We currently have a web browser application that runs only under Internet explorer that we are trying to make cross browser. The main reason for using IE is that we can access the hardware information from an ActiveX control. We would like to get away from this methodology for obvious reasons.
If we forget about the way things are currently being done and go back to the security requirements and look for other ways to accomplish the same thing. The user of the application must be on a known computer that must be in a secure location. I am at a loss on how to do this.
We currently use Protect/unprotect to encrypt the data we need and guarantee that the file can only be decrypted on the same machine. This keeps the user from finding the file and copying it to another machine and running. The file is put on the computer by a separate installation process that can only be run by authorized personnel.
So how do I get a machine specific key of some type that allows me to identify the computer with no chance of being replicated to another computer?
====================================
We are trying to do exactly what the web is trying to keep us from doing, so this may not be doable without specific browser extensions, such as a ActiveXControl.
The USB response is interesting but it does not guarantee location. We do use USB devices for terminals that require 2 factor authentication.
The other possibility is a user or machine certificate installed in the computer. The problem I see with that is the certificate can be exported. We had tried this years ago and the operational overhead was too high.
Related
In an HTML5 web app, I'm building a feature that relies on client-to-client communication (with pusher). It's made of PHP on the server-side and Javascript with Vue on the client side.
The typical scenario is: a window popup is opened, and from there it communicates directly with some other windows opened into any another browser on the same computer. Let's say you have 2 browsers installed, you open the web app popup with Firefox and it communicates with its web app sister page you did open previously into Chrome.
The only (half-)way we have found so far is to use the public IP address to build a private channel named with the IP address… It's basic and efficient.
However, if there is more than 1 computer connected to the same router, all of them will share the same public IP, and that's where things become difficult!
A solution could be to add the computer's local IP to the channel name (that was already built with the public IP), but despite a few nice workarounds I found to get this info from an initiated RTC Connection, this looks quite unreliable and often goes against browsers privacy rules…
Obviously, I cannot use session information with PHP on the server-side, nor cookies / local storage on the client-side, as all those solutions are tightly coupled with the browser itself (thank God Chrome won't share its cookies with Firefox on your computer). Those solutions would be perfect (and no need for a pusher) if we were using 1 single browser, but we need to handle multiple browsers on the same machine.
That's where I'm wondering if anyone would have already dealt with this design challenge and shared some tips, it would be awesome! Thanks for reading so far!
You can check the user agent of the browser.
You can check a combination of the request headers coming from different browsers.
You can explicitly throw and catch an error in the user's browser and send it in the request header/body to determine what browser they're using.
You can do canvas drawings to see the user's GPU/CPU information (since you're already using html5 that's a bonus).
You can directly use webgl to do the same with perhaps different metrics (since canvas uses webgl anyways).
You can check their typing speed or even build up a profile of their vocabulary and use of language.
If you ask for permissions you can see all of their connected media devices like headphones, even just asking for audio permissions will show you all of them.
You can benchmark their CPU with things like the time it takes to find primes or encrypt a key.
You can use audio fingerprinting, which is almost as unique as your voice, since each browser and CPU architecture slightly differ in the digital pattern and oscillations created from audio, which can be captured.
You can check their window size and screen size and screen resolution.
There's probably even more I didn't think of now, you can also use any of them in combination to fingerprint a device.
For more information research browser sniffing and digital fingerprinting. What's more is that you can uniquely identify the user across their own browsers on the same computer and also different users from different devices using a combination of browser sniffing/digital fingerprinting.
In your specific case you can't use all the browser sniffing techniques but you can still use some of them, like the user agent since it will still give you the user device information even if they're using a different browser.
The idea with digital fingerprinting is that you want to build up a probability high enough that you can be fairly certain it's the same user, you can't ever be truly sure, but sure enough. Something like screen size doesn't mean much by itself, there's millions of devices using i.e. a size 1600 screen, however consider the following hypothetical example:
User's device has screen size of 1600, that's i.e. ~1/8 users.
User's device took 20ms to encrypt a 4096 key, that's i.e. ~1/8 users.
User's device took 40ms to draw a canvas image, that's i.e. 1/8 users.
Now you already have a 8 * 8 * 8 = 1/512 probability of knowing what user it is and that value goes up way higher very quickly, based on 3 fundamentally unidentifiable things.
However it should be noted that using any browser sniffing or digital finger printing techniques like above fall under privacy regulations (at least in some countries). A lot of things like the user agent is being deprecated and if you do things like this on a site you'll get into trouble with things like GDPR. I believe you can get around that if you explicitly ask the user for their permission and let them know that i.e. their browser is being fingerprinted. However you have to be careful because doing this can get you in trouble if it's malicious, doing things like this without a user's knowledge is unethical.
I have a website and I need to know which device is used by my users.
Is there a way to know which device is used by a user on a website?
I know some website like webkay.robinlinus can demonstrate all a browser knows about a user.
The best will be to have the device (iPhone/Android) and the type of iPhone (8/XR,etc..) would be perfect.
Thank you for your advices
Is there a way to know which device is used by a user on a website?
No, there is not - this is by-design and is to protect the privacy of web users.
