Results 1 to 25 of 70
Thread: SSL Manipulation
-
09-08-2002, 06:13 PM #1 Disabled
- Join Date
- May 2001
- Posts
- 1,513
SSL Manipulation
After studying and testing out mod_rewrite in an .htaccess file, I have come up with a strange SSL solution.
I made a self-signed certificate on my shared hosting site. My host also has a shared SSL that I can use. Using mod_rewrite, I figured out how to call the shared SSL page, yet have my self-signed SSL page come up.
The strange thing is that my SSL page comes up with http instead of https, but it has the padlock, and no macro warning (I was wrong earlier about canceling the warning with javascript. I didn't realize it was a macro warning).
The other thing is that on MSIE, the location bar shows my SSL's location, but unfortunately in Netscape it shows my host's location. So, I still haven't perfected it, or don't even know if it's possible, since most mod_rewrite commands can't be used by a user, but it's a start.
Do you think most people will trust an SSL page that has a padlock but starts with http?
Do most people check certificate info? If they see something like Comico, issued by Comico, do you think that bothers them?
FWIW, I'm not trying to scam anyone. I just want a certificate, and don't want to pay for one. I could care less about checking out identities (though my customers may feel differently); I just want encrypted info with a padlock.
-
09-08-2002, 07:46 PM #2 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Your browser is broken if it's showing a pad lock. However, I assume it's showing it from the shared SSL you're using before you use the rewrite rules, which is why the pad lock is there. If you're not using https, then it's not secure and it's going to fail to serve it's purpose (prompting them or not). Short of tricking people's browsers into thinking it's a valid certificate from a vendor, you can't get around it to not prompt them via a genuine SSL connection. You're just using a shared certificate to call to or use an invalid or non-functional certificate/area, by the sound of it.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 08:55 PM #3 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
cool chrisb
Sounds like this is leading to a security exploit.
Last edited by modihost; 09-08-2002 at 09:15 PM.
-
09-08-2002, 09:04 PM #4 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by modihost
cool chrisb
Sounds like this is leading to a security exploit.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 09:16 PM #5 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
Well - if you can fool a web browser into using SSL without https:// in the URL - I am sure there are some rather creative ways to use this.
-
09-08-2002, 09:18 PM #6 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
chrisb:
Can you post what version browsers you tested this in? Netscape 7.0 & IE 6.0?
Also, can you post some sample URLs? I wanna see this in action.
-
09-08-2002, 09:18 PM #7 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by modihost
Well - if you can fool a web browser into using SSL without https:// in the URL - I am sure there are some rather creative ways to use this.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 09:22 PM #8 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
chrisb
Can you please post that .htaccess?
Now maybe I don't have to buy my own SSL cert lol
-
09-08-2002, 09:43 PM #9 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by modihost
chrisb
Can you please post that .htaccess?
Now maybe I don't have to buy my own SSL cert lol
He could have used the rewrite rules to point to any non-SSL web site or area and it would have done the same thing. If you have a shared SSL area, and you're using that anyway, how would it help or matter to use your own behind it, even if you could? If you've got to run through the shared SSL for it to work right, why would you use that to try and get out of using your own? You are already bypassing the need for your own by using the shared certificate. If you have to use the shared certificate to use your own or none, which doesn't make any sense, then you'll have to use the shared one anyway, which is what you're doing, which means that you're not needing to do anything else.
This isn't a security issue, this isn't a way to have a free certificate, other than it's already there and it's already free (being that it's shared). I hope that better explains it and how it is working (or not working), so you don't get your hopes up. :-)
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 09:46 PM #10 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
You must excuse me, I like to poke at things like this.
-
09-08-2002, 09:54 PM #11 Aspiring Evangelist
- Join Date
- Aug 2002
- Location
- Louisiana
- Posts
- 396
I think most average people don't even look for the padlock and don't care. But if you're trying to sell to web masters - I am sure they would check. If I saw an SSL URL that had http:// I would be trying to figure out how they fooled my web browser into thinking it was a secure page.
-
09-08-2002, 09:59 PM #12 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by modihost
I think most average people don't even look for the padlock and don't care. But if you're trying to sell to web masters - I am sure they would check. If I saw an SSL URL that had http:// I would be trying to figure out how they fooled my web browser into thinking it was a secure page.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 11:18 PM #13 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Hi Robert,
Never say it cannot be done because some people like myself are inspired by that to prove you wrong. Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised. I have studied mod_rewrite intensively, and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.
I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like https://server25.jchost.com/~username/order.html.
It makes sense to me.
I don't think my browser is broken, and the end result does show my page http://mydomain.com/order.html with a padlock, and NO macro warning. I'm still working on changing that part to https.
The page that the user ends up at uses my self-signed certificate. I only use the shared SSL location within the .htaccess file in my mod_rewrite rules, as sort of a launching pad to change the location or URL. If a user were to click to view the certificate, it has my certificate information. NOTE: I am not using the shared SSL and faking the location. I am using my own self-signed certificate.
Maybe I didn't explain it well enough, so here's how I did it.
1. Create a test ssl page, such as "order.html".
2. Create a test ssl directory, such as "myssl".
3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
4. Make an .htaccess file within your "myssl" directory.
5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
I will post the code later when I have it perfected. I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.
I'm using order.html now for testing purposes only; and that will probably change to order.cgi. Also, I'm using the latest IE6 browser.
Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.
Last edited by chrisb; 09-09-2002 at 12:37 AM.
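The six steps above, written out as an added .htaccess example; this is not chrisb's unposted code or anything from this thread. It assumes Apache 2.x with mod_rewrite and mod_ssl and the "myssl" sub-directory layout from steps 2 to 5, and it pairs the internal rewrite the steps describe with the redirect a site would use so that the scheme in the location bar matches the transport actually used.

```apache
# --- /myssl/.htaccess  (assumed layout from steps 2-5) ---
RewriteEngine On
RewriteBase /myssl

# Step 5: serve /order.html from the document root in place of
# /myssl/order.html. Without the R flag this is an internal rewrite:
# no redirect is sent, the browser keeps the URL it asked for, and the
# page travels over whatever connection the browser already opened.
# A rewrite can neither add nor remove that encryption, so padlock and
# scheme reflect the original request (https or http), not the rule.
RewriteRule ^order\.html$ /order.html [L]

# --- /.htaccess in the document root (defensive counterpart) ---
RewriteEngine On

# If order.html is requested over plain HTTP, answer with an external
# redirect (flag R) to the https URL, so what the location bar shows is
# what is used. %{HTTPS} is "on" only when mod_ssl handled the request
# over TLS; any other value means the request arrived unencrypted.
RewriteCond %{HTTPS} !=on
RewriteRule ^order\.html$ https://%{HTTP_HOST}/order.html [R=301,L]
```

These rules change only which file is served and which URL the browser is sent to; the certificate the browser evaluates is still the one presented on the connection it opened.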
-
09-08-2002, 11:31 PM #14 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
Hi Robert,
Never say it cannot be done because some people like myself are inspired by that to prove you wrong.
Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised.
I have studied mod_rewrite intensively,
and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.
I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like server25.jchost.com/~username/order.html.
It makes sense to me.
I don't think my browser is broken,
and the end result does show my page with a padlock, no macro warning, and my location with an http (I'm still working on changing that part to https).
It also shows http://mydomain.com/order.html in the location bar.
The page the user ends up at uses my self-signed certificate. I only use the shared SSL location within the .htaccess file in my mod_rewrite rules as sort of a launching pad to change the location or URL.
If you click on view the certificate, it has my certificate information. NOTE: I am not using the shared ssl and faking the location. I am using my own self-signed certificate.
Maybe I didn't explain it well enough, so here's how I did it.
1. Create a test ssl page, such as "order.html".
2. Create a test ssl directory, such as "myssl".
3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
4. Make an .htaccess file within your "myssl" directory.
5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
6. Now, when someone clicks on or goes to https://server25.jchost.com/~username/order.html, the location bar will actually say http://yourdomain.com/order.html, without any warning, and a padlock.
I will post the code later when I have it perfected. I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.
I'm using order.html now for testing purposes only; and that will probably change to order.cgi. Also, I'm using the latest IE6 browser.
Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 11:46 PM #15 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.
Concerning your statement, "it will not work". You are wrong. It will work. I've tested it, and it does work. It does exactly as I stated.
How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?
-
09-08-2002, 11:53 PM #16 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
-
09-08-2002, 11:54 PM #17 Web Hosting Master
- Join Date
- Dec 2000
- Location
- San Diego, CA
- Posts
- 1,571
-Mooneer
Thoughtbug Software: Hosting shouldn't require any thought.
Legitimate host? Support the Code of Ethical Conduct
-
09-08-2002, 11:57 PM #18 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.
Concerning your statement, "it will not work". You are wrong.
It will work. I've tested it, and it does work. It does exactly as I stated.
How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?
There is a large difference between what you're doing now and what you say you want to ultimately do. I'm not saying any of this to belittle you, sound smarter or more knowledgeable, or to take a swipe at your mission. I'm sure you're having fun with it, and that's great, but try not to assume so cynically because I do happen to know that this method will not work. Perhaps I'm not explaining myself well enough, but you'll find out soon enough, unless you do end up thinking it's working and you are actually passing the data without really using SSL (which would defeat the purpose).
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-08-2002, 11:59 PM #19 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-09-2002, 12:10 AM #20 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Robert, I know that .htaccess is just a control file. What I meant was that there are different workarounds you have to do when using mod_rewrite within an .htaccess file that you don't have to do when you have root access and can use rewriteMap, etc.
Again, it does_work. It shows a padlock, and no warning. Yes, I'd like for it to do more, but it works.
No, I'm not worried about you trying to sound smarter. When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter.
-
09-09-2002, 12:14 AM #21 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
-
09-09-2002, 12:15 AM #22 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
...
When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-09-2002, 12:20 AM #23 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
"Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock."
You REPEATED yourself NOT mentioning the https URL! I wasn't "picking out little mistakes" of yours. You clearly didn't make it clear until this THIRD time. Just take your time to read what's being said and you won't assume so much. I didn't assume anything, I responded to what you said. That's all I've got to go on. It's astounding that you want to make a comment that my attitude is "arrogant" given these facts and your refusal to accept that I might be right and know what I'm talking about. Check what you said, what you're doing and understand what I said.
Consider, for a moment, why it won't work. Either you're not being clear about any of this and are talking about something completely different and trivial, or you are missing something in the process and it's not going to actually encrypt the data. If there's no getting through to you and you're going to assume things and get offended because I am trying to explain why and how it won't work, just tell me now and I'll not waste my time trying to talk to a brick wall.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-09-2002, 12:23 AM #24 Web Hosting Evangelist
- Join Date
- May 2002
- Posts
- 466
Originally posted by chrisb
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
Robert McGregor
URL: http://www.2host.com
Email: robertm@(nospam)2host.com
-
09-09-2002, 12:29 AM #25 Disabled
- Join Date
- May 2001
- Posts
- 1,513
Yes, it works, and it encrypts the data. Thus, the SSL page with a certificate that you can click on. What is arrogant is that you insist something doesn't work when you haven't even tried it. I've tried it, and I know that it works. What part of "it_works" don't you understand?
I really dislike the attitude of people like you. You are the type of people that stifle development, because you are never wrong, even when you are.
For someone to say that something doesn't work in a server environment, considering all the bugs out there, is just plain ignorance; especially when someone else has tested it and found that it does work.