I want to build a website availability checking service that would pass Cloudflare's browser check (aka "I'm Under Attack Mode") that gives a false negative error with isup.me no matter if a website is actually offline or not. Assume that there's no direct connection to the website as well.
Maybe Cloudflare actually has some API to check if a website behind its proxy is online? That would be perfect.
If it doesn't maybe it could be done the hard way. I'm thinking about node-webkit. It's a full-fledged web browser so theoretically it should pass the browser check. But I never layed my hands on node-webkit so maybe I misunderstood. Do you think it is possible and rational?
Any other ideas maybe?
The site owner specifically turned on I'm Under Attack because they were under attack, so what you're looking to do might actually not be helpful while they are under an attack.
Related
I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps
I feel that I'm doing something wrong...
GoogleWebAuthorizationBroker.AuthorizeAsync is supposed to open a new browser window, and then user can authenticate himself...BUT! I'm using it on WebServer or even in WorkerRole in Azure cloud, so how technically GoogleWebAuthorizationBroker.AuthorizeAsync can open new browser window on client machine?
This is the second question that I ask, but now it is a more specific question, because I feel that I miss something. The first one has little bit more details on what I'm doing.
I think I am having issues properly understanding your problem, I am not exactly sure this is a problem it seams this is more a question about the inner workings of Googles .net client library and in that case may just be off topic for Stack but lets try this.
You have a web application, for authentication it just needs to show this browser window to the user
That is done by redirecting them to this window.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
Assuming they click accept the authentication is redirected to your webserver using the Redirect URI where you handle authentication. Its not opening a new browser window on the users PC its redirecting there current page to the authentication then back to your webserver.
Again are you having a problem or is this just general curiosity as to how the client library works?
This is just a quick question really for my own peace of mind more than anything.
When accessing an app hosted on Heroku through https://myapp.herokuapp.com I get a warning in Google Chrome and Firefox (but not Safari) along the lines of:
You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.
I don't really want to pay the $20 a month for the SSL-Endpoint addon and was just wondering why these warnings appear and whether there was a way around it/how to find the content that is unencrypted.
I have tried both with and without config.force_ssl = true
Any suggestions? Any help would be appreciated
Turns out that this was an issue with a request from Google maps.
As far as I can remember, they changed their API to allow access over https:// after we began development.
It was simply a case of following the new process that was documented on the Google API page
GMail can used as a SMTP server. I've written the code that does it. But as we all know GMail may occasionally authenticate using captcha (image verification as they call it). The same thing may be the cause to reject SMTP authentication.
As I've seen google shows image verification when you try to log-in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.
So. Is it possible to still authenticate when special measures are needed? And how?
I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.
Try:
http://www.google.com/accounts/DisplayUnlockCaptcha
Or for Google Apps for your domain:
https://www.google.com/a/yourdomain.com/UnlockCaptcha
I can bet it's an IP based solution, so if your app if deployed somewhere else, It doesn't help.
Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.
Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!
IMHO The right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.
I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?
I was asked to build a control-system for a Ebay-like Finnish auction-site huuto.net.
The system would reopen closed auctions by a specific rules. It would be completely external from the main site, running at an external website.
The site is however unwilling to release its API and Schema. I know no way to build such a system without knowing its API.
How do you build an internet site without its API and Schema?
You could try some form of automatic browsing: mechanize
Edit:
Examples here.
I think you're asking about building a site that interacts with another site without using a well-defined API. Is that right?
You can interact with an external site without using an official API - in order to do so, you need to imitate a normal site visitor and send your requests to the site frontend (in much the same way as a web crawler does). Tools like hpricot, mechanize and curl can help you parse the content of pages and send requests, but in doing so your system may be quite brittle. Any change to the target site might mean you have to rewrite portions of your system.
It might be possible to get the data you need by screen scraping the site. You could perform the operations you want to do by POSTing data into their forms or using a WebClient type API to make your program act like a web browser but that's likely to be an extremely brittle solution.
Honestly though, without an API, there really is no good solution.
you either need access to the database or an API, otherwise no point in even trying.