[Interest] wss:// on localhost
Alexander Carôt
alexander_carot at gmx.net
Sun Aug 2 20:12:41 CEST 2020
> I don't think this is a good idea. You might be violating the terms of service
> of your certificate provider by doing that. Please check with them.
In fact I already did - nobody has a concern about it. This traffic is completely running on localhost - so nobody apart from the user itself is affected. This approach simply shall satisfy the browser to launch the localhost websocket.
Best
Alex
--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797
> Sent: Sunday, 02 August 2020 at 19:24
> From: "Thiago Macieira" <thiago.macieira at intel.com>
> To: interest at qt-project.org
> Subject: Re: [Interest] wss:// on localhost
>
> On Friday, 31 July 2020 23:53:08 PDT Alexander Carôt wrote:
> > Eventually we figured the ideal solution:
> >
> > We ordered a certificate for a sub-domain of our main domain and made the
> > DNS point to localhost.
> >
> > This way we can address our localhost connection via
> >
> > localhost.ourDomain.net
> >
> > This works perfectly without any user interaction - thanks a lot to all of
> > you for your inspiration!
> >
> > Of course now I have to deal with the tiny details which I will raise in
> > another email in a bit :-)
>
> I don't think this is a good idea. You might be violating the terms of service
> of your certificate provider by doing that. Please check with them.
>
> I can see a big attack vector with the information you provided. Since this
> certificate's private key is distributed with your application, anyone who has
> this application can extract the private key and create a web service
> impersonating this domain name. If they can compromise DNS at any level
> leading to the user (your server, the user's ISP or locally on their machine),
> they can redirect traffic to this domain to their servers on the Internet. And
> since the certificate is trusted by the browsers, they wouldn't be able to
> tell something was wrong.
>
> So PLEASE reanalyse your solution. You MUST NOT ship the private key with your
> application. That key must be generated on the user's machine.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel DPG Cloud Engineering
>
>
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>
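An added example, not part of the thread or of the poster's application: a release-gate check, in Python, for the rule quoted above that the private key must not ship with the application. The directory layout, file names and key bodies are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# PEM armor of private keys: PKCS#1 (RSA), SEC1 (EC), DSA, OpenSSH,
# and PKCS#8 in both plain and encrypted form.
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)

def find_shipped_private_keys(bundle_dir):
    """Return sorted relative paths of files under bundle_dir that contain a PEM private key."""
    root = Path(bundle_dir)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and PRIVATE_KEY_MARKER.search(path.read_bytes()):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def release_gate(bundle_dir):
    """Return 0 if the bundle is clean, 1 if a private key would ship with it."""
    hits = find_shipped_private_keys(bundle_dir)
    for hit in hits:
        print(f"private key in release bundle: {hit}")
    return 1 if hits else 0

def build_sample_bundle(root):
    """Constructed sample install tree; the key bodies are placeholders, not real keys."""
    root = Path(root)
    (root / "certs").mkdir(parents=True)
    (root / "bin").mkdir()
    (root / "certs" / "localhost.crt").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (root / "certs" / "localhost.key").write_bytes(
        b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    # A key compiled into a binary resource is still visible as PEM text.
    (root / "bin" / "app.rcc").write_bytes(
        b"\x00\x01resource-data\x00-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        status = release_gate(build_sample_bundle(tmp))
        print("gate status:", status)
```

The check only recognises PEM-armored keys; DER, PKCS#12 or otherwise encoded key material in the bundle is not detected by it.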