I'm running a web app where users can request a map with their position through gps. In order to do that browsers like Chrome and Safari require an HTTPS protocol, not just http, otherwise call to JS function "getCurrentPosition" will fail. (but on Firefox, for example, it's working)
First question: are there any other possibilities to get user location (through gps, not just by ip)?
If not, the only way (I think) is to switch to https.
Now, app is running on a cheap shared hosting (and I can't do anything about that right now), the only thing that I can do is purchase an SSL certificate in order to enable https protocol.
Second question: hosting offers both ssl certificate with dedicated ip and without dedicated ip. Which is the difference? Well, I know what's a dedicated ip, but for my needs (website + this small app) which advantage could I have from a dedicated ip?
Third question: if I choose a certificate from another CA then I need root access to server in order to install it, is it right?
Last one: some hostings offer SSL with identity verification and without it, how theese last work? I mean, https should't guarrantee encrypted connections with a verified website?
If you have any links please post them, most of resources that I found are too old and they don't talk about acquiring gps data with JS.
Thanks a lot!
EDIT: just for completion: this page is about this deprecated js call for non-secure site. Are there other possibilites to get same result?
First question: are there any other possibilities to get user location
(through gps, not just by ip)?
You can track users’ real time location by using Google Maps APIs, I hope below links will help you.
Using Google Map Tracks API
https://developers.google.com/maps/
Second question: hosting offers both ssl certificate with dedicated ip
and without dedicated ip. Which is the difference? Well, I know what's
a dedicated ip, but for my needs (website + this small app) which
advantage could I have from a dedicated ip?
In the past, SSL requires dedicated IP to secure web applications. But in the mean time, SSL doesn’t require dedicated IP due to SNI technology. If your website hosted on shared IP address, then SNI permits a server to implement multiple certificates on a single IP address.
There are plenty of advantages using a dedicated IP instead of shared IP - read this article
Third question: if I choose a certificate from another CA then I need
root access to server in order to install it, is it right?
Whether you continue with current provider or new one, you don’t need root access of server in order install an SSL certificate.
Last one: some hostings offer SSL with identity verification and
without it, how theese last work? I mean, https should't guarrantee
encrypted connections with a verified website?
All SSL certificates are come with industry standard 256 bit encryption and ensures about encrypted connections. There is varying upon their validation process as below.
Domain Validation Certificates - CA will follow automated validation process and confirm only your control over the domain. You will get this certificate in just minutes.
Business Validation Certificates - CA will check your business existence by verifying official documentations. CA will take 2 to 3 business days to issue your certificate.
Extended Validation Certificates - CA will follow strict validation process and validate legal, physical and operational identity of business. EV SSL will enable most visible sign “the company name in the green address bar”, it will increase trust of your website visitors.
I hope this will helpful for you!
Related
In browsers, is it possible to request javascript for a web-client over https, but have said client connect with a websocket to an IP either:
without ssl
with a self-signed certificate (without previously adding the certificate to the browser)
From what i read, it simply isn't. Mixed content is forbidden, and self-signed certs are not accepted, unless the user goes through a weird and dangerous looking menu, to manually accept the certificate in the browser. It's not like the typical user has the qualification to check a certificate anyways.
This would directly imply, that for this case, encryption cannot be used at all, sadly.
Isn't there something i overlooked? If the websocket connection wasn't over ssl, the client could even just encrypt itself, inside a non-ssl connection. The server it's connecting to won't have a certificate from a CA, it typically won't even have a domain.
Edit: some background
The desired situation is as follows:
a user enters a website, and gets served a client via a secure connection (this is from a static domain, so having a certificate from a CA is no problem here. However, using https apparently disallows non-ssl-connections from that site, and the client accordingly).
the client then opens a websocket connection to a server IP, which may arbitrarily vary (can even be multiple servers at the same time), and typically has no domain. For this, i can only come up with a few scenarios:
no ssl (forbidden, mixed content)
self-signed certificate, preferably the client would get the public key from the main domain, and have that pinned (self-signed produces warnings, and users can't really be required to manually install certificates just for this)
Some CA offers free and automated certificates for IPs, which we can depend on, and just generate new certificates whenever necessary, without any human action needed (i didn't consider this before, because i simply didn't think any CA would offer such a thing. Maybe there is, but so far, i've not encountered any)
I have an app running on a server where I access using the servers ip. But now I need to have a subdomain configured in order to make an external API work but I have no clue of how achieve it.
Now I access to my server using IP -> XX.XXX.XXX.XXX:3000
And I need to change it for something like -> myapp.companyname.com
You don’t, because the Internet doesn’t work that way.
You create the subdomain by configuring the DNS server for the domain to point that subdomain at the IP address.
If you want to change the port number (from the default of 80 to 3000) without putting it in the URL itself, then you need to change the Node.js program or put a proxy server in front of it.
