SSL Cert for client side web application, is it needed?


Introduction

I have tried to find good answer for it, but I haven’t gotten good article about this topic.

Since there are 2 types of client applications (in bigger picture) – one that runs on server and one that you download and runs in your browser.

My question comes in about the one, that runs in your machine (that you download at first visit – Blazor WebAssembly to be specific).

Questions

Do I need to enable SSL (HTTPS) for this application or web server, that hosts this application as well or is it not needed in the end?

Does only having API connection encrypted be enough?

Background

Yes, this is a cost saving masure, since this is for my hobby project and I would like to keep running costs as minimal as possible. But since I still exchange data, that should not be seen by 3rd party, this application needs to be secure.

To enable HTTPS I would need second Static IP, which is 3$ a month (which is not much), but again, it is additional cost for me, that I would rather not have.

TLS Handshake: Client Hello’s for SSLv2.0 starting with hex 0x80. Why? [closed]

I am working on understanding the TLS Handshake process with Wireshark and an open-source TLS scanning tool.

I noticed that all SSLv2.0 Client Hello messages start with hex 0x80. Can anyone explain why that is? I noticed all the subsequent TLS versions (including SSLv3.0) start with 0x16 (Content-type == Client Hello).

Wireshark screen attached for reference.

wiresharkCapture

Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, send un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are corectly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I’m aware copies entries from valid red. uris)

Google seems to return no results related to my problem.

Signed client certificate not accepted by websocket server [migrated]

Want to set up authentication in a python websocket server which builds up its ssl context like:

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.load_cert_chain('certificates/server_cert.pem', 'certificates/server_key.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_verify_locations('certificates/bob_cert.pem') 

Following the example in here (only for the creation of certificates) I created three keypairs and certificates, one for the websocket server and two client certs. As stated in the example I signed alice’s cert with the server cert and bob’s cert is self-signed.

If I now connect via bob’s cert and set verify_locations in the server as above, bob magically gets into the server (which doesn’t do more then echo back what you sent). But if I connect via alice’s cert (signed by server cert) I do not get accepted – getting a ConnectionResetError, the parameter verify_locations in the above code is then of course set to accept alice_cert.pem. For completion, below you find the code for ssl context creation of the client side (here for bob):

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.check_hostname = True ctx.load_verify_locations('certificates/server_cert.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_cert_chain('certificates/bob_cert.pem', 'certificates/bob_key.pem') 

What am I doing wrong or where did I misunderstand the tutorial I followed (link above), how can the unrelated (to the server cert) self-signed certificate used by bob (ISSUER CN=bob, SUBJ CN=bob) get access whereas alice cert which is signed by the server cert (ISSUER CN=localhost, SUBJ CN=alice) does get rejected?

How to secure a price passed to a payment gateway on client?

Using Javascript, say a customer buy a product that cost 10$ .

Many payment gateways, like PayPal and Stripe, offer a client side Form where you input the sale data (price, amount, buyer address, etc), and it’s being sent to the gateway (e.g PayPal) from the client side.

But, at this point when i fill the form using Javascript on the client side, someone can change the price from 10 to 1 and pay only 1 to PayPal.

I know things has to be validated on my server, but validation means that the server is sending back to client a response saying this price is good or not good, but this respond can also be manipulated.

So how is it that companies allow client side payment anyway using a form ? How/where the actual sale data is being passed to the payment gateway ? client? server?