Tryinng to understand why some Java applications, browser applications ( e.g. Firefox) and other applications(e.g. Docker) have their own trust store. Why cannot they rely on the OS certificate store ? What are the factors to consider when a application level trust store is needed or not.
Related
I'm trying to communicate a web application with a desktop application and I'm trying websockets.
The desktop application will be the websocket server, and the web application is the client.
Customers will have to download the desktop app (available for Mac, Windows and Linux) and install in their own computer. The desktop application is just a 'print server' to print POS tickets directly, without browser's confirmation, open cash drawer, etc.
So, the websocket client will connect to wss://127.0.0.1 (own user desktop).
Ok, the application is working perfectly with a self signed SSL certificate, but... Is it enough for production?
I mean... What type of certificate do I need for this? Can I buy a SSL certificate for the 127.0.0.1 address?
Can I use a free self-signed certificate? Do browsers accept it?
I have developed the server desktop application for Mac, Windows and Linux (and the web app for the client side) and just need a proper certificate to release the service!
My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use http instead, then chrome won't store cookies from the site so the users login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application
We are developing a JavaCard-based security sensitive application. Our goal is to allow client code communicating with a GlobaPlatform 2.2+ based JavaCard applet to convince itself that it's actually talking to a specific (and verifiable) version of the JavaCard applet it needs to talk to. In other words, we are looking for a "platform integrity" mechanism to be sure there's no possibility that the JavaCard applet code was substituted/modified by "insiders" (e.g. even us who developed the applet).
At first we were hoping to use an Installation Receipt mechanism as described in the GP specification, but we were advised that this doesn't apply in that case.
So is there a way for client code to query the card about the authenticity (e.g. a simple hash) of the applet codebase (i.e. the installed .cap file) without having to query and trust the JavaCard applet itself?
at the same(=identical) youtube url I get three different messages (see attached picture). Video is available for IE and Chrome. Most puzzling to me is that I have a private key of certificate for the server (IE version). I probably do not understand something.
Internet Explorer: Microsoft Family Safety is known to intercept SSL connecitons. That's why you see the certificate for google signed by Microsoft Family Safety and because the private key for the certificate is needed for SSL interception you see that the private key is available on the computer.
Firefox: Firefox uses the system proxy settings and thus is also subject to SSL interception. But Firefox does not use the systems CA store and thus the CA for Microsoft Family Safety is not trusted by Firefox. That's why you get the error.
Chrome: Chrome uses the systems CA store and should also use the systems proxy setting by default. But the picture shows that Chrome gets the original certificate. The only explanation I have for this is that this snapshot was either done on a different computer with different setup or that the settings of Chrome were changed so that it does not use the system settings any more.
I would like to do Symbian programming with features that require an application to be signed with more then the standard self signed cert. I don't want to pay mony for a cert since I don't know if I will get to a point of selling an application. Is there a way to grant capabilities such as read and write device data to my application for use on just my phone?
If you don't have a Publisher ID the only option for you by now is Open Signed Online.
Open Signed Online allows you to sign an application for installation onto a single device. Unfortunately you will get the signed application, not a certificate itself.
Aside from Open Signed Online, which is pretty hopeless when you want to debug on the device, the only options at the moment are to find someone with a publisher ID to create a developer certificate for you device via Open Signed Offline, or wait for Symbian to come up with another way to get you a developer certificate. They are already planning to make publisher IDs cheaper and easier for individuals to get (currently you need to be a registered company) and wider availability for developer certificates is also on the cards.