[Interest] wss:// on localhost
Alexander Carôt
alexander_carot at gmx.net
Sun Aug 2 20:43:42 CEST 2020
P.S.: Also I don't see a way to get access to the key - it is compiled into the binary and on top of it it's triple-secured/encypted. This is what we made sure of course. We had lot of talks with several security experts and the common opinion was "well - it's all localhost traffic which per se is secure. So here we basically have to make sure that the browser is not complaining".
--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797
> Gesendet: Sonntag, 02. August 2020 um 20:12 Uhr
> Von: "Alexander Carôt" <alexander_carot at gmx.net>
> An: "Thiago Macieira" <thiago.macieira at intel.com>
> Cc: interest at qt-project.org
> Betreff: Re: [Interest] wss:// on localhost
>
> > I don't think this is a good idea. You might be violating the terms of service
> > of your certificate provider by doing that. Please check with them.
>
> In fact I already did - nobody has a concern about it. This traffic is completey running on localhost - so nobody apart from the user itself is affected. This approach simply shall satisfy the browser to launch the localhost websocket.
>
> Best
>
> Alex
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
> > Gesendet: Sonntag, 02. August 2020 um 19:24 Uhr
> > Von: "Thiago Macieira" <thiago.macieira at intel.com>
> > An: interest at qt-project.org
> > Betreff: Re: [Interest] wss:// on localhost
> >
> > On Friday, 31 July 2020 23:53:08 PDT Alexander Carôt wrote:
> > > Eventually we figured the ideal solution:
> > >
> > > We ordered a certificate for a sub-domain of our main domain and made the
> > > DNS point to localhost.
> > >
> > > This way we can address our localhost connection via
> > >
> > > localhost.ourDomain.net
> > >
> > > This works perfectly without any user interaction - thanks a lot to all of
> > > you for you inspiration !
> > >
> > > Of course now I have to deal with the tiny details which I will raise in
> > > another email in a bit :-)
> >
> > I don't think this is a good idea. You might be violating the terms of service
> > of your certificate provider by doing that. Please check with them.
> >
> > I can see a big attack vector with the information you provided. Since this
> > certificate's private key is distributed with your application, anyone who has
> > this application can extract the private key and create a web service
> > impersonating this domain name. If they can compromise DNS at any level
> > leading to the user (your server, the user's ISP or locally on their machine),
> > they can redirect traffic to this domain to their servers on the Internet. And
> > since the certificate is trusted by the browsers, they wouldn't be able to
> > tell something was wrong.
> >
> > So PLEASE reanalyse your solution. You MUST NOT ship the private key with your
> > application. That key must be generated on the user's machine.
> >
> > --
> > Thiago Macieira - thiago.macieira (AT) intel.com
> > Software Architect - Intel DPG Cloud Engineering
> >
> >
> >
> > _______________________________________________
> > Interest mailing list
> > Interest at qt-project.org
> > https://lists.qt-project.org/listinfo/interest
> >
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>
More information about the Interest
mailing list