0

I'm playing with JavaScript and I know that webcrypto API is not available without https but I want encipherment capability between a web server on LAN and a browser. Using https with a self signed certificate will display a ugly warning message to the user that makes it unsuitable for my use case. I've also tried to embedded an iframe in an https web page hosted online with a valid certificate using a service worker so that the encryption is done by the parent page of the iframe through postmessage api but when the https page go offline the subtlcrypto API become unavailable on some browser.

So can you propose some hacks please?

Please don't kill me, I'm a beginner.

echo test
  • 101
  • 1
  • 10
  • 4
    you can get a non-janky letsencrypt cert for free to kill the annoying message using https. As-is, anyone along the way can replace the functionality of your code, steal keystrokes, see the traffic, etc. – dandavis Oct 21 '19 at 20:17
  • 4
    This isn't really the place for getting help with network infrastructure. That being said, if you have a domain registered then have you considered taking a look at Let's Encrypt? You could get a free SSL/TLS cert using their certbot with very little effort. I use them for personal websites and they auto-renew without my having to intervene in any way. – B. Fleming Oct 21 '19 at 20:17
  • Can the Let's Encrypt provided certificate be used on LAN?. Also, what is the good place to get help for network infrastructure? – echo test Oct 21 '19 at 20:22
  • 1
    I don't believe it can, no. If you want a CA to work on a private network with no outside access, then you would probably need to roll your own CA (and there are quite a few resources online detailing how to do so). Alternatively you could look into the possibility of configuring your firewall to whitelist only the `/.well-known/acme-challenge` path for public connections. Other alternatives may exist. Your best bet for help within this problem domain is [SuperUser](https://superuser.com/). They should be able to better answer your questions :) – B. Fleming Oct 21 '19 at 20:52
  • A Let’s Encrypt certificate can be used on a LAN if you control the domain name. – Ry- Oct 21 '19 at 22:10
  • @Ry Would you please point me to a resource or explain me how to achieve that goal? A.K.A using Let's Encrypt certificate on LAN ? – echo test Oct 22 '19 at 03:43
  • @B. Flemming , the CA itself is not really a problem, if I use my own the browser will always show its ugly warning. And I think, thinking about a programmatic certificate injection in order to make it trusted by the browser may be a big security threat and I don't even know how to do it. – echo test Oct 22 '19 at 03:51
  • @echotest: If you can expose an HTTP server that your domain name is publicly pointed to to Let’s Encrypt each time it renews *or* write public TXT DNS records, you can use the corresponding Certbot verification methods. Then move the certificates from the device running Certbot to the device you need the certificates on. Be aware that the IP address you run verification from will be logged publicly. (Certbot doesn’t need access to your private key to do this, either, if you know how to make a CSR.) So look into Let’s Encrypt and if you run into a specific problem, feel free to ask about it. – Ry- Oct 23 '19 at 14:17

2 Answers2

0

Using https with a self signed certificate will display a ugly warning message to the user that makes it unsuitable for my use case.

You want Let’s Encrypt. You can use Certbot to get free TLS certificates. Certbot will even renew them for you.

If you want to try to continue without HTTPS at all, please don't. It's a foolhardy idea.

HTTPS is good and free; use it!

Ry-
  • 218,210
  • 55
  • 464
  • 476
Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206
0

The only way to avoid the ugly warning displayed by the browser is to have a certificate signed by a CA trusted by the browser. So you can roll your own CA as suggested by B. Fleming, but this is a lot of work to maintain and make it trusted on all major browsers.

The main and decisive security thread I have found is the ability for any attacker to control the code of your embedded crypto library by using something like a MITM attack.

So as others suggested, using a Let's Encrypt certificate is a good idea, but you will have to define a domain name you control for each of your LAN servers (may be changing only subdomains) and bind it to a local IP address on your router.

Also, be aware that other attacks exists and a single point of failure is very dangerous in this kind of configuration.

echo test
  • 101
  • 1
  • 10