[Interest] wss:// on localhost
Thiago Macieira
thiago.macieira at intel.com
Mon Aug 3 19:49:55 CEST 2020
On Sunday, 2 August 2020 16:09:32 PDT Hamish Moffatt wrote:
> On 3/8/20 9:05 am, Alexander Carôt wrote:
> >> I repeat: whatever you do, don't ship a private key.
> >
> > All right - will consider alternative ideas.
>
> Consider generating your own root CA certificate and asking your users
> to install that in their browser. Then sign the site certificate (for a
> non-existent, non-registerable domain) with that.

Sorry, I might be missing some critical piece of information: is it a browser
that is connecting to your websocket service? I thought it was a web view,
whose CA list you could control.

If you can't programmatically control the CA list of the WS client, then I
don't see a secure solution. Doing what Hamish just suggested is not a good
idea either, as becoming a CA has huge implications. If you get hacked, then
your clients can get hacked too. And you become a target of hacks because your
clients are installing your root CA.

My suggestion of generating on each client works only so long as you control
both sides of the websocket connection (client and server).
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel DPG Cloud Engineering
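
An illustration of the per-client generation approach discussed in this message, added here and not part of the original post or of Qt: each install creates its own key and self-signed localhost certificate, and the WebSocket client is given that one certificate as its only trust anchor. Function names and paths are hypothetical; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: per-install TLS identity for a localhost wss:// service.
# No key is shipped with the application and no root CA is installed
# into the user's browser or system store.

# Generate a fresh EC key and self-signed certificate in directory $1.
gen_local_identity() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 keeps the private key unreadable by other local users.
    ( umask 077
      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
          -nodes -keyout "$dir/key.pem" -out "$dir/cert.pem" \
          -days 365 -subj "/CN=localhost" \
          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null )
}

# SHA-256 fingerprint of the certificate in directory $1; a client that
# cannot load a custom CA list can compare against this value instead.
cert_fingerprint() {
    openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate in $2 verifies against the single
# trust anchor in $1. -no-CApath keeps the system store out of the check.
trusts() {
    openssl verify -no-CApath -CAfile "$1/cert.pem" "$2/cert.pem" \
        >/dev/null 2>&1
}

# Demo with two constructed installs in a scratch directory.
work=$(mktemp -d)
gen_local_identity "$work/install_a"
gen_local_identity "$work/install_b"
echo "install A pin: $(cert_fingerprint "$work/install_a")"
trusts "$work/install_a" "$work/install_a" && echo "A accepts its own server cert"
trusts "$work/install_a" "$work/install_b" || echo "A rejects install B's cert"
```

Because every install has a different key, extracting one from a single machine gives nothing that other installs trust, which is the property a shipped key or a shared root CA cannot provide.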