Can client certificates be used for authentication without HTTPS, only over HTTP on Windows IIS platform with ASP.NET ?
I need to authenticate a client using a digital certificate and i can't use HTTPS.
No you can't, at least if the client is a web-browser. Moreover, it doesn't have any sense.
Related
Recently I have been working on a website project that allows users to login with their Discord accounts to browse the website with their account.
The website utilizes the Flask-Discord library, Quart as my WSGI web framework, Hypercorn as my production server and Nginx as a proxy to pass web requests to my Hypercorn socket. I have set up an SSL certificate using Certbot-Nginx with Let Encrypt as the Certificate Issuer. However, after users are redirected to the Discord login page, the user logs into Discord and the callback is requested to my Quart Server I am receiving the following error:
oauthlib.oauth2.rfc6749.errors.InsecureTransportError: (insecure_transport) OAuth 2 MUST utilize https.
The website is set up and working correctly with a domain setup with noip temporarily and the SSL certificate valid, making all requests redirect to HTTPS instead of HTTP.
Is it possible that because the SSL certificate is set up with Nginx that the Python OAuth2 library is just unaware of the SSL certificate? It seems unlikely considering all requests are being redirected to HTTPS.
I've found plenty of people recommending to prevent such an error to just change the OAuth environment variables to allow for insecure transport but I don't want to compromise the security of the website.
Any ideas as to why this might be happening would be extremely helpful.
Thanks
This is happening because requests coming from Nginx reverse proxy is in HTTP form. Since you're running Quart app locally at say http://127..0.0.1:5000 and when Nginx makes requests to this URL, its starts with http. So insecure transport is done only from Nginx to your Quart app. You can supress this by setting "OAUTHLIB_INSECURE_TRANSPORT" = "true". More highlight on this: https://github.com/thec0sm0s/Flask-Discord/issues/3#issuecomment-676567390
Is it possible, in general, for a server to require both client certificate authentication and BASIC authentication?
For example, an intranet site of some sort, which requires :
The machine to have a specific certificate installed (client cert authentication), AND
A valid user to log in (basic authentication)
NOTE: this question isn't about a server supporting one or the other, but both together (as in the requester must authenticate both ways)
Yes, it is possible to have both. The client certificate will be verified during the TLS handshake while basic authentication will be done at the HTTP level, i.e. inside the TLS connection after the TLS handshake is done and the client certificate checked.
I am developing an application using IOS/Andriod/Angularjs for client site and Nodejs for server site.
I want encrypt file transfer between client and server for security.
For file transfer between a client and server use HTTPS (TLS 1.2). Everything but the address portion of the URL will be encrypted.
To avoid any MITM attacks you can pin the server certificate in the client.
You can do no better security wise than using HTTPS.
My application is based on Spring framework and is used to transmit very confidential data.During testing of the application with with proxy tools like Fiddler, Paros Proxy etc. it was found that these tools are intercepting the request data, and data is easily modified before reaching the server.
My application is not currently not integrated with SSL . We will implement SSL /HTTPS. but is this because SSL has not been integrated ?
Is it normal for Proxy tools to intercept the data from a web application with out HTTPS ?
There are two things here.
1) If you don't use SSL the communication is not encrypted, which means that anybody who is able to intercept the traffic, will be able to see the content. You don't necessarily need a proxy for that.
2) With an intercepting HTTP proxy you can see SSL encrypted traffic as well. What the proxy does is building two separate SSL tunnels one between the server and the proxy and one between the client and the proxy. This way the proxy itself can see the whole traffic. Of course the proxy can only provide a fake SSL certificate which will trigger a notification in the browser for the user, but he will probably ignore it.
Yes. If you don't use https, Proxy see everything that the application send or received.
To prevent that, you must use https.
To prevent sslstrip you must use HSTS.
As the title explains, I want to see the http requests that are sent by my android app client to my Jersey Web service.
Also, I'm using
https://github.com/kevinsawicki/http-request
class for sending the requests, but I'm not sure if they are SSL encrypted. Can I see if they are encrypted by looking at the http requests that arrive at my Web service?
If you have access to the server on which your web service is running, you can use Wireshark : https://www.wireshark.org/
This will trace and decode the tcp/ip protocol for you, and indeed show you if it's encrypted under SSL.
Assuming you own the server, and have full access, you can also install the Private Key from your server into Wireshark, and it will then show you decoded SSL traffic.