We've written a MVC web application for a client that they're typically interacting with from Windows 10 PCs. They've now asked us for a solution whereby the users can attach a USB device that captures physical signatures, and have that captured signature uploaded via a web page in the app.
While this sounds like a general permissions/privacy no no, I'm hopeful maybe some sort of solution exists out there...?
Thanks
James
there is a WebUSB API for chrome you could used. it's javascript api, you could communicate using ajax for the backend.
https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web
Related
I've been basing my project on the discover services and characteristics sample project:
https://googlechrome.github.io/samples/web-bluetooth/discover-services-and-characteristics.html
I'm trying to log a list of all available services within a device into the Chrome console.
Is there a possibility to do this? Because if I don't enter a service ID, I encounter a securityError:
"Argh! SecurityError: Origin is not allowed to access any service. Tip: Add the service UUID to 'optionalServices' in requestDevice() options."
I know NRF Connect can detect all services.
So can I retrieve a list of all services from a device, without predefining the services?
Any ideas would be appreciated.
Short answer: No, you have to list the services you want access to.
Web Bluetooth is designed with user privacy in mind, and requires services an application wants to access to be listed in the requestDevice call so that browsers can offer an appropriate amount of communications to users. There is a way to request to connect to any device acceptAllDevices: true, but there is not a way to request access to all services on the device.
When you're developing and need to understand what Chrome can see on a device you can use chrome://bluetooth-internals/#devices. Start a scan to find devices, and then select Inspect. (Only some devices will accept a connection.)
NRF Connect is an excellent and more powerful tool as well.
The current design for Web Bluetooth doesn't support building that level of diagnostic application. More about the security & privacy model for Web Bluetooth is in the Web Bluetooth specification.
One good developer facing article on these topics: https://developers.google.com/web/updates/2015/07/interact-with-ble-devices-on-the-web
I have a bit of a difficult situation in that I need a way for a client connected to an ASP.NET MVC site to sign and decrypt blobs with their private key, such that the server never sees the private key material. In the decryption case, these are encrypted session keys. It is acceptable that the server see the session key, just not the users private key.
That is, I need to present the user some content in a browser, have some javascript (or java applets, or silverlight, etc.) execute client side that communicates with a hardware token on the client, and returns the result to the server.
This is NOT client side authentication. I don't need to simply authenticate via IIS with a certificate. The hardware tokens are HID OmniKey USB readers.
My understanding of the options available are:
1. Mozilla Javascript Crypto - This seems to be the optimal route. It appears that Firefox exposes various smart card events and functionality to remote sites. I see how to sign text, but nothing about decrypting blobs (the largest goal). There seems to be methods for loading a PKCS#11 module, but the documentation seems to stop after that.
2. Silverlight with Elevated Trust - This is my second preferable route, because of familiarity with Silverlight and .NET. Silverlight 5 has the ability to P/Invoke, so I could always call the PC/SC modules, but this requires running Out of Browser, which I can't do. There seems to be some posts about running a Silverlight app In Browser with elevated trust, but this is a global setting, and so I don't want to diminish security for other applications.
3. ActiveX - An ActiveX component can interact with the PC/SC module, but this would be an Internet Explorer only solution. If forced to pick a required browser, I'd prefer Firefox or Chrome.
3. Firefox/Chrome Extension - My understanding is Firefox XPCOM is C++, and I can just directly call the PC/SC libraries, and the extension can interact with scripts/DOM on the remote site. I'm not sure how the remote site though can trigger a Firefox extension. In other words, how does the remote site tell the extension "ok, it's time to sign"? One such example of this route is XSign (though it doesn't use hardware tokens).
4. Java Applet - This might ultimately be the only way to do it. I've found a couple examples/guides, but I'm not familiar with Java. Java Applet for Signing with a Smart Card. In this case, it's just a simple applet that can communicate with the token, and post the results to the site.
Are there other options available? I believe option (1), Mozilla Javascript Crypto is the best approach, but the documentation is beyond sparse. Thanks for any guidance.
I have virtually examined all options. The last option (Java Applet) is the most appropriate for your case and easiest to implement. The downside is that JRE (Java Runtime Environment) should already be installed at client side and plays nice with the browser. User also has to grant permission to the applet to connect to his smart card at first run.
BTW if you want to use PKCS#7, you can use Bouncy Castle. It has no standard API in JDK.
PS: Don't use JavaScript for cryptography. Javascript Cryptography Considered Harmful.
Maybe you could consider just having the clients download a native application and install it (once). You can have them use that app to do the authentication and negotiate a session key with your server - the app could then launch a browser with the session key in the launch url. "Native" apps could probably be not that native - use java or .net (if you're windows only) or python etc.
I am developing a flex 4.5 web based application and I need to make sure if the client chooses a certain level of security, each user can log only from an authorized computer.
So the question is how can I get some unique computer information? Anything like HDD serial number, CPU specifications, motherboard information, even the user that is logged into the Operating System can do.
So far the information on the web isn't giving me much hope that this can be achieved, but I had to ask.
Thanks in advance.
I suppose the only option available for web application is to create unique id from fields of flash.system.Capabilities class.
Other strategy which can be used is to generate unique UID in process of computer's authorization and then store it in local storage using SharedObject. Then web app tries to read authorization data from SharedObject on web app start. If there is no such data computer isn't authorized.
