Chrome gives "Your connection is not private" when using with a proxy - google-chrome

I'm trying to record a test with JMeter for https://maps.google.com using JMeter's Test script recorder proxy. However I got a "Your connection is not private" error and it doesn't show the "proceed to https://maps.google.com" option like usual.
Does anyone know how to proceed? Thanks

First of all I would suggest to reconsider the whole test scenario as:
Leave Google Maps load testing to Google engineers
If you attempt to launch a load test against Google Maps - you'll get banned.
Even if your application uses Google Maps in frame for something - you should exclude it from scope as it isn't something you can control even if you won't be happy with the performance.
Just in case you still need it for any reason you can try the following workarounds:
Under chrome://settings/
Privacy -> Clear browser data
HTTPS/SSL -> Uninstall JMeter certificate
Try using a less "paranoid" browser, i.e. Firefox, which uses its own certificates and proxy settings
There is an alternative way of recording a JMeter test which doesn't require setting up proxies and worrying about SSL certificates - JMeter Chrome Extension

Your IP is being changed multiple times due to the proxy so it's making Google think a hacker is IP spoofing a site. Just change the https:// in the url to http://.

Related

Logging network tab automatically without opening it in Google Chrome

I need to log the information shown in network tab to a file. I can do it by firing network tab first and then exporting it to a file. But is it possible to run the network tab and exporting it to a file in the background automatically whenever the Chrome is opened?
Is it possible to do?
It depends on your requirement. If your extension involves DevTools, and therefore it is open, you can use the chrome.devtools.network.getHAR() method to get the network traffic. You don't need to navigate to the Network tab.
However, if you want to access the network data without DevTools being opened, this API will not work, as it's only exposed to the DevTools instance. There are a couple of possible options.
Option 1
You could use the chrome.webRequest API to intercept each request/response and append whatever data you want/can to an object. You could then use the chrome.downloads API to download the data. In your case, you could use a data URI.
// data: the JSON string built up from the webRequest listeners
var url = 'data:application/json;base64,' + btoa(data);
chrome.downloads.download({url: url, filename: 'notQuiteAHAR.json'});
I haven't tested this in practice, and I'm not too sure if you can determine when all requests are done before calling the download.
Option 2
Use the more low level chrome.debugger API, as per the comment by #wOxxOm. The debugging protocol only allows one instance of the debugger at a time, so this will only ever work if you don't have DevTools running. The API exposes a lot more than the chrome.webRequest API, but requires a bit of work to get all the data you need.
There's a repository called chrome-har-capturer, which uses the debugging protocol. Of particular interest is har.js, which uses the events found in the debugger API to manually construct the HAR. The purpose of the library is for remote debugging purposes, but I believe you can use the debugger API in an extension, and so you could probably use aspects of this repository.
As suggested by Gideon Pyzer, HAR Recorder uses chrome debug protocol to record HAR and generate a har file (without opening devtools). If you want a variation, you can fork and make changes on it.
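Option 1 above, filled in as an added example (not code from either answer): events are paired by requestId, requests still in flight are flagged because webRequest has no "all done" signal, and the JSON is converted to UTF-8 before btoa(). It assumes a Manifest V3 extension; the record layout and the function names are made up for illustration.

```javascript
// Added example: targets a Manifest V3 extension; the log format is made up, not HAR.
const entries = new Map(); // requestId -> record built up across events

// Merge one webRequest event into the record for its requestId.
function record(phase, d) {
  const e = entries.get(d.requestId) ||
    { url: d.url, method: d.method, start: d.timeStamp };
  if (phase === 'completed') e.status = d.statusCode;
  if (phase === 'error') e.error = d.error;
  if (phase !== 'start') e.ms = d.timeStamp - e.start;
  entries.set(d.requestId, e);
  return e;
}

// There is no "all requests done" event, so a snapshot marks what is still in flight.
function snapshot() {
  return [...entries.values()].map(e =>
    ({ ...e, pending: e.status === undefined && e.error === undefined }));
}

// btoa() throws on characters outside Latin-1, so convert to UTF-8 bytes first.
function toDataUri(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'data:application/json;base64,' + btoa(binary);
}

// Wiring, skipped when run outside an extension.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  const filter = { urls: ['<all_urls>'] };
  chrome.webRequest.onBeforeRequest.addListener(d => { record('start', d); }, filter);
  chrome.webRequest.onCompleted.addListener(d => { record('completed', d); }, filter);
  chrome.webRequest.onErrorOccurred.addListener(d => { record('error', d); }, filter);
  // Export on demand (toolbar click) instead of guessing when traffic has finished.
  chrome.action.onClicked.addListener(() => chrome.downloads.download(
    { url: toDataUri(snapshot()), filename: 'notQuiteAHAR.json' }));
}
```

The manifest needs the webRequest and downloads permissions plus host permissions for the logged URLs; an MV3 service worker can be suspended, which empties the in-memory map.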

How to allow Chrome Kiosk App configuration access for administrators?

I'm building a Chrome kiosk app that will be in a public space. Users can interact with the app, but there are a variety of settings (server addresses, timeouts, etc.) that need to be set. I'm looking for a strategy on how to allow access to that administration config.
On first run - This is straightforward, but I want administrators to be able to pull it up again.
Detect if the app ran as a kiosk app or manually - This would kind of work, not sure if it's the greatest
Detect some key combination - Ctrl + Alt + Something switches over to the settings page, this feels like people could stumble on it accidentally.
Is there another approach I'm missing?
If your Chrome device(s) is managed you have a further option which is to use the Chrome App Management area within the Google Apps admin interface.
To do this you code your app to use the storage.managed API and this should allow a Configure section for your app within Chrome App Management.
I haven't tried this myself yet but this appears to be the way the Chrome Sign Builder app is configured with its schedule.
Another approach would be to have an administrator login button in a corner of the app. You can set a default password for administrators, which could then be changed in the settings dialog.
You can also think of combining suggestions you have made, first run and then a key combination, and this could bring up a password prompt as also suggested. For an example of this see the Zebradog Kiosk app which is in GitHub so you can see code of how this could be done.
I use ctrl-alt-S at boot. This allows me to login and make changes. I know you have to do a couple of reboots, but it is out of service during admin time anyway.

Cordova google maps api key safe enough

I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server, i.e. https://yourserver.com/js/googleapis/maps/api/js, and make mod_rewrite rewrite these URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
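RewriteCond %{QUERY_STRING} ^$
# [P] hands the request to mod_proxy (needs RewriteEngine On and SSLProxyEngine On); without it Apache redirects the client to the keyed URL
RewriteRule ^/googleapis/maps/api/js(.*)$ https://maps.googleapis.com/maps/api/js?key=API_KEY [P,L]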
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyway, you could go down a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. If it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
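The proxy from option (1) combined with the authentication gate from option (2), as an added example (not code from either answer): a Node.js request filter that forwards only allow-listed Maps paths for a valid signed session and adds the key on the server side, which addresses the stated downside that anyone who finds the proxy URL can use it. The token format, SESSION_SECRET, ALLOWED_PATHS and the function names are assumptions; API_KEY stays a placeholder.

```javascript
// Added example: token format and all names here are assumptions, not a real API.
const nodeCrypto = require('crypto');

const SESSION_SECRET = 'constructed-demo-secret'; // placeholder: load from server config
const MAPS_KEY = 'API_KEY';                       // placeholder: lives only on the server
const ALLOWED_PATHS = new Set(['/maps/api/js', '/maps/api/geocode/json']);

// Token = "<user>.<expiryEpochSeconds>.<hex HMAC-SHA256 of 'user.expiry'>"; user has no dots.
function signSession(user, expires) {
  const mac = nodeCrypto.createHmac('sha256', SESSION_SECRET)
    .update(`${user}.${expires}`).digest('hex');
  return `${user}.${expires}.${mac}`;
}

// Returns the user name for a valid, unexpired token, otherwise null.
function verifySession(token, now) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [user, expires, mac] = parts;
  const expected = Buffer.from(signSession(user, expires).split('.')[2]);
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null; // constant-time compare
  return Number(expires) > now ? user : null;
}

// Decides what the proxy does with one request: { status, url }, where url is the
// upstream address to fetch. The key is added here and never reaches the client.
function buildUpstream(requestUrl, token, now = Math.floor(Date.now() / 1000)) {
  if (!verifySession(token, now)) return { status: 401, url: null };
  const incoming = new URL(requestUrl, 'https://yourserver.com');
  const path = incoming.pathname.replace(/^\/js\/googleapis/, '');
  if (!ALLOWED_PATHS.has(path)) return { status: 404, url: null };
  const upstream = new URL(path, 'https://maps.googleapis.com');
  for (const [name, value] of incoming.searchParams) {
    // Drop any client-supplied key; only the server's key goes upstream.
    if (name.toLowerCase() !== 'key') upstream.searchParams.append(name, value);
  }
  upstream.searchParams.set('key', MAPS_KEY);
  return { status: 200, url: upstream.toString() };
}
```

Per-user rate limiting would hang off the user name that verifySession returns, since a valid session can still be used to run up quota.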

Intercept DNS request in a Chrome Extension?

If I want to test http://www.domain.com, but I want to test two versions of it by switching the IP out (e.g. one resolves to 127.0.0.1 and the other 192.168.1.200) is it possible to write/use a chrome extension to handle intercepting the DNS query and resolving to my IP of choice?
The current workaround is to utilize the hosts file and flush the DNS cache to switch between them but that's less than optimal and was hoping a browser extension could handle the same thing.
There's no mechanism to manipulate DNS requests/responses natively inside Chrome, not even via the upcoming WebRequest API.
Is there a reason that you need to test with exactly the same domain name? Setting up a dev environment on something like http://dev.example.com/ (or http://example.dev/ if you run your own DNS or have edited your hosts file) is a clean mechanism for producing the effect you want in a way that's functional with the APIs you have access to; writing an extension that gave you a button to toggle between the two domains with the push of a button would be trivial

How to check if new version of Chrome is available?

I am trying to build an extension that would notify a user when new version of Chrome is available.
I tried to inspect network traffic when Chrome is checking for an update and it is sending a request to http://74.125.95.113/service/update2?w=3:{long_encoded_string} page that returns XML with information I need:
<?xml version="1.0" encoding="UTF-8"?>
<gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod">
<daystart elapsed_seconds="31272"/>
<app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok">
<updatecheck status="noupdate"/>
<ping status="ok"/>
</app>
</gupdate>
Besides sending {long_encoded_string} as URL parameter it is also sending some encoded cookie.
Maybe someone familiar with Chrome build process can shed some light on those encoded strings and how to build them? Maybe there is another easier way (I have a feeling that string encoding is a dead end for me)?
Google Chrome uses omaha to do updates to clients. The protocol is described here: http://omaha.googlecode.com/svn/wiki/cup.html. One thing you have to notice is that Google Chrome automatically downloads the update to your computer and then notifies (via icon on the tool menu). Unless you force check by opening the about dialog (in Windows).
As you have noticed, the Chrome GUID is {8A69D345-D564-463c-AFF1-A69D9E530F96}
The best way to see how Google Chrome is updating is to check the source code which is public. Google just ifdefs their version of Chrome in Chromium.
Google Chrome Code
The base class where all the updates happen is in UpgradeDetector, it basically checks for an upgrade every 1 hour for the dev channel and once a day for all the other channels and builds (stable / beta). The Chromium way to do scheduled events is through Tasks, in this case it is called a DetectUpgradeTask which checks for a specific BrowserDistribution::GetSpecificDistribution. There are many browser distributions, for Windows it is called GoogleChromeDistribution which is in charge of figuring out which version needs to be updated.
So why am I saying all this? Google Chrome is just querying registry settings and local files to figure out if a new update exists. Then the UpgradeDetector just compares the distributions to see if they are the same. This implies that Omaha does the whole update mechanism. And the best way to figure out what Omaha does is to look at their Omaha update protocol.
The Omaha Protocol
From quickly glancing at the protocol, the approach you're taking is the correct one, but you have to figure out the public key. In this case, the w, which differs for every request. You can read more about this in the "Protocol observations" in the Omaha update protocol. It does this to do a secure check for download updates, and they do this to protect the communication. They want the connection that checks for updates to be authentic and fresh so an attacker cannot replace or modify the message nor trick the client into upgrading to a vulnerable version.
So what now
It isn't just a simple request to the server to do an update check. The Omaha client protocol provides an alternative to SSL for update checks and does client-server requests to see if it's a valid connection. They are doing all this to protect the communication as explained before.
Unfortunately I don't think there is a "Chrome Extension" HTML'sh way to do this unless you implement that handshake yourself using NPAPI. Don't take my word for granted, I might be totally wrong :) Unless you can do the handshake all through XHR requests.
Since you want to check if Chrome has been updated and not installed, you have to verify that a new distribution has been downloaded as explained above in the code GoogleChromeDistribution which definitely requires NPAPI to read the registry.