This is indeed a notorious problem with distributed web development. Presumably your API requires you to register your own hostname in some sort of allow-list, and then checks incoming requests for matches to that allow-list. (Why? Cybercreeps.)
You need to find out the IP address of your development machine (not 127.0.0.1, that's the loopback IP and every machine has it). It's OK if your development machine's address is on a private network, like '192.168.0.20for example. Give the commandifconfigand look for the address (it'sipconfig` on Windows).
You then need to put that IP address into a DNS server.
Here's a free way to do that.
Create a FreeDNS account by visiting https://freedns.afraid.org/
Click on Subdomains.
Click the Add link.
Create a subdomain hostname under one of FreeDNS's public domains. Maybe javier.ortega.mooo.com is a good choice
Put your machine's IP address into it.
Then, use https://javier.ortega.mooo.com:3000 to hit your development machine's nodejs app.
You can pay FreeDNS to register your own domain name and use that if you prefer.
The solution I needed was modifying the file hosts from -> system32/divers/etc/hosts and adding there the configuration relative to the ip - domain relation I was lookin for.
We are running an intranet application which uses a self-signed ssl cert.
The customer does trust our CA.
We are using this way since several years.
On some PCs our CA was not imported and the user does get the warning from the browser everyday.
Unfortunately the users do not tell us this, they just say "accept cert" again and again.
Is there a way to detect the trust of the page?
We are running the web application and would like to get a note, if a browser does accept the cert manually. Then we can get in touch with the admin of the PC and send him a hint that a PC does not trust our CA yet.
Maybe it is possible to detect this way JavaScript?
This is good:
We want to get a note if it looks like this:
Update I am not responsible for the client PC. I do not have access to them to install or manage certs.
This is possible, however browser support is not very high at the moment.
If you can live with not supporting anything but chromium based browsers and firefox (these do make up the majority of user agents), you can use
window.isSecureContext
to find out, if the browser trusts your cert.
So in order to log every time someone does not trust your cert you could do:
if (!window.isSecureContext){
//do ajax call
}
The information is not exposed through Javascript (reference Is there a way to get SSL certificate details using JavaScript?).
Depending on the situation, you can:
1) Use a group policy to deploy your CA to all PC's
2) Use other management software to deploy the CA
3) Use an actual trusted certificate authority (by either purchasing a certificate or using Let's Encrypt)
This an non-exhaustive list, so if you have more information about your environment, I can possible give other options.
Please excuse any ignorance on my part, I am very new to SSL and Javascript, so what I am asking may be obvious. I have tried to Google but can't seem to find the answer to my question.
Background
Basically, I have a website, with a subdomain that holds a rental car booking engine in an iframe, which is called from an external location using Javascript. We recently moved to SSL and now the booking engine does not display as it is deemed unsecure by web browsers.
I contacted the company that manages the booking engine and they advised that I needed an SSL for the subdomain, which they can load at their end as well (I bought a single domain, not a wildcard, my mistake), and I needed to purchase a static IP on their server. They sent me a quote for €130 per year for and a static IP.
My very limited knowledge of SSL seems to suggest that a static IP is not required, however I am probably wrong about this.
Question
Do I need the static IP for the SSL to work, or will the wildcard SSL resolve the issue?
I understand that the SSL for the subdomain is required, I just can't find an answer for the static IP.
Basically, I don't fully trust the company as they have tried to add unnecessary charges to invoices in the past.
Thanks in advance
Yes, you have to add SSL certificate to your subdomain to make browsers detect its safe, since the calls will be made to a non SSL domain from a SSL certified domain. I would suggest you to take a look at Lets Encrypt which provides free ssl and you can add as much sub domains as you want. I am using it for one of my projects and have added more than 5 ssl certifactes for subdomains.
First time working with SSL client authentication. The way it works with node.js while mixing with a certificate issued by a third-party CA (in this case it is StartSSL) is confusing me.
On production servers I'm using nginx as load balancer to different node.js instances. Since this is how I had done it before, nginx is handling all the HTTPS work and then passing a plain http request to a node instance. Since it has been deciding to always enforce SSL (for all kind of requests, using HSTS and using simple redirects), I'm considering the possibility to moving into having nginx doing only the balancing and letting the nodejs instances take care of the rest.
So, what I ignore is how to handle this with Node.js?
I found this blog post http://www.gettingcirrius.com/2012/06/securing-nodejs-and-express-with-ssl.html and this other http://blog.nategood.com/nodejs-ssl-client-cert-auth-api-rest
What I don't understand is how to handle both SSL authentications simultaneously. I hope I'm making some sense.
The idea is to generate a certificate for each user which has a CN that I match to a user, then ask for a password that, after bcrypted, should match what is on the database. While, at the same time, using the verification level 3 certificate that works with the CA to improve our users' safety.