getUserMedia() without SSL for local storage - html

In my website I need to record audio from the microphone and then replay it.
I do not need to send those files to the server, they can remain on the client.
Currently I'm successfully using flash for that, but I would like to switch to html5 and getUserMedia().
I'm aware that I normally need SSL for using getUserMedia() (except from localhost use), but I'm wondering if there is some sort of exemption if I don't want the data to be uploaded (and thus there should be no security issues in using it).

There's no exemption. Having one would require running your script in some sort of local sandbox with separate local storage and no networking. Does not exist.
Only Google Chrome enforces this https requirement by the way. Other browsers do not.
Getting a free certificate is easy.

Related

Can I use html5 Websockets with windows domain authentication?

Our setup is like this: we use a coldfusion 10 server, and files are on a local intranet. Users use a domain login to access any files over https. I'm interested in using html5 websockets, but the first attempt gave me an error because no credentials were supplied. Is there a way around this? If not, is there a recommended technology for this scenario?
The user does log in on the client side. If it's possible, what I'd really like to do here is pass those credentials when making the connection to the server.
you should be able to supply the authentication header to your web socket server before the elevation to web socket read that and send it back in the headers for the elevation (first frame) then when the browser connects it should have the authentication it needs.
if your using a custom authentication E.G in page not authentication header you can also do this by passing any custom header to your server.
Or mandate that the first thing your web client sends is the authentication details this could be something like {username_hash}.{password_hash} if they don't close the socket to them.
Do not do this.
You're now responsible for sending and encrypting the authentication credentials yourself, bypassing something that already works and is tested.
Anyone can snoop on an unencrypted websocket port. Use HTTPs for an intranet, use stable solutions, don't reinvent this wheel because it tickles your fancy.
In a couple of years some colleague will have to maintain this and will have to figure out how your homebrew version works versus something that's solid like plain browser authentication.
My advice: Leave this to the browser and to well-tested coldfusion libraries.

Use of RFB or RDP for a single GUI application

I’d like to be able to create a GUI that can be viewed over the network by a remote client.
One approach is to code the whole GUI in HTML5 and run it from a server such as Apache; the main difficulty with this is that the GUI includes at least one, sometimes two, windows containing live video streams (without any sound) and there doesn’t seem to be a good way of streaming live video into HTML5 - especially as it really needs to be live; a few seconds’ latency would be unacceptable.
Another approach (which I’ve done already, and actually works pretty well) is just to code the GUI as a desktop application (for example using Qt), and then to view the desktop remotely using VNC or Windows Remote Desktop. This gives the required responsiveness and lack-of-latency, but has the disadvantage that the whole OS desktop is accessible and not just my one application.
So, here is my question: is there a mechanism or a framework available that would enable me to use RFB (i.e. the protocol underlying VNC) or RDP (that underlying Windows Remote Desktop) to provide remote access to a single GUI application rather than a whole desktop?
When we comparing RDP and RFB the main deference is RDP only share metadata where RBF share whole frame buffer of the screen. So RBF is slow than RDP. VNC is using RFB where windows applications like Lync using RDP.
http://sandaruwmp.blogspot.com/2014/05/remote-desktop-application-with-rdp.html Here you can see a simple RDP example
Actually you can create an application that only shares a single application and also you can use many other protocols with RDP
here https://github.com/sandaru/RDAPP in this application it uses RDP with TCP that you can select only one application to show.
In this application it shares the desktop via RDP and listen to a TCP port you can send commands such as "stop selected processes", "Focus single application" and "share whole window". RDP react according to the TCP requests.
i hope this will be useful for you
NOTE: Above Source does not contain any NAT traverse mechanism.

Secure HTML5 offline web application - Detect when app cache has been modified

Let's say I'm building a "secure" offline HTML5 app which must be run locally in the web browser without needing to download more files from the server. Let's say I connect to the server initially with the web browser over HTTPS (TLS) and download the HTML, JavaScript and CSS required to run locally. I can reasonably assume that the first time I download the files that it is done securely as it is a brand new server that no-one else knows about yet. All the files get stored in the HTML5 Offline Application Cache. Now I have everything I need to run the application locally and shouldn't depend on the server for anything else.
Now every time I run the app, the application will use the HTML5 Offline Web Application Manifest to see if there are any updates from the server for the app to be downloaded. Potentially this could be a problem. If an attacker has now targeted my server and has done a MITM attack on the connection they could alter the application manifest, causing an update to be triggered and therefore make the client download new JavaScript and HTML. This would easily compromise the security of the application as the application relies on the integrity of those files.
What are some possible options to prevent this? Can we do any of these:
1) Completely disable or block updates from the server after all files have been downloaded. Then if the manifest is changed on the server, or the attacker serves up a new manifest, then the client ignores the new manifest and keeps using it's local copy of the files.
2) Detect if the manifest has been changed, or an update event triggered, or the browser is downloading new files. Therefore notify the user that this has occurred. And if it's not expected from the user, then it would indicate an attack. I understand that the there is a 'downloading' or 'updateready' or 'checking' event listed in the spec. Is there a way for the JavaScript to detect that those events have been fired?
3) Store a version value or cryptographic hash of the files inside the browser's local storage. Then on page startup, if the files change unexpectedly, we can throw up an alert to the web browser notifying the user they have been unexpectedly changed.
4) Perhaps use some sort of cache header that forces the browser to cache the files indefinitely. In other words, a kind of hack to make it ignore new manifest files that are sent by the server. This sounds like it could probably work as there are lots of issues that can cause the application not to update even when the manifest file is changed.
Thank you in advance.

Does the storage limit (on IndexedDB or localStorage) apply for local apps running off the computer?

If I write a web app that will run in Chrome or Firefox and uses IndexedDB (or localStorage), but it's not hosted anywhere and instead is run by the user double-clicking a local ".html" file, will the limits on storage size still apply?
I'm referring to this:
https://developers.google.com/chrome/whitepapers/storage#unlimited
[Unlimited Storage is] unique to Chrome extensions as well as hosted and installed web apps.
If it is not hosted, indexeddb won't work. The indexeddb is origin dependend, meaning it needs to have an address. Local file system doesn't meet that requirement.
Webapps are a different story, but these apps need to be installed and run inside a sandbox.

With Native Client (NaCl) is it possible to embed a server in a page that can accept incoming requests?

Is it possible to open a port using Native Client that other browsers can connect to? Like a browser to browser connection?
In general, no. NaCl does not allow programs to open sockets directly (that would be a security problem). It is intended that NaCl/Pepper applications have the same general capabilities as Javascript applications; so something like WebSockets (connection back to the server) would be supported, but not directly opening files or sockets on the client machine. There's some work going on to have a P2P style networking in HTML5 (e.g. http://www.w3.org/TR/2008/WD-html5-20080122/#peer-to-peer) which would likely get Pepper support as well, but I don't know what the status of that is.
The only way to get P2P connection in browser is through WebRTC. If NaCl allows to use WebRTC (though Pepper API or whatever) then the only thing you need besides implementation is broker server that will connect clients with each other. See PeerJS for some info.