I'm new to using SSL Certs and am having trouble getting help from the Service Provider I'm connecting to. I'm using PHP on the backend to handle the connection.
The setup is as follows:
User enters details into form, ajax sends the details back to Our server
Our server then connects using curl to 3rd party service sending away data in XML format
The 3rd party server replies with the data
Our server responds to the browser
Now the problem I'm having is figuring out who has to do the SSL cert, they are saying that I need to buy and install an SSL cert to connect to their server but I thought that it was the server receiving the connection that needs to handle SSL? If I brought an SSL cert wouldn't that only allow me to setup a secure connection between our server and the client's browser?
Please help before I lose my mind!
Thanks
Mark
You need to secure the Ajax connection between the browser and your server with a SSL connection if you are transferring sensitive data.
Edit: Sorry, I only answered your second question. The SSL certificate is configured by the entity whose server is being secured, so no you would not purchase a certificate to secure the call to THEIR server (Steps 2 & 3). But your Ajax call is totally on your end between your client's browser and your server, so you'd need one for Steps 1 & 4.
Related
I had built a website as a dashboard (using 000webhost) to change the data in mySQL database via php which was working fine right now. After that, I have a Unity WebGL build uploaded on itch.io which was working fine as well until it need to get data from the database via php. When I was intended to get the data via accessing php files store in the 000webhost server, I got the following error show up in the web console from the accessing website.
Mixed Content: The page at 'https://.itch.io/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://:54998/'. This request has been blocked; this endpoint must be available over WSS
The link I was using to access the php files was using https instead of http. I am still new to these area, I would like to know can I change the WebSocket endpoint to wss instead of ws? Do I need a paid plan to solve this? I did saw that the Single Hosting plan did offer free SSL certificate. Please help me, I am open for any suggestion/advice, Thank You.
The Websocket Server itself need to setup the SSL Certificate. If it doesnt, you need a reverse proxy like nginx or apache to handle the SSL and forwarding to the unencrypted ws:// websocket.
Anyway, the websocket should run on default port 443/80 as well, since many firewalls are blocking non default ports for security reasons. In this case you will need the reverseproxy if you dont have a dedicated IP for the websocket server.
Use socket.io. Most of the problems are solved and there is no need to do more.
var socket = io.connect('https://www...', {secure: true});
I have a problem connecting to the Fusio interface (api-manager). I installed it in ftp on a shared server. Until then everything is fine, the database is well updated and I have access to the fusio graphical interface. It is when I have to connect to the GUI that it is blocked. I enter my credentials and just after, an alert tells me: "Your connection to this site is not private".
Image of the second connection request
A little more details follow the comment #Luca Stucchi
I want to perform an installation using the mode: "installation script" (as explained in the documentation).
The API Manager is installed on a shared server, I can not use command lines.
This installation mode allows us to install via an ihm. During the installation, everything goes well. The database is well created and I have access to a login page.
But the problem starts now. When I enter my login information a pop-up appears, the message "Your connection to this site is not private" appears.
And I do not know how to avoid this popup blocking.
Why do you see the error
The error message "Your Connection is Not Private" is displayed for various reasons:
Invalid or non-trusted SSL certificate.
Time is not synchronized between the server and the client.
Issues related to browser cache.
AntiVirus/Proxy service blocking or interfering traffic.
Wrong DNS settings.
How to overcome
if it's a non-trusted SSL certificate: try to install it to your Trusted Root store.
invalid SSL certificate: if possible - re-create the SSL certificate on the server.
make sure that the SSL certificate it not already expired or that its validity starts in the future.
Sync your Clock on both sides (server and client).
Clear SSL state: open Internet Explorer -> Internet Options -> Content tab -> Certificates -> Clear SSL state button.
Clear browser cache (Cached images,Files, and Data)
Turn off (temporarly) your AntiVirus/Proxy.
Use some public DNS like google's (8.8.8.8 or 8.8.4.4).
source for most of the ideas.
P.S.
I'd suggest adding a code sample to get more precise answers...
