I was debugging a situation where Chrome keeps saying it is managed by a third-party organization. Whether it was due to malware or not is yet to be seen. What bothers me is that some process in Windows keeps creating the HKEY_LOCAL_MACHINE\Software\Google\Chrome\NativeMessagingHosts\ registry entries even if I uninstall Chrome. Whether the key is created by a legit app or malware, it seems that native applications can communicate with Chrome without the user noticing or having mechanisms to disable the communication.
Now I am really concerned by the security issues connected with the existence of the mechanism of communication between browser and native applications through native messaging (see here). I would prefer my browser not being able to see other applications in the system and other applications to see that the browser is running, or at least to have an option to sandbox the browser and isolate it from native applications.
Is there a way to disable this kind of communication in Chrome and in the host system? In my case it is Windows, but I would be interested in Linux as well.
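An added example, not part of the original post: a Python audit of the native messaging host manifests that the registry entries described above point to, plus the managed-policy document that denies all hosts. The Linux directories are the ones Chrome and Chromium read; on Windows each manifest path is the default value of a key under `HKLM` or `HKCU` `\Software\Google\Chrome\NativeMessagingHosts\`, and the policy lives under `HKLM\Software\Policies\Google\Chrome\NativeMessagingBlocklist`.

```python
import json, os
from pathlib import Path

# Linux manifest locations (system-wide and per-user). On Windows, read the
# manifest path from the registry key instead and pass the text to summarize_manifest().
LINUX_MANIFEST_DIRS = [Path(os.path.expanduser(p)) for p in (
    "/etc/opt/chrome/native-messaging-hosts",
    "/etc/chromium/native-messaging-hosts",
    "~/.config/google-chrome/NativeMessagingHosts",
    "~/.config/chromium/NativeMessagingHosts")]
PREFIX = "chrome-extension://"

def summarize_manifest(text):
    """Return what a host manifest grants: which binary, to which extensions."""
    m = json.loads(text)
    if not isinstance(m, dict):
        raise ValueError("manifest is not a JSON object")
    origins = [str(o) for o in m.get("allowed_origins") or []]
    return {
        "name": m.get("name"),
        "binary": m.get("path"),          # executable Chrome starts on connect
        "extension_ids": [o[len(PREFIX):].rstrip("/") for o in origins if o.startswith(PREFIX)],
        "odd_origins": [o for o in origins if not o.startswith(PREFIX)],
    }

def audit(dirs=LINUX_MANIFEST_DIRS):
    """Summarize every manifest found; unreadable ones are reported, not skipped."""
    report = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.json")):
            try:
                report.append({"manifest": str(f), **summarize_manifest(f.read_text())})
            except (OSError, ValueError, TypeError) as exc:
                report.append({"manifest": str(f), "error": str(exc)})
    return report

def blocklist_policy():
    """Managed policy that denies every native messaging host."""
    return {"NativeMessagingBlocklist": ["*"]}

if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
    print(json.dumps(blocklist_policy()))
```

On Linux the policy document goes in a JSON file under `/etc/opt/chrome/policies/managed/`; individual hosts can then be re-enabled by name with `NativeMessagingAllowlist`.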
I have several devices that have invalid SSL certificates, mostly old routers, iDRAC, iLO etc.
It now appears to be impossible to access these devices via Chrome and Firefox.
In the past I have been able to add exceptions to access these devices, but I no longer seem to get the options.
Now I understand fully that these devices should be upgraded and I know there are very big risks when ignoring certificate errors, so please do not put a ton of replies telling me to upgrade, as this is not always possible; some of these devices do not have any upgrades available! Also, how do you upgrade a device that can be upgraded if you can't access it in the first place?
So the question is, is it possible to tell Chrome or Firefox to ignore all SSL/certificate errors (like invalid certificate or incorrect SSL version), or is there an alternative browser that will work in their place that still allows things like JavaScript etc. to run? I have tried a few browsers like falcon/surf/hv3 but none of these work.
I can't find any method for the latest versions of Chrome and the only thing I could find for Firefox was 'security.ssl.enable_ocsp_stapling' and that didn't seem to make any difference :(
I would prefer to use my current install rather than creating a VM and running a totally outdated OS, which also creates problems with SSH and VPN access.
As requested, an example of the error when accessing an old DrayTek router via Firefox, with no option given to bypass:
Secure Connection Failed
An error occurred during a connection to IP-ADDR.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Chrome error when trying to access HP iLO; I get the option to ignore, but then get:
This site can’t be reached
The web page at https://IP-ADDR/login.htm might be temporarily down or it may have moved permanently to a new web address.
ERR_SSL_BAD_RECORD_MAC_ALERT
But in general I am looking to be able to access sites where Chrome & Firefox have decided in the last year or so that I am incapable of deciding if I trust the site (emphasis on the 'I').
Both of these errors do not seem to be related to the certificate at all and can therefore not be solved by ignoring certificate problems. These are not trust problems but these are protocol incompatibility problems.
The problem with HP iLO is likely because the device supports only SSL 3.0, which has been insecure for years and thus is not usable in any modern browser and OS. The problem with the DrayTek router is not fully clear (there should be more information available in the browser) but it is likely similar, i.e. only SSL 3.0 or some cipher that is unsupported because it is insecure, like RC4.
One option to deal with these devices is to install some older OS (like Ubuntu 12.04 or even older) in a virtual machine and use the browser from this machine to access the device. And of course note that these devices are long out of support and continued use might cause security risks.
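An added example, not the answerer's code: a Python probe that confirms the diagnosis above by sending a hand-built ClientHello for one protocol version with only legacy suites (RC4, 3DES, CBC-mode AES) and classifying the device's first reply. It builds the record by hand because current Python/OpenSSL builds typically refuse to negotiate SSL 3.0 themselves; the host is whatever device address you pass on the command line.

```python
import os, socket, struct

SUITES = {0x0004: "RSA_RC4_128_MD5", 0x0005: "RSA_RC4_128_SHA",
          0x000A: "RSA_3DES_EDE_CBC_SHA", 0x002F: "RSA_AES_128_CBC_SHA",
          0x0035: "RSA_AES_256_CBC_SHA"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def client_hello(version=(3, 0), suites=tuple(SUITES)):
    """Extension-less ClientHello offering only `version` and legacy suites."""
    body = bytes(version) + os.urandom(32) + b"\x00"          # version, random, no session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                        # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def parse_reply(data):
    """Classify the server's first record: ServerHello, alert, or neither."""
    if len(data) >= 7 and data[0] == 0x15:                     # alert: level, description
        return ("alert", ALERTS.get(data[6], str(data[6])), None)
    if len(data) >= 44 and data[0] == 0x16 and data[5] == 0x02:
        off = 44 + data[43]                                    # skip the session id
        if len(data) >= off + 2:
            suite = struct.unpack(">H", data[off:off + 2])[0]
            return ("server-hello", VERSIONS.get((data[9], data[10]), "unknown"),
                    SUITES.get(suite, hex(suite)))
    return ("no-usable-reply", None, None)

def probe(host, port=443, version=(3, 0), timeout=5.0):
    """Send one ClientHello and report how the device answers."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(client_hello(version))
            while len(data) < 128:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:          # timeout or reset: judge what was received
            pass
    return parse_reply(data)

if __name__ == "__main__":
    import sys
    for v in VERSIONS if len(sys.argv) > 1 else ():
        print(VERSIONS[v], probe(sys.argv[1], version=v))
```

A device that answers `server-hello` only for SSL 3.0, or only ever selects an RC4 suite, has a protocol problem that no certificate exception in the browser can bypass.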
I developed an extension that communicates with a host (also developed by me), as provided by the https://developer.chrome.com/extensions/nativeMessaging example, and it works just fine.
Now I need to distribute my host with my extension and I couldn't find in Distributions how can I package my host along my extension. Are there any examples of how can I do it? Or must I distribute my host elsewhere?
I couldn't find in Distributions how can I package my host along my extension.
Support for this has been requested and turned down by Chrome developers.
I would recommend reading that thread for some insights in how native hosts are supposed to work according to them.
Or must I distribute my host elsewhere?
That's the idea. You need an installer hosted somewhere else.
wOxxOm's proposal is not going to work seamlessly, since a Native host cannot function without registering it with the system (e.g. adding a registry key on Windows) - something an extension cannot trigger.
It's possible you can still follow the bundle-download-open route for an installer, but I imagine it may get frowned upon by Chrome Web Store.
I've written a Chrome extension and companion native messaging host. I don't have any issues with it failing to start or crashing, but I would like to be able to restart it for updates of the extension. I can't find anything in the documentation or elsewhere regarding this. Is it even possible, or does the browser need to be restarted? Due to the nature of the extension, I'd like to avoid restarting the browser if possible.
Documentation can be found here, but it's not exactly robust.
https://developer.chrome.com/extensions/nativeMessaging
Upon further investigation I have found that restarting the native host application manually is not required. Chrome does this itself on update of the extension. However, that breaks the ability to send messages to the native host application from content scripts that have already been loaded, which was causing the issue I was seeing. Pages can be reloaded to fix messaging.
We're using Jetty 9.2.x in the embedded mode in conjunction with Restlet 2.3.1 to develop our application server. Recently we've enabled support for HTTPS, which utilises a certificate signed by a self-established CA.
Everything seemed to be working correctly when connecting to this server from various web browsers under Linux and Mac operating systems. However, when we expanded our testing to machines running Windows 7 and 8 (all machines are on the same LAN), we discovered that the Chrome browser (ver. 42.x) would not establish a connection, reporting
This web page is not available
ERR_FAILED
The webpage at https://host_name:9999/ might be temporarily down or it may have moved permanently to a new web address.
Trying to analyse TCP/IP messages between the browser and the server suggests that HTTPS handshake does not succeed. Surprisingly, everything works correctly under Windows XP.
Unfortunately, we're not sure how to proceed any further in trying to solve this problem. Any suggestions as to a possible cause or a solution to the described situation?
It has also been observed that Firefox under Windows 7/8 was able to establish the connection, but did not render the page due to lack of HTML5 imports support. This was confirmed by observing the page source from Firefox.
Edit: Configuring Jetty to use a self-signed certificate resolved the connectivity problem. This suggests that there is some issue with signing a certificate by a self-established CA, which seems to be specific to an operating system/web browser combination.
It has been identified that the originally used certificate was at fault. More specifically, its Common Name contained a value, which was not recognised as a suitable domain name. Generating a new certificate, signed with a self-established CA, but providing a suitable (albeit not registered) domain name in property Common Name has solved the problem.
The very original intent for thus issued certificate was to use it for internal development purposes and not for public consumption. Thus, the Common Name property was entered to reflect the local nature of the certificate (e.g. application-name.local).
I’d like to be able to create a GUI that can be viewed over the network by a remote client.
One approach is to code the whole GUI in HTML5 and run it from a server such as Apache; the main difficulty with this is that the GUI includes at least one, sometimes two, windows containing live video streams (without any sound) and there doesn’t seem to be a good way of streaming live video into HTML5 - especially as it really needs to be live; a few seconds’ latency would be unacceptable.
Another approach (which I’ve done already, and actually works pretty well) is just to code the GUI as a desktop application (for example using Qt), and then to view the desktop remotely using VNC or Windows Remote Desktop. This gives the required responsiveness and lack-of-latency, but has the disadvantage that the whole OS desktop is accessible and not just my one application.
So, here is my question: is there a mechanism or a framework available that would enable me to use RFB (i.e. the protocol underlying VNC) or RDP (that underlying Windows Remote Desktop) to provide remote access to a single GUI application rather than a whole desktop?
When comparing RDP and RFB, the main difference is that RDP only shares metadata, whereas RFB shares the whole frame buffer of the screen. So RFB is slower than RDP. VNC uses RFB, whereas Windows applications like Lync use RDP.
http://sandaruwmp.blogspot.com/2014/05/remote-desktop-application-with-rdp.html Here you can see a simple RDP example
Actually, you can create an application that only shares a single application, and you can also use many other protocols with RDP.
Here, https://github.com/sandaru/RDAPP: this application uses RDP with TCP, and you can select only one application to show.
This application shares the desktop via RDP and listens on a TCP port; you can send commands such as "stop selected processes", "Focus single application" and "share whole window". RDP reacts according to the TCP requests.
I hope this will be useful for you.
NOTE: The above source does not contain any NAT traversal mechanism.