P.S.: Also I don't see a way to get access to the key - it is compiled into the binary and on top of it it's triple-secured/encypted. This is what we made sure of course. We had lot of talks with several security experts and the common opinion was "well - it's all localhost traffic which per se is secure. So here we basically have to make sure that the browser is not complaining".
-- http://www.carot.de Email : alexan...@carot.de Tel.: +49 (0)177 5719797 > Gesendet: Sonntag, 02. August 2020 um 20:12 Uhr > Von: "Alexander Carôt" <alexander_ca...@gmx.net> > An: "Thiago Macieira" <thiago.macie...@intel.com> > Cc: interest@qt-project.org > Betreff: Re: [Interest] wss:// on localhost > > > I don't think this is a good idea. You might be violating the terms of > > service > > of your certificate provider by doing that. Please check with them. > > In fact I already did - nobody has a concern about it. This traffic is > completey running on localhost - so nobody apart from the user itself is > affected. This approach simply shall satisfy the browser to launch the > localhost websocket. > > Best > > Alex > > -- > http://www.carot.de > Email : alexan...@carot.de > Tel.: +49 (0)177 5719797 > > > > Gesendet: Sonntag, 02. August 2020 um 19:24 Uhr > > Von: "Thiago Macieira" <thiago.macie...@intel.com> > > An: interest@qt-project.org > > Betreff: Re: [Interest] wss:// on localhost > > > > On Friday, 31 July 2020 23:53:08 PDT Alexander Carôt wrote: > > > Eventually we figured the ideal solution: > > > > > > We ordered a certificate for a sub-domain of our main domain and made the > > > DNS point to localhost. > > > > > > This way we can address our localhost connection via > > > > > > localhost.ourDomain.net > > > > > > This works perfectly without any user interaction - thanks a lot to all of > > > you for you inspiration ! > > > > > > Of course now I have to deal with the tiny details which I will raise in > > > another email in a bit :-) > > > > I don't think this is a good idea. You might be violating the terms of > > service > > of your certificate provider by doing that. Please check with them. > > > > I can see a big attack vector with the information you provided. Since this > > certificate's private key is distributed with your application, anyone who > > has > > this application can extract the private key and create a web service > > impersonating this domain name. If they can compromise DNS at any level > > leading to the user (your server, the user's ISP or locally on their > > machine), > > they can redirect traffic to this domain to their servers on the Internet. > > And > > since the certificate is trusted by the browsers, they wouldn't be able to > > tell something was wrong. > > > > So PLEASE reanalyse your solution. You MUST NOT ship the private key with > > your > > application. That key must be generated on the user's machine. > > > > -- > > Thiago Macieira - thiago.macieira (AT) intel.com > > Software Architect - Intel DPG Cloud Engineering > > > > > > > > _______________________________________________ > > Interest mailing list > > Interest@qt-project.org > > https://lists.qt-project.org/listinfo/interest > > > _______________________________________________ > Interest mailing list > Interest@qt-project.org > https://lists.qt-project.org/listinfo/interest > _______________________________________________ Interest mailing list Interest@qt-project.org https://lists.qt-project.org/listinfo/interest