I recently purchased an SSL certificate for a domain, let's call it mydomain.com. I have a login script which I'm using to authenticate against a client's Active Directory service. I have no real access to their server at all, although they have whitelisted my server so that I can verify whether their login credentials are correct or not.
Let's say that the clients enter their login info on a page with URL https://www.mydomain.com/login.php. I have tested the PHP script which I have written using a test account provided by the client, and it does correctly identify whether or not the provided username/password combination is correct. However, is the login information really being encrypted as it is sent? Do I need access to a certificate on my client's AD server to make sure that the login is secure? As I understand it, since I'm the one sending the information to the client, and I have an SSL certificate in place, the login information should be encrypted. I am assuming that all that the AD server is sending to me is basically a true/false response on whether or not the credentials are correct, which should not require encryption.
Is my understanding of this process correct? I'd genuinely appreciate any insight you could provide. Thanks!
Here is the picture I get from you question
web browser --(1)--> your-domian.com --(2)--> your client's AD server
So you have purchased an SSL certificate for your-domain.com, so connection (1) is over SSL and all data is encrypted. However this speaks nothing about the connection to the AD server.
Connection (2) may be over SSL, TLS or be plain connection. In other words you need to check what your login.php is doing behind the scenes to authenticate in AD. If the connection it uses is SSL or TLS your data is encrypted on that stage, otherwise it is not.
So you are correct only in half. The data between the browser and your domain is encrypted, but the data between your domain and the AD server may or may not be.
I have following scenario:
The Android clients communicate with a PHP server via HTTP Post. The PHP server is communicating with mySQL database and sends the output as JSON to the Android client.
Now I am concerned that people sniffing the traffic, find out the URL and will post a lot of grap in my database.
I have no concern of sniffing the payload. So it does not necessarily be encrypted.
I was thinking of TLS/SSL which comes in mind because of the HTTP connection. But I am not sure what is the prefered way to go in this scenario.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
SSL won't help you, as the traffic can be sniffed before the data hits the wire, and people will STILL be able to figure out your API calls and fill the DB with crap.
You can "secure" the service with access tokens and username/password requirements. But again, they won't prevent a malicious user from flooding your system with bad data. However, it would let you track down WHICH user was doing so, as they'd have to be using a unique access token of some sort to get at your system.
I was wondering if any of you know if it is possible in javascript or php to test if a client has a specific client certificate installed in the browser.
The thing is that we have a server certificate installed but to be recognized by the clients, they need 2 client certificates that make them recognize the authority of the issuer of our server certificate. We would like to test the browser for these 2 certificates, if there are not there, we want to propose the client to download them before to enter in https mode...
Anybody can help? Please detail your answer if you know one.
You can do it client side by using javascript to request a known file from a secured (https) source. if the request fails then it means the client refused to accept your certificate (or another network error) at this point you could popup a message to ask the user to install the root certificate with a link to the root certificate.
This must be done from a non secure page. otherwise the user may refuse your certificate and never load the page to start with and therefore your javascript never runs
It can't be done in PHP because php (which is server side) cannot determine whether the client browser has a particular root ca installed
I however would not do this. get a proper certificate instead.
You appear to have insufficient understanding of how SSL works in general. I suggest spending some time understanding how SSL works and how certificates are used.
DC
to learn about sending and receiving http responses with javascript read this page..
http://www.w3schools.com/XML/xml_http.asp
It can be used to send and receive any text data, not just xml. It is real easy to implement but you must be aware of browser version issues.
DC
what about a warning message that will be hidden by a javascript which will be loaded from your https site.
in the warning message you can link the windows update site or wherever the updated root certifcates can be downloaded to their browser.
PHP is a server side language. If you really want to test this then you need to do it with JavaScript and then send back an AJAX request to PHP.
But I think there is another solution to your problem. Normally when a CA change their name etc. they have usually new "Intermediate Certificates" you can use. (If you have an apache httpd server then you can search for "ca bundle" on their website as well.) With this bundle you can send the new CA certificate along with your certificate.
Forcing your users to download and install a homegrown CA certificate is ugly and hateful. Instead, show them the love and pay the $30 US to get an SSL certificate signed by a reputable, already trusted, CA.