What you can do is use long-life'd cookies or use localStorage to track users on your own sites (origins) - though you'll need to ensure you comply with relevant privacy laws in your jurisdiction.
For web-applications accessed from a desktop browser, you can ask your users to manually download and install software that would run a broker-process or other helper utility that runs a webserver on localhost which your web-application could communicate with to identify the client - but be very careful as this may introduce security and privacy risks and vulnerabilities. This approach is used by Dell to allow their website to read your computer's Service-Tag through the web-browser, and by some of Microsoft's support websites as well. But I stress the importance of exercising extreme caution when implementing this because you don't want other websites or applications using your client-side program.
var x = "User-agent header sent: " + navigator.userAgent;
Send navigator.userAgent in the head tag
This saves the device and browser of the user
For More Reference Check W3schools
https://www.w3schools.com/jsref/prop_nav_useragent.asp
I've developed interactive content for a client ( VR Objects ) using javascript and Flash (if needed) that they now want to distribute to prospective customers via a flash drive. That makes it local content causing security issues especially with IE. Actually there doesn't seem to be much problem with any browser except IE. True, IE displays the "allow blocked content" button but they fear that is too complicated or scary. And on IE11 in Win 8.1 it still may not work.
The development environment I use has a way around that for testing using an "embedded web server" although all that seems to do is produce a localhost address such as http://localhost:60331/wyj-01xn/output/surfacide_flash.html. Paste that in the URL bar of any browser on the same machine and you are good. Try it on another machine and no go. So I gather the port address and whatever the /wyj-01xn/ is about are machine specific. Another possible problem -- it may not work easily with IE11 on Win8.1, but I don't personally have that setup to test.
QUESTION: Is there a way I can produce this same functionality for my client, distributed along with the content on the flash drive, without the need to install some special software (local web server) on each client computer??? The current workaround is to tell customers they should us any browser except IE. Client isn't happy.
You could distribute your webpages along with a portable Nginx server, or wrapped inside a Node-webkit or AppJS package.
I am building a Time clock application for my employer to use with his employees. One of the requirements is to have it take a photo from a webcam every time a user clocks in and out of the system.
Thankfully this is possible using HTML5 and JavaScript and no longer requires Flash or Silverlight.
The problem however, is in this image below....
Since this application will be used on 1 PC and accessed by a large number of users everyday, this is a real problem for my application.
I hope there is a way to permanently authorize permission to use the camera for certain pages maybe or another alternative?
If your app is running from SSL (https://), this permission will be
persistent. That is, users won't have to grant/deny access every time.
http://www.html5rocks.com/en/tutorials/getusermedia/intro/#toc-security
Note, this only applies in Chrome. Each browser may implement the security prompts differently.
I would like to read the browser's "localstorage" when the browser is off using the OS !
I want to save client data in localstorage and then switch off the browser and the internet and then let an OS program (a windows exe) access and analyse that data and then write new data into that localstorage area so that when the browser restars the new data is in localstorage.
This should be possible because my OS (i.e. windows) can read can delete cookies from the browser "files" ... so presumably once i know the format of the localstorage "file" then the OS is boss of all of its files and so it should be able to alter them !
So: how do i read and write to JavaScript/HTML5/DOM "localstorage" using "client side .exe programs" ?
FAILING THAT: is there any other way that the OS can pass simple data into (and out of) the browser ?
Obviously all of this has both huge potential POWER and huge potential DANGER !
The browser can only become the "virtual OS of the future" if the real OS can interact safely with it !!
Thank You.
Of course an app running locally with the appropriate permissions can access any file on disk. However, the real question is what to do with that file once it's open?
Consider the following:
Each browser (Chrome, Firefox, IE, Opera) is likely to store localstorage data in its own proprietary format. You'd have to reverse engineer those formats.
Since those formats are an implementation detail (not a documented API), they are liable to change. This will break your app and/or corrupt user data.
What happens if you modify those data files while the browser is open (even if the page in question isn't open)? The browsers don't expect their data files to change out from underneath them, so it's likely you'd see strange behavior.
All of this is to say that this is a very bad idea. You're messing with the internals of someone else's application; that's a big no-no.
Have you considered an alternative approach? When I was faced with a similar problem, I simply implemented a very simple HTTP server in my app that was bound to a specific port on 127.0.0.1.
With XHR and the appropriate CORS headers, your browser-based application can communicate with your desktop app in a safe manner.
Here are some other ways:
Embed a web browser control in your application. The web browser control can readily peek into the page, and the page can readily peek into the local storage. The web browser control refers chiefly to Internet Explorer.
You can pass parameters from the web page into an initiated executable (even a batch file) by manipulating the name of the executable. (Use application/bat as Content-Type to invite the OS to run your program when the user downloads it.)
A ClickOnce program initiated from the browser can readily receive data from the webpage.
You can use automation in your program (AutoIt, AutoHotKey) to copy/paste to an from a field on your web page. You can find the window by title as you control the title on the web page side. You can even automate opening a browser, navigating it to a page that dumps the local storage into a text field, and focuses the field.
ActiveX controls (good luck)
I can't speak for similar tricks for OS X or Linux.