ideal solution:
>
> We ordered a certificate for a sub-domain of our main domain and made the
> DNS point to localhost.
>
> This way we can address our localhost connection via
>
> localhost.ourDomain.net
>
> This works perfectly without any user interaction - thanks a lot to all of
> you for your inspiration !
>
> Of course now I have to deal with the tiny details which I will raise in
> another email in a bit :-)
I don't think this is a good idea. You might be violating the terms of service
of your certificate provider by doing that. Please check with them.

I can see a big attack vector with the information you provided. Since this
certificate's private key is distributed with your application, anyone who has
this application can extract the private key and create a web service
impersonating this domain name. If they can compromise DNS at any level
leading to the user (your server, the user's ISP or locally on their machine),
they can redirect traffic to this domain to their servers on the Internet. And
since the certificate is trusted by the browsers, they wouldn't be able to
tell something was wrong.

So PLEASE reanalyse your solution. You MUST NOT ship the private key with your
application. That key must be generated on the user's machine.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel DPG Cloud Engineering
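
The recommendation in the reply above (generate the key on the user's machine instead of shipping it) could look like the following first-run step. This is an added example, not code from the thread or from Qt; it assumes the OpenSSL CLI (1.1.1 or newer) is installed, and the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: create a per-install key and self-signed localhost certificate.
# Assumes the OpenSSL CLI (1.1.1 or newer, for -addext) is on PATH.
# gen_local_tls, local_tls_fingerprint and the file names are hypothetical.

gen_local_tls() {
    dir=$1
    key="$dir/localhost.key"
    crt="$dir/localhost.crt"

    # Reuse an existing pair so the key is created once per installation.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0
    fi

    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1

    # umask 077 in a subshell: the key file is never readable by other users,
    # not even briefly between creation and a later chmod.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$key" -out "$crt" \
            -days 365 -subj "/CN=localhost" \
            -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
            2>/dev/null
    ) || { rm -f "$key" "$crt"; return 1; }
}

# Print the SHA-256 fingerprint of the certificate, which differs per install.
local_tls_fingerprint() {
    openssl x509 -in "$1/localhost.crt" -noout -fingerprint -sha256
}
```

Because every installation ends up with a different key, extracting it from one machine gives no ability to impersonate the service on another. Browsers will not trust this certificate until the local machine is configured to trust it; that step is outside this sketch.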