I am building an application that can receive requests from a website to perform functionality not available in a browser. I accomplished this using a Tcplistener and then call in to it by performing ajax calls with jquery using jsonp. This is fine and works well, the problem now however is that the website also has to be able to use HTTPS, this results in a warning when making ajax calls that are not encrypted which is not desirable.
Is it possible to use https to make calls to my application without having a certificate registered on the users pc, as my application is I guess the server.
I hope that makes sense and I am not being stupid.
Many Thanks
This answer is for C# .NET
For HTTPS calls, the example is provided on MSDN using TCP Listner and TCP Client.
https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?redirectedfrom=MSDN&view=netframework-4.7.2#Anchor_5
When doing sslStream.AuthenticateAsServer(serverCertificate, ..) you should load a PFX file along with password, instead of CER file, then it will not require registration on client machine.
Related
I want to create an architecture as below
Web browser sends an http request. Web server accepts it and returns response to the another port to client machine. Windows service setted up at client machine will accept this reponse and process it.
I want to realize the project via Java applet. But Chrome doesn't support NPAPI. And Firefox also will terminate the support till the end of 2016. Therefore I decided to solve my problem by above way.
How can I realize it?
We are using a program that runs on the client machine to control its devices (scanner, printer, etc).
On the server side, a .net website generates javascript to call methods of that program using cross-domain.
A schema will explain it better, the command request and response is in red:
Problem comes when we talk about security, any website (which does not belong to us) could use cross-domain to call our program and possibily execute anything.
I have no idea how to make it secure, we would like to make sure the command has been initiated by our servers.
Is there any already existing pattern for this kind of security behaviour ?
If not, any suggestion is welcome.
When the client browser connects it can get a token(SSL?) from the company lan, which could be passed to the executable. executable then sends token to company lan for verification.
I wanted to know what is the best way to write an agent on Win platform that will be able to monitor browser's communication.
scenario: monitor the user access to predefined url on Chrome, FireFox and IE. On each hit I send the stats to a server with some data (page title).
The ways I found so far are proxy and browser addons. Each has it's own advantages and disadvantages. The main disadvantage of the proxy way is handling of HTTPS communication. The addon disadvantage is the installation (need to install on every browser) and cross-browser support.
Is there another way? some service I can write with .net that will automatically hook on a browser when it is started?
Thanks you.
You do have only two choices - an http proxy, or to write a plugin for every browser. That plugin could just forward data via network to a central service, leaving you with the challenge of coming up with a common set of data that all browsers can provide, plus learning all the plugin models.
In my opinion, though, the only real option is an HTTP(s) proxy because otherwise you have to keep updating your plugins every time browsers change, or deal with the fact that new browsers can come along and be used.
Certainly you won't find a 'user is browsing a url in some browser' event in the OS - all it knows is that a socket connection has been opened on some local port to a remote server's port 80/443 (or whatever).
So I strongly suggest building on top of the excellent work that's behind Fiddler and use the Fiddler Core.
http://www.telerik.com/fiddler/fiddlercore
For https you have to decrypt and re-encrypt with a different certificate. The information that you need is just not available without actually unpacking the request. Fiddler achieves this by opening it's own SSL tunnel to the target server on the client's behalf, whilst acting as an SSL server to the client under a different certificate. So long as the certificate that it uses is fully trusted by the client, no problems occur.
That said, it means that the user cannot personally verify the identify of the target site - therefore your system would have to assume worst case scenario for any invalid SSL certificates and block the connection.
BACKGROUND INFORMATION: PROGRAM WRITTEN IN C#
I'm working on a program right now that connects through a SOCKS5 proxy (coded from scratch. works well enough.), but I'd also like to (through that proxy) communicate to a DESTINATION through SSL.
I've done some research, googled many a time, and have come to the conclusion that SslStream won't be ideal for my situation. I NEED to first authenticate with the SSL through the proxy, and THEN start sending encrypted packets, once I receive the key.
QUESTIONS:
How can I encrypt my packets with TLS in C#? For some reason I can't at all figure it out. I'm stuck! :(
What is the raw syntax required to even REQUEST said SSL certificate?
You might want to have a look at the TLS implementation in the open source Bouncy Castle cryptography library. If it won't work as-is, you can hack it into doing what you need. If you want to deep-dive the specification itself, you'll find it as IETF RFC 5246.
As you've probably discovered, though, doing any portion of the connection setup work yourself leaves you with no way to use the WebRequest family of classes to handle the HTTP portion of the protocol work. That leaves you with two options I can see: do the HTTP yourself as well (I found a trivial example HTTP client floating around the net), or change the current user proxy server settings
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="socks=socks.example.net:1080"
then send the request normally using the WebRequest classes.
I'd like to offer you SSLBlackbox package of our SecureBlackbox product. Among numerous other components it has a simple SSL client component that is socket-based, can connect via different proxies (SOCKS, HTTPS CONNECT) and supports all features of SSL/TLS up to TLS 1.2. If you need more control, you can use any custom socket, and not just built-in socket support. This lets you use the components for securing traffic that goes not via sockets at all (pigeon mail can be secured this way as well).
An HTTPS client is available and included into SSLBlackbox as well.
I have a standard web server that serve web pages.
I want to monitor traffic on port 80, intercept every http responses, and add/inject an additionnal header to them.
The process will then act like a proxy between the web server and the client.
Could you please give me some pointers? I'm already aware of SharpPCap, but I'm not sure where to start.
Note: I can't rely on the web server, I can't control it or change it's configuration. However I can install any other process on the same machine.
Thanks a million
I think that SharpPCap is an overkill here.
Try:
listen on a port (say 8080)
for each incoming connection, accept and open one to the server (original one, port 80)
pass everything that comes in from the client straight to the server
pass everything that comes from the server back to the client, monitoring the stream and injecting/modifying if needed
I think what you want to do can be done with IIS 7.0 URL Rewrite module instead of rolling your own code.
http://learn.iis.net/page.aspx/711/modifying-http-response-headers/