Please excuse any ignorance on my part, I am very new to SSL and Javascript, so what I am asking may be obvious. I have tried to Google but can't seem to find the answer to my question.
Background
Basically, I have a website, with a subdomain that holds a rental car booking engine in an iframe, which is called from an external location using Javascript. We recently moved to SSL and now the booking engine does not display as it is deemed unsecure by web browsers.
I contacted the company that manages the booking engine and they advised that I needed an SSL for the subdomain, which they can load at their end as well (I bought a single domain, not a wildcard, my mistake), and I needed to purchase a static IP on their server. They sent me a quote for €130 per year for and a static IP.
My very limited knowledge of SSL seems to suggest that a static IP is not required, however I am probably wrong about this.
Question
Do I need the static IP for the SSL to work, or will the wildcard SSL resolve the issue?
I understand that the SSL for the subdomain is required, I just can't find an answer for the static IP.
Basically, I don't fully trust the company as they have tried to add unnecessary charges to invoices in the past.
Thanks in advance
Yes, you have to add SSL certificate to your subdomain to make browsers detect its safe, since the calls will be made to a non SSL domain from a SSL certified domain. I would suggest you to take a look at Lets Encrypt which provides free ssl and you can add as much sub domains as you want. I am using it for one of my projects and have added more than 5 ssl certifactes for subdomains.
Related
I have searched and searched but everything I seem to find on this topic is regarding setting up a node express server to use HTTPS, and this is NOT what I am trying to achieve.
I would like to know, regardless of using HTTPS or not, is it safe (and more importantly good practice) to pass in client x.509 certificates into a post request, and then parse and use the client certificate.
If I could provide an example that may help.
I have a simple medical application where users authenticate to a node express route using username and password, also, I already have HTTPS configured and working.
However, later in the stages of using the client application, I need the user to be able to pass in their x.509 certificate, and allow data to be verified with their public key.
Now, I understand that authentication is carried out at the initial connection for https, but this is different, so I was thinking I could pass the users certificate as a json object and create/use the certificate in the express route.
At first thought this should be fine as the certificate is public, and we have already established a secure endpoint, however, I am very surprised that I am not able to find any examples or tutorials on this, so perhaps for some reason I am not aware, this is not best practice?
Any advice or guidance would be great.
Thanks in advance.
Regards
Steve
If you do not do mTLS (via HTTPS) you will need to develop a protocol to authenticate the user who presents the certificate is in-fact the private key holder. This is not trivial to get right, not doing this means you will be exposed to trivial spoofing attacks.
I'm running a web app where users can request a map with their position through gps. In order to do that browsers like Chrome and Safari require an HTTPS protocol, not just http, otherwise call to JS function "getCurrentPosition" will fail. (but on Firefox, for example, it's working)
First question: are there any other possibilities to get user location (through gps, not just by ip)?
If not, the only way (I think) is to switch to https.
Now, app is running on a cheap shared hosting (and I can't do anything about that right now), the only thing that I can do is purchase an SSL certificate in order to enable https protocol.
Second question: hosting offers both ssl certificate with dedicated ip and without dedicated ip. Which is the difference? Well, I know what's a dedicated ip, but for my needs (website + this small app) which advantage could I have from a dedicated ip?
Third question: if I choose a certificate from another CA then I need root access to server in order to install it, is it right?
Last one: some hostings offer SSL with identity verification and without it, how theese last work? I mean, https should't guarrantee encrypted connections with a verified website?
If you have any links please post them, most of resources that I found are too old and they don't talk about acquiring gps data with JS.
Thanks a lot!
EDIT: just for completion: this page is about this deprecated js call for non-secure site. Are there other possibilites to get same result?
First question: are there any other possibilities to get user location
(through gps, not just by ip)?
You can track users’ real time location by using Google Maps APIs, I hope below links will help you.
Using Google Map Tracks API
https://developers.google.com/maps/
Second question: hosting offers both ssl certificate with dedicated ip
and without dedicated ip. Which is the difference? Well, I know what's
a dedicated ip, but for my needs (website + this small app) which
advantage could I have from a dedicated ip?
In the past, SSL requires dedicated IP to secure web applications. But in the mean time, SSL doesn’t require dedicated IP due to SNI technology. If your website hosted on shared IP address, then SNI permits a server to implement multiple certificates on a single IP address.