Richard is right. For security, unique identifying information is not available for applications running through Flash Player. You could write an Active X control (for IE) or a plugin (for Mozilla based browsers) to obtain additional information for your app if users (and their IT administrators) allow it. Information available will vary depending on the browser and operating system the user is running.
Adobe Air, on the other hand, allows access to additional network information including MAC address in the NetworkInfo class. Maybe it's worth considering an installed client app for users who require the additional security. Take a look at: http://www.adobe.com/devnet/air/flex/articles/retrieving_network_interfaces.html
This is not easy using a browser based Flex application, but there are some workarounds.
The browser based Flash Player can communicate with an AIR app on the desktop using localconnection. So, you could create an AIR app that utilizes NativeProcess to retrieve your machine specific information.
You could also use NativeProcess from a AIR app without using the browser at all.
A third option would be to install an application server on the client machine and have the browser based app communicate with the server to retrieve the client information.
I consider most of these options too difficult to be practical, but it depends on how important this feature is to you.
The Flash Player security sandbox will not let you read anything unique about the system on which the SWF is running, so I'm afraid this is not possible. The closest you will get is likely Capabilities.serverString along with maybe IP address, but the serverString property just lists all the capabilities of the client, which is obviously not a unique thing, and also might change from time to time for the same computer.
Warning: my knowledge of server-side scripting is limited to say the least.
This isn't a technical solution, but rather a different approach to your problem.
An alternative solution to would be to inspect the raw packet at the server in order to obtain data such as the IP and MAC address. Based on this the server can then deny or allow the login attempt.
I am used to working on embedded web servers running on micro controllers where C-based black magic is rather common, so I am not sure if this is possible or practical in a more traditional environment.
Is it possible to embed an external application inside the browser (IE, Chrome, Safari, Firefox) so it will look like a native web application but actually having access to the USB ports of the client machine? I have heard that I need to make an ActiveX control. I would like to use the .Net framework, but if that is not possible, maybe using Java or C++ will be fine.
I have to make an application that will allow to the users to connect an external device to an USB port, this device will take a backup of the information contained in a SIM card and send it to the user's account online agenda. So the user can restore it later using the same application. This should be a web application or at least look like one.
If the first is not possible. Is there any way to launch an external application from all the browsers, and then pass information to the browser window to allow it to refresh after the backup has been made?
Thanks for your help in advance.
First off this seems to be a big security issue and hence this is the reason why you might be finding it tricky.
What I would do is look at it from a different angle; what am I trying to achieve? How is the user going to use the data? Where is the user going to use the data?
From you question I have answered those questions with the following; I hope I've not miss interpretted anything.
I want to copy the data from an external sim card to a central location
I want the user to see this data from the central location; preferablly from a web application.
The user is going to see and use the data from the web app
Assuming all of these things are true; one design option is the following:
1 - Have a client based application which can read stuff from the usb device
2 - Have a secure webservice which the client based application can upload the data too
3 - Have a web application which can view this data and see refreshes
Let me go into bit more detail for each step.
1 - If you write a small client application it is installed or at least runs on the client computer. Due to this it can access the local client resources such as usb and interface with them. This will mean they can read the sim data throuogh this app, buut also potentially save it locally as well as upload the data. To access the web service they would enter their username/password so you could authenticate them for the upload.
2 - This web service would do the authentication from the client application, but also receive the data submitted from the client app. Acessing web services from .net now a days is really straight forward. Using this web service the client application could also do some checking to make sure the data has been updated and it could handle re-tries if the network dropped etc.
3 - The web front end of the system would interface to the same data source. This site would take the username / password to authenticate them on the site, but also let them see the uploaded data. As for the refreshes; if the user is logged in and looking at the data you could have a javascript timer polling an action/service to see when new records have been added etc. This could then display a message through jQuery or similar to notifiy the user. This could be similar to the notifications which StackOverflow gives when you visit for the first time or get a new badge etc.
Hope this helps :-)
I want to develop a web application that will have textbox and button. When the user enters a number and clicks on the submit button, I want to make a Skype call from the host. How can I do this?
Er... you're in for a world of pain. First, sure, your server could possibly make a skype call, but how would you handle the back-and-forth to your user's browser? Tons of custom programming with a rich client framework, that's how.
Better to let the user just use skype themselves. Look into the callto:// URI header for details.
Can't you setup your links with callto:// prefixes? If the user has the option enabled in Skype then the application will be associated with those links.
How to Use the Skype Callto:// Links
Perhaps you could build a link on the fly and initiate a call this way?
You can generate a link with HTML with a callto: address to launch the Skype client and make the call (if the client software is configured to do so), which is hopefully what you're looking for. See: http://chrisabraham.com/2005/05/05/how-to-hyperlink-to-a-skype-call-with-your-skype-contact-id-or-telephone-number/
If you want to actually get into the API, you'll need some kind of desktop C# application and interface with the Skype API, see following for details:
http://share.skype.com/sites/devzone/2006/12/c_example_project_for_skype4co.html
http://www.codeproject.com/KB/cs/skypecontrolapicsharp.aspx
So lets say you did launch a process on the server and automate the skype client on the web server. It then dials your customer via a phone located in the data center and the customer hears .... what? IIS isn't very talkative.
I know this is an old thread but we are getting a few visitors to our site from it. If you want to embed clickable links into your website that work with Skype please use the Skype URIs, see: https://dev.skype.com/skype-uri.
[Skype:echo123?call][1]