Preface

I mentioned HTTPS validation earlier in my analysis of Scratch 3.0's communication with micro:bit:

Since web sites are moving to HTTPS, and Scratch Link is a native WebSocket server, you need to use the WSS protocol to get Scratch Link to communicate with the browser. For a local WebSocket server that uses OpenSSL's locally generated certificate, the browser requires the user to click Advanced Settings on a new page. The Scratch team's clever solution was to make the domain name device-manager.scratch.mit.edu point to 127.0.0.1, so that the WebSocket server can use the certificate for that domain.

I think this mechanism is useful for most applications that provide HTTPS/WSS services locally, so this article discusses how to implement the local certificate mechanism of Scratch Link.

The general form of the problem

This is a very general problem, so let's set Scratch Link aside and describe it in general form.

You write a native application that runs a local HTTPS/WSS service. HTTPS requires a TLS certificate, so you generate a self-signed certificate with OpenSSL. No browser trusts that certificate, so when you open the HTTPS/WSS service in your browser it blocks the connection and warns of a security problem until you click through the warning page (in Chrome: Advanced, then "Proceed to 127.0.0.1 (unsafe)").

The solution

This is a problem most developers have encountered, and the community has some solutions:

  • mkcert
  • certificates-for-localhost

These two are the most representative, but they are aimed at developers: both install a locally generated CA in the system or browser trust store, which amounts to modifying the configuration of the user's machine. That is not acceptable for an average user.

So here is a solution that works for ordinary users.

The idea is simple: obtain a certificate from a public CA for a domain name you own, bundle that certificate and its private key in the local software that runs the HTTPS/WSS service, and point the domain name's DNS record at 127.0.0.1. The browser then connects to a host name whose certificate chains to a CA it already trusts, even though the traffic never leaves the machine.

Steps

The steps in detail follow.

I chose to get the certificate from Let's Encrypt.

Use Let's Encrypt (certbot) to obtain a free TLS certificate for the dedicated host name, exactly as you would for a public site.

After the steps above, Let's Encrypt has issued the certificate, and certbot stores it under /etc/letsencrypt/live/xxx.example.com/ (fullchain.pem holds the leaf certificate plus the intermediate, privkey.pem holds the private key). Copy those two files from the server into the local software that provides the HTTPS/WSS service. For example, I use python-socketio on aiohttp to provide HTTPS/WSS services, and my configuration is:

    import ssl
    from aiohttp import web

    app.on_startup.append(start_background_tasks)
    if use_ssl:
        # Server-side context. PROTOCOL_TLS_SERVER replaces the deprecated
        # PROTOCOL_SSLv23 and disables SSLv2/SSLv3 by default.
        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # Serve the full chain (leaf + intermediate) rather than cert.pem alone,
        # so clients that do not fetch intermediates themselves can build a trust path.
        # load_cert_chain() raises ssl.SSLError if the key does not match the certificate.
        ssl_context.load_cert_chain(resource_path('./fullchain.pem'), resource_path('./privkey.pem'))
        web.run_app(
            app,
            host=SOCKET_SERVER_HOST,
            port=SOCKET_SERVER_PORT,
            ssl_context=ssl_context,
        )
    else:
        web.run_app(app, host=SOCKET_SERVER_HOST, port=SOCKET_SERVER_PORT)

After the configuration is complete, restart the local software: Chrome now trusts the local HTTPS/WSS service without showing a warning.

Now let’s discuss some details.

Security reminder

Do not bundle a wildcard certificate in the local software. Whatever you do to the packaged private key, anyone who has the installer has the key: it can be extracted from the binary, and a passphrase shipped next to it only slows that down. Once the key leaks, an attacker who can redirect traffic for a name the certificate covers (through DNS or a hostile network) holds a certificate the browser trusts for that name and can mount a man-in-the-middle attack and read user data; with a wildcard, that means every subdomain, including your real site. The risks are discussed in "Does domain name SSL certificate leakage have a significant impact on website security?" in the references. A further consequence: because the key is effectively public the moment the app ships, the CA/Browser Forum Baseline Requirements oblige the CA to revoke the certificate within 24 hours once it obtains evidence of key compromise, so expect the certificate to be revoked if anyone reports it.

So I requested a separate certificate for a dedicated subdomain that resolves only to 127.0.0.1. Even if the key ships unencrypted, the damage is confined to that one name, which serves nothing but the local loopback service. Encrypting the bundled key still raises the bar a little and is worth doing, but treat it as obfuscation rather than protection.

Certificate update

Let's Encrypt certificates are valid for 90 days and can be renewed during the last 30 days of that period. Renewing on the server every three months is routine; the question is how to get the renewed certificate and key onto every user's machine. My suggestion is to build an automatic update function into the software that periodically fetches the current certificate and key from the server. That download must itself go over a properly verified HTTPS connection to your main domain, and the software should check that the new pair loads (ssl.SSLContext.load_cert_chain fails if the key does not match the certificate) before replacing the old files.

You can also update the software itself regularly. I currently package the application across platforms with PyInstaller, so PyUpdater can be used to update the software automatically.

If that is too much trouble, consider buying a certificate with a longer validity period. Note that browsers no longer accept publicly trusted certificates valid for more than 398 days, so this only stretches the interval; it does not remove the need for a rotation mechanism.
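As an added example (not code from the original post or from Scratch Link), the following shell script performs the pre-flight checks the security reminder and the renewal section call for before a certificate is bundled: that the private key belongs to the certificate, that the certificate names the dedicated host exactly and is not a wildcard, whether it falls inside the 30-day renewal window, and optionally that the host name resolves only to loopback. It assumes OpenSSL 1.1.1 or later on PATH and uses the hypothetical host name local.example.com; the two certificates it inspects are generated inside the script as constructed test data (self-signed, which is enough to exercise the checks).

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a certificate that will be bundled with a
# local HTTPS/WSS server. Host name local.example.com is a hypothetical assumption.
set -eu

HOST="${HOST:-local.example.com}"
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

# Prints "ok" when the private key belongs to the certificate, "mismatch" otherwise.
# Compares the SubjectPublicKeyInfo derived from each side.
check_key_matches() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# Prints "wildcard" if any SAN entry is a wildcard (never bundle such a cert),
# "ok" if the exact host is listed, "missing" otherwise.
check_san() {
  local san
  san="$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true)"
  if printf '%s\n' "$san" | grep -q 'DNS:\*'; then
    echo wildcard
  elif printf '%s\n' "$san" | grep -qE "DNS:$2([, ]|\$)"; then
    echo ok
  else
    echo missing
  fi
}

# Prints "renew" when the certificate expires within $2 days, "fine" otherwise.
# Let's Encrypt certificates last 90 days and may be renewed in the final 30.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    echo fine
  else
    echo renew
  fi
}

# Prints "ok" when every address the host resolves to is loopback, "exposed" if
# any address is not, "unresolved" if there is no answer. Needs DNS, so it only
# runs when CHECK_DNS=1.
check_loopback() {
  local out addr
  out="$(getent hosts "$1" | awk '{print $1}')" || true
  [ -n "$out" ] || { echo unresolved; return 0; }
  for addr in $out; do
    case "$addr" in
      127.*|::1) ;;
      *) echo exposed; return 0 ;;
    esac
  done
  echo ok
}

# --- constructed test data: a 10-day self-signed cert for HOST and a wildcard cert ---
gen_cert() {  # gen_cert KEY_OUT CERT_OUT SAN DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days "$4" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}
gen_cert "$TMP/key.pem"  "$TMP/cert.pem" "$HOST"         10
gen_cert "$TMP/wild.key" "$TMP/wild.pem" "*.example.com" 10

echo "key/cert match  : $(check_key_matches "$TMP/cert.pem" "$TMP/key.pem")"
echo "SAN for $HOST   : $(check_san "$TMP/cert.pem" "$HOST")"
echo "wildcard cert   : $(check_san "$TMP/wild.pem" "$HOST")"
echo "renew within 30d: $(needs_renewal "$TMP/cert.pem" 30)"
if [ "${CHECK_DNS:-0}" = 1 ]; then
  echo "DNS -> loopback : $(check_loopback "$HOST")"
fi
```

Run it against the real fullchain.pem and privkey.pem before every release and after every renewal; the wildcard check is the one that should never be skipped, since that is the case the security reminder warns about.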

How to debug

Once you have clicked through the warning for 127.0.0.1, Chrome remembers that decision for a while, so a quick refresh no longer shows the interstitial even if the certificate is still untrusted. To confirm that the new certificate is really accepted, clear that exception first (clear browsing data, or test in a fresh profile), reload the page, and inspect the served certificate in the Security panel of DevTools. Outside the browser, openssl s_client -connect 127.0.0.1:PORT -servername HOSTNAME (substitute your port and host name) shows the chain the server presents and whether verification succeeds.

References

  • Analyzing Scratch 3.0's communication with micro:bit
  • scratch3_adapter
  • mkcert
  • certificates-for-localhost
  • Does domain name SSL certificate leakage have a significant impact on website security?