There are plenty of advantages using a dedicated IP instead of shared IP - read this article
Third question: if I choose a certificate from another CA then I need
root access to server in order to install it, is it right?
Whether you continue with current provider or new one, you don’t need root access of server in order install an SSL certificate.
Last one: some hostings offer SSL with identity verification and
without it, how theese last work? I mean, https should't guarrantee
encrypted connections with a verified website?
All SSL certificates are come with industry standard 256 bit encryption and ensures about encrypted connections. There is varying upon their validation process as below.
Domain Validation Certificates - CA will follow automated validation process and confirm only your control over the domain. You will get this certificate in just minutes.
Business Validation Certificates - CA will check your business existence by verifying official documentations. CA will take 2 to 3 business days to issue your certificate.
Extended Validation Certificates - CA will follow strict validation process and validate legal, physical and operational identity of business. EV SSL will enable most visible sign “the company name in the green address bar”, it will increase trust of your website visitors.
I hope this will helpful for you!
So with all the new stuff like notifications and offline caching available now with the service worker api I've been looking to add it to my web app.
The only thing is I can't seem to figure out is how to deal with the the https/ssl issue.
My site allows people to host websites in an online no code environment. New sites are accessed by subdomains off the main domain. This by itself I can only see requiring a wildcard subdomain ssl cert.
The complication I'm facing is that premium sites can add their own top level domain. Which will break the service worker as far as I can tell.
All these sites only require the user to sign up once so users are shared between sites and you can also get your notifications and messages cross site.
I would like to take advantage of the notifications part of the api for mobile but I'm going to need to get around this issue first.
Any help or enlightenment on this would be much appreciated :).
As Alex Russel pointed in his article:
Service Worker scripts must be hosted at the same origin
and Service Worker can't work outside its scope. Subdomains are not the same origin, so you'll need specific worker for specific client's page.
However, I can't see a problem here - when someone will enter yourpremiumclient.com, DNS server (ex. cloudflare, which offers free HTTPS and can force HTTPS) will point to your server, where worker could install and control this domain scope. Of course, the same worker won't be able to control your default scope ex. yourclient.yourdomain.com.
Greetings all,
I would very much like to determine the IP# of a domain from client script.
It's for use in a testing application to determine whether or not a certain domain is set to a QA address as opposed to the address live on the . The testing machine will have it's host file set to resolve a domain to the QA address.
Pinging from the server won't help since the server is getting the public DNS address.
Is this possible in JavaScript? Maybe a Flash could do the trick?
Have a look at Smart IP Api. Seems to do everything you're looking for and has some simple tutorials.
Suppose:
You have a website http://www.example.com that redirects to a project on Google App Engine (i.e. example.appspot.com);
you want communications to pass between the user over SSL (i.e. https://example.appspot.com); and
You want the domain to be shown to the user to be *://www.example.com (i.e. not https://example.appspot.com).
Given that Google's Appspot HTTPS support only works for https://example.appspot.com (i.e. you cannot set up https://www.example.com with GAE), I'd like to have an Ajax solution, namely:
http://www.example.com serves HTML and Javascript over http
Ajax requests go over SSL to https://example.appspot.com
My question/concern is: How does one ensure that the users logged into http://www.example.com (by way of Google's users API) pass their authentication credentials over Ajax to https://example.appspot.com?
This seems to be a violation of the same origin policy (which may or may not be a concern for the Google Users API), so how would one know what user is logged in to example.com for the Ajax requests to example.appspot.com?
Thoughts, comments and input is quite appreciated.
Thank you.
Brian
There are ways to work around same-origin when both sites cooperate, e.g. see this post, but only trial-and-error will reveal which techniques do work for your specific requirements (it may depend on how strictly the user has set security safeguards in their browser, as well as on server-side implementations).
You can try using JSONP to get around the around that. However JSONP doesnt have very good error recovery like JSON does when doing XHR calls.
Wouldn't it be far simpler to use frames? Serve up a single full-size frameset from yourdomain.com containing content from https://yourapp.appspot.com/.
Note, though, that either solution has the problem that users see an unsecured site, not a secured one.
example.appspot.com does not share any cookies with example.com - it will be impossible for you to identify the user without making them sign-in on example.appspot.com as well.
you could, of course, completely ditch Google Authentication on example.appspot.com and implement your own scheme; you could append a signature and the username to the AJAX requests you create and verify that signature on your app-engine app. if the signature is valid, just accept the user that was passed in as the authenticated user and pretend he logged in.