So, the situation is: I want to know what path is a program sending the request to. With Wireshark, I can only know that it is sending https request and the corresponding domain but not the path.
I think there could be a way to at least inspect the outbound https traffic even without hacking the program.
Let's say if I run a fake website and redirect the connection to the real site to my local fake site. So the request will be sent to my fake site, and I can create a self-signed fake key pair for my fake site. Install the private key on the fake site, and install the public key on my local machine. Then the handshake should be approved.
But I have several problems:
How to launch a fake https server in the simplest way? Nginx? Or is there a simple solution in Python?
How can I install the public key on my local machine? I'm using Linux Mint 19 which is based on Ubuntu 18.04.
Any help is appreciated!
You may want to check Charles proxy. This a proxy with which you can inspect the outbound traffic (including HTTPS).
In order to inspect HTTPS traffic, it will be required to enable SSL Proxy which means that Charles will dynamically generate a certificate and become man-in-the-middle for HTTPS connections.
Charles signs these dynamic certificates with it's own which has to be added to the trusted storage of the application you use. Various instructions are available here.
Related
I'm trying to create a measurement device which can be controlled with a smart phone.
My situation
The places where I'm using the device don't have any internet connection available.
The measurement device uses a Raspberry PI, which creates a local WiFi network to communicate with the smart phone.
There is a Python webserver running on the RPI.
The smart phone has a PWA installed to send commands to the RPI's webserver.
The PWA is hosted on GitHub Pages (uses HTTPS by default).
After installation the PWA is supposed to work without an internet connection (just uses the RPI WiFi).
My goal is to successfully send requests to the Python webserver on the RPI by using the PWA on my smart phone.
My issue
When fetching the Python webserver within the PWA, I receive a Mixed Content error because the PWA is hosted on HTTPS (and also requires HTTPS) but the Python server is not.
When I tried using a self signed certificate created with OpenSSL, I receive a ERR_CERT_AUTHORITY_INVALID error.
I tried to use Let's Encrypt, but CertBot requires an actual domain. I only have an IP adress, which is the RPI's IP within its own WiFi network.
What should I do?
I fixed my issue by registering a free .tk domain pointing to 127.0.0.1 (localhost) and using Certbot from Let's Encrypt to create a SSL Certificate.
To validate the domain with Certbot I've used the TXT record validation.
In order to make use of the domain without an internet connection I've added a DNS record with the same .tk domain pointing to localhost inside the dnsmasq config file of the RPI.
My python webserver then uses the cert file to establish serving over HTTPS so the SPA on my mobile device won't throw an error when requesting data.
The situation is that a desktop application is needed to be run in the background (an application that would be "hanging around" in the system tray) with an API. For simplicity reasons, I chose Flask to build the API and Python overall to build the desktop part of it. Is this a practical or reasonable way to create a desktop application? The application itself will not be large scale, it will only hold several Python scripts.
Basically, a Microsoft PowerApp will be communicating with this API on the desktop. When a call will be executed from the Microsoft PowerApp to the API, it will be targeting a public static IP address to a specific port, then that will be forwarded to the local IP of the Flask application. I understand that PowerApps requires SSL to communicate with applications. I can figure out how to build the API and desktop part of it, but I cannot figure out the SSL certificates. When I try to generate a certificate through CertBot, it requires me to supply a domain. This situation will not be using a domain, only the public static IP. Does this at all seem logical to do or should a different approach be taken?
Though some SSL certificate providers support issuing certs to IP addresses, do yourself a favor and get the one assigned to a hostname. Just use organization's domain to create a hostname you like.
Alternatively, try entering IP address instead of domain when ordering a certificate.
You can read more about IP-based certs here: Is it possible to have SSL certificate for IP address, not domain name?
I’m extracting the SSL certificate from a website using the socket + ssl library in python. My understanding that it connects using the preferred method used by the server.
Using this method I’m able to identify what version of SSL is used to connect, but I also need to identify whether the website supports SSL v3, in the case when the default connection is TLS.
Is there a way to identify this information without manually testing multiple SSL connections?
I don't think sites advertise what they support. Rather, it's negotiated between client and server.
You could use the excellent server tester at www.ssllabs.com. It will try lots of configurations and report what the server in question supports. (Hopefully the site doesn't support SSL v3!)
I have a beginner PythonAnywhere account, which, the account comparison page notes, have "Access to External Internet Sites: Specific Sites via HTTP(S) Only."
So I know only certain hosts can be accessed through HTTP protocols, but are there restrictions on use of the socket module? In particular, can I set up a Python server using socket?
PythonAnywhere dev here. Short answer: you can't run a socket server on PythonAnywhere, no.
Longer answer: the socket module is supported, and from paid accounts you can use it for outbound connections just like you could on your normal machine. On a free account, you could also create a socket connection to the proxy server that handles free accounts' Internet access, and then use the HTTP protocol to request a whitelisted site from it (though that would be hard work, and it would be easier to use requests or something like that).
What you can't do on PythonAnywhere is run a socket server that can be accessed from outside our system.
Nope. PythonAnywhere doesn't support the socket module.
I am writing a Flask Web-Application and use eventlet as the networking library for that application (eventlet is wrapped by Flask-SocketIO to allow asynchronous operation)
Following this guide I have been successfully creating a SSL key- and cert-file which I pass to the WSGI Server
socket_io.run(app,
host=APP_HOST,
port=APP_PORT,
keyfile='ia.key',
certfile='ia.crt')
This works fine but unfortunately Safari / Chrome says that my SSL-Certificate is not trustworthy when I access the page for the first time.
The Chrome-Failure is the following:
NET::ERR_CERT_COMMON_NAME_INVALID
How to I generate a valid SSL Certificate so that the browsers don't show that error when a user connects to the web application the first time!?
That is because it is something called a "Self Signed Certificate", which is not from any trusted company, so any modern browser auto-detects this as an untrusted site. If you are using a UNIX-based operating system, (Linux, or macOS, Fedora, and more), you can use what I am using. You have to generate new certification from a trusted site.
This is what I use to get a TRUSTED certificate that most browsers can use: https://certbot.eff.org/instructions.