When I try to look up some pages, I get the following:
Your connection is not private
Attackers might be trying to steal your information from www.xxx.com (for example, passwords, messages or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Back to safetyHide advanced
This server could not prove that it is www.xxx.com; its security certificate is from *.herokuapp.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to www.xxx.com (unsafe)
What should I do to prevent this? Somehow google has https, but I know I haven't paid for a certificate and everything runs off http, but pages are indexed in google as http(s).
You must use the SSL Endpoint addon.
Heroku use a default *.herokuapp.com certificate. For custom domains, you must use the adon.
https://devcenter.heroku.com/articles/ssl-endpoint
Related
I have multiple Web Servers (mostly IIS & Apache).
Some of them are configured to allow only clients with a specific certificate. Moreover, we have users that have multiple certificates for the same web server which allows different actions to be made.
Ex : Certificates that are used only for highly privileged actions and some for everyday use.
We do not use the operating system certificate store for compliance issues.
I have made the following python code which works by specifying the wanted certificate :
import requests
response = requests.get("https://myserver-dns-name.com", cert="./ClientCert.Key")
I tried fetching the server certificate and look for the following enhanced key usage oid 1.3.6.1.5.5.7.3.1 (TLS Server Auth) but not all servers have it specified.
I tried using the Python ssl library and handle the handshake but the library doesn't seems to allow it. What I wanted is have a callback when the server sends a certificate request to the client.
What I want to know is if its possible to detect from the client that the server have client authentication enforced in Python or any other languages?
I want to implement the same behavior as chromium in Python (Showing a certificate selection dialog as seen here ssl_client_auth_handler.cc)
I'm wanting to implement SECURE_HSTS_SECONDS to my Django settings for extra security - however the warning from the Django docs is making me abit scared so I want some clarification. Here is what is says:
SECURE_HSTS_SECONDS
Default: 0
If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security header on all responses that do not
already have it.
Warning:
Setting this incorrectly can irreversibly (for some time) break your site. Read the HTTP Strict Transport Security documentation first.
What has to happen for it to "break my site"? I read the HTTP Strict Transport Security documentation first and it didn't make it any clearer.
HTTP Strict Transport Security
HTTP Strict Transport Security lets a web site inform the browser that
it should never load the site using HTTP and should automatically
convert all attempts to access the site using HTTP to HTTPS requests
instead. It consists in one HTTP header, Strict-Transport-Security,
sent back by the server with the resource.
In other words, if you set the value of SECURE_HSTS_SECONDS to e.g. 518400 (6 days) your web server will inform your client's browser the first time he visits your site to exclusively access your website over https in the future. This applies to the entire defined period. If for any reason you no longer provide access to your website over https the browser couldn't access your services anymore.
Therefore, you should initially set this variable to a low value of like 60s and make sure that everything works as expected, otherwise you could prevent yourself and your client from visiting your site.
Browsers properly respecting the HSTS header will refuse to allow
users to bypass warnings and connect to a site with an expired,
self-signed, or otherwise invalid SSL certificate. If you use HSTS,
make sure your certificates are in good shape and stay that way!
Source
I would like to implement a transparent IMAPS (SSL/TLS) proxy from zero using python (pySocks and imaplib).
The user and the proxy are in the same network and the mail server is outside (example: gmail servers). All the traffic on port 993 is redirected to the proxy. The user should retrieve his emails using his favorite email application (example: thunderbird). The proxy should receive the commands and transmit it to the user/server and should be able to read the content of the retrieved emails.
However, as the traffic is encrypted, I don't know how to get the account and the password of the user (without using a database) OR how to read the content of the emails without knowing the account and the password of the user.
After few days looking for a solution, I still don't have any track. Maybe it is not possible ? If you have any track, I would be happy to read it.
Thank you.
You must implement your proxy as a Man In The Middle attack. That means that there are two different SSL/TLS encrypted communication channels: one between the client and the proxy, one between the the proxy and the server. That means that either:
the client explicitely sets the proxy as its mail server (if only few servers are to be used with one name/address per actual server)
the proxy has a certificate for the real mail server that will be trusted by the client. A common way is to use a dummy CA: the proxy has a private certificate trusted by the client that can be used to sign certificates for any domains like antivirus softwares do.
Once this is set up, the proxy has just to pass all commands and responses, and process the received mails on the fly.
I acknowledge that this is not a full answer, but a full answer would be far beyond the scope of SO and I hope it could a path to it. Feel free to ask more precise questions here if you are later stuck in actual implementation.
We've decided not to use SSL anymore and unfortunately our server guy has quit and now I need to fix this. I've revoked the certs from Comodo, removed the SSL app from Heroku but that was apparently not enough and now we have serious problems with our site.
When visiting inteokej.nu one gets redirected to the app, but automatically http turns to https and instead of showing the domain (inteokej.nu) the app link is shown https://inteokej.herokuapp.com (I want inteokej.nu to be shown, not the actual app link).
That is a problem but not the biggest problem, which is that it's not possible to use the site anymore (e.g login, the static pages works though). When I try to login I first get a https security error and when I proceed I get to the following page: https://www.inteokej.nu/cgi-sys/defaultwebpage.cgi ("Sorry! If you are the owner of this website, please contact your hosting provider: webmaster#inteokej.nu").
I've now learned the hard way that SSL is a complex thing but I really need to get this site up again as soon as possible. So, where should I start and how could I proceed from this point? I guess there's some back end coding that should be done in the django code as well?
Thanks a lot in advance!
Your issue doesn't seem to be with SSL but DNS or at least however your server guy set things up.
The error page you're seeing isn't a Heroku error, inteokej.nu isn't being hosted on Heroku but on a server run by your DNS provider svenskadomaner.se .
If you use the Firefox Live HTTP Headers plugin you can follow the request/response cycle and you'll see that there is a 301 redirect from www.inteokej.nu to inteokej.herokuapp.com (probably an .htaccess redirect).
Check the DNS records for your domain (like here http://viewdns.info/dnsrecord/?domain=inteokej.nu ) you'll see that there is no CNAME record to Heroku, only an A Record to 46.22.116.5 which is an IP Address owned by svenskadomaner.se.
So the thing to do is to set up the custom domain as recommended on Heroku's site:
https://devcenter.heroku.com/articles/custom-domains
and set the CNAME to Heroku's recommendation.
One reason your server guy might have set things up like they did is that Heroku doesn't easily allow "naked domains", so people often do .htaccess redirects from example.com to www.example (which does work easily with CNAMEs).
Good luck!
Twitter, Facebook and some other websites are blocked in my country.
And I want to call the open API to do some hacking. I have searched but it can't solve my
problem. Any python libraries can help me sign the OAuth request through proxy and get
the access token ?
Thanks.
I am guessing you will have to set up your own proxy service for this, i.e set up your entire API and OAuth logic on a server outside your own country. If you call this proxy service from within your own country it is probably not apparent that you are actually communicating with Twitter.
You will need some sort of cryptographic layer between your client and your proxy/relay service though to make it somewhat secure/obscure. Your own request signing mechanism so to say, and your proxy/relay endpoint should definitely talk (HTTPS/SSL).