so I have been having trouble with grabbing information from a device that is interfaced with via https due to the fact that it has an invalid security certificate. I know the device is to be trusted and I don't have access to the server-side so I can't change it. I was wondering if there was any way to set up an XMLHttpRequest object in Javascript to just ignore an invalid SSL certificate and just grab the information anyway. As it is now it seems to just reject the certificate and stop. Thanks.
Well I had found this solution before but it didn't work, this was because I was still using actual XMLHttpRequest though. When creating it using this statement:
httpreq = new ActiveXObject("Msxml2.ServerXMLHTTP.3.0");
There is a method called setOption that is opened up for use:
httpreq.setOption(2, 13056);
With those parameters, the request now ignores the invalid certificate and grabs the information anyway. If I understand correctly this won't work with any non-Microsoft technology trying to run the script, but that's ok for the scope of my project.
No, there isn't. XMLHTTPRequest doesn't allow you to override that. Being able to override SSL security might make sense in your case, but if you think about it, it would be a bad idea in general. You'd never want to allow arbitrary javascript code on the internet to connect to a supposedly secure service that the js host (the browser) knows has a possible MITM issue.
I know the device is to be trusted
Yes but you don't know whether you are really connected to the device.
That is the purpose of the certificate. That's why it has to be valid.
Related
Though we can get the hostname from the javascript by using window.location.hostname but the other user can download the js and pass it as constant valid hostname, I'm working on something for which I need to know where the script is hosted and the user of that js cannot spoof it.
One more solution which i thought of is using request.headers.origin but that also can be spoofed.
Is there any such solution by which I can get the hostname where the js is hosted so that I can restrict unauthorized use of js hosting.
I tried googling but couldn't find any solution. The solution which most people suggest is to obfuscate the js code after passing it from js only.
Can we do better?
You can't.
Everything that happens in the browser is entirely under the control of the user.
If you don't trust the user, then you can't trust any information you get from the browser.
You should find a source for the information that doesn't depend so heavily on the browser (e.g. generating the information server side and then associating it with information from the browser via the use of a session).
I am developing a firefox addon, and I need to make https calls. I am given an SSL certificate information (Serial Number, SHA1 Fingerprint, andMD5 Fingerprint). When I try to use the Request module from my main.js I always get a status of 0. I tried the Request module with other http requests which are not secured and it works fine.
So I assume that the 0 status has to do with the SSL certificate.
Although I try to simulate the same requests using Dev-HTTP-Client google chrome plugin and it works fine and I can get proper responses from the https server.
I am not sure but I think I need to use the chrome module Cc["#mozilla.org/security/... to make this work.
If you can guide me with the proper steps to setup the SSL certificate information from inside the addon that would be great
Unfortunately there is no direct way to verify a cert manually and continue with the request. Instead you need to add an override on error yourself and retry.
Attempt to make a regular XMLHttpRequest via nsIXMLHttpRequest. There is enough code and samples around on SO and Google describing how to do it. The requests module won't do, as it hides some necessary details.
Implement nsIBadCertListener2 and stuff it into req.channel.notificationCallbacks (might want to preserve the original callbacks).
If your .notifyCertProblem() get called, that means the cert did not verify. Now it's up to you to verify the cert with your seeded fingerprint (and serial).
If your seeded infos match, add a cert override (that won't work for STS hosts, of course)
Re-spin the request after adding the override, as the first request already got canceled as soon as it hit notifyCertProblem().
Most of the stuff is neatly demonstrated in ErrorPage.jsm of Boot2Gecko (still applies to all other mozilla powered products). That's a cross reference, so click around ;)
Of course, you'll need to use the chrome module.
I should mention that it is deliberate that I'm not giving a complete copy-pasta code solution, only all required pointers, as it is my opinion that a person should be capable enough to work with what I provided, or don't touch security subsystems in the first place.
I have a site which makes AJAX JSONP calls to a secured (SSL) web server. If I use a unsecured (HTTP) web server , everything works fine, but when I change to the SSL version, the call never returns. I've checking with fiddler and the error is following:
The remote server (192.168.150.85) presented a certificate that did not validate, due to RemoteCertificateChainErrors.
This means that some intermediate certificate is missing, but I don't know which one. In any case I need to deal with the situation where some installations has invalid certificate credentials.
It is known, that if you try to execute an AJAX method against a secure URL with a non-trusted or expired certificate the browser will warn your user about that, regardless of how or what you're trying to do. In browser you can accept the risks, even in C# you can implement a callback to accept these risks as well. But I don't know how to do it in Javascript/JQuery.
Do someone have an idea about how to handle this situation?
Thanks!
It seems that this is not possible/recommended. It is indeed not a good idea. We work now with real certificates which is quite cheap (there are even free ones) and easier to manage in our test environment, where we have several mobile devices, types of clients and so on.
I am working on a project right now that requires some javascript for the proper functionality we are looking for. The problem we are running into is that the clients of this web-based app can only access the site through a proxy server (due to strict policies). This proxy server is stripping the javascript from the page and we are unable to replicate the exact proxy setting to determine a solution. Has anyone ran into this problem before and found a solution?
If there's a fixed set of client machines, and you can go for Firefox only, you might be able to do something using a Firefox extension or a bookmarklet that fetches the Javascript some other way that the proxy doesn't recognize (e.g. as base64 encoded data). It would however certainly require a load of work, and you may have to program the extension yourself... Probably cheaper to buy a new Proxy.
Some of our customers had these problems and we told them to access our app via HTTPS and that cleared the issue since most proxy won't filter secured traffic.
I have a problem where I cannot identify visitors to my intranet page because their browser is configured to use a proxy, even for the local intranet. I always see the proxy IP and no other details about the client. The SOE that my company uses has the proxy set up already for Firefox and Internet Explorer, and I cannot ask them to reconfigure their browser because that is fairly complicated. I have tried using the PHP $_SERVER['REMOTE_ADDR'] and also one called $HTTP_SERVER_VARS['HTTP_X_FORWARD_FOR']. In fact, I wrote a page that lists both the $_SERVER and $HTTP_SERVER_VARS arrays and there was nothing informative of the actual client connecting. This is why I think it needs to be done on the client's side.
I'm not looking for a secure solution because it is only a simple page, so I was hoping that I could use Javascript or something similar to find something revealing about the client and send it to my intranet page as a GET variable. It's basically for collating statistics. It is no use telling me most of the visitors are a proxy! :)
I also want to avoid having users log in if possible.
You could use a cookie with a random, unique ID that's set upon the first entrance, and then used for identification. Could be done either in JavaScript or in PHP.
I am pretty sure there's no universal way to do this otherwise the whole concept of anonymous proxies go down the drain :)
My advice would be to ask your IT department to configure the proxy to populate the HTTP-X-FORWARD-FOR, REMOTE-ADDR or some other identifying header.