Page 1 of 3 123 LastLast
Results 1 to 25 of 70
  1. #1
    Join Date
    May 2001
    Posts
    1,513

    SSL Manipulation

    After studying and testing out mod_rewrite in an .htaccess file, I have come up with a strange SSL solution.

    I made a self-signed certificate on my shared hosting site. My host also has a shared SSL that I can use. Using mod_rewrite, I figured out how to call the shared SSL page, yet have my self-signed SSL page come up.

    The strange thing is that my SSL page comes up with http instead of https, but it has the padlock, and no macro warning (I was wrong earlier about canceling the warning with javascript. I didn't realize it was a macro warning).

    The other thing is that on MSIE, the location bars shows my SSL's location, but unfortunately in Netscape it shows my host's location. So, I still haven't perfected it, or don't even know if it's possible, since most mod_rewrite commands can't be used by a user, but it's a start.

    Do you think most people will trust an SSL page that has a padlock but starts with http?

    Do most people check certificate info? If they see something like Comico, issued by Comico, do you think that bothers them?

    FWIW, I'm not trying to scam anyone. I just want a certificate, and don't want to pay for one. I could care less about checking out identities (though my customers may feel differently); I just want encrypted info with a padlock.

  2. #2
    Your browser is broken if it's showing a pad lock. However, I assume it's showing it from the shared SSL you're using before you use the rewrite rules, which is why the pad lock is there. If you're not using https, then it's not secure and it's going to fail to serve it's purpose (prompting them or not). Short of tricking people's browsers into thinking it's a valid certificate from a vendor, you can't get around it to not prompt them via a genuine SSL connection. You're just using a shared certificate to call to or use an invalid or non-functional certificate/area, by the sound of it.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  3. #3
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    cool chrisb

    sounds like this leading to a security exploit
    Last edited by modihost; 09-08-2002 at 09:15 PM.

  4. #4
    Originally posted by modihost
    cool chrisb :dgrin::agree:

    sounds like thiis leading to a security exploit :D
    You think so?
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  5. #5
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    well - if you can fool a web browser into using SSL without https:// in the URL - i am sure there are some rather creative ways to use this

  6. #6
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    chrisb:

    Can you post what version browsers you tested this in? Netscape 7.0 & IE 6.0?


    Also can you post some sample URLS. i wanna see this in action

  7. #7
    Originally posted by modihost
    well - if you can fool a web browser into using SSL without https:// in the URL - i am sure there are some rather creative ways to use this
    But he didn't fool the browser. He used the shared SSL for access, which was using a rewrite rule to use a non-vendor certificate.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  8. #8
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    chrisb

    Can you please post that .htaccess?

    now maybe i dont have to buy my own SSL cert lol

  9. #9
    Originally posted by modihost
    chrisb

    Can you please post that .htaccess?

    now maybe i dont have to buy my own SSL cert lol :cool:
    You're misunderstanding what he did and said and how this is working. He didn't create a way for people to get around being prompted, he didn't create a valid or real certificate that would function like one from a vendor without people adding it manually with warnings and prompts. He simply used the real (shared) certificate that does work to access a page which used rewrite rules to point to another place. It didn't have SSL on it other than from the shared SSL certificate he ran through.

    He could have used the rewrite rules ot point to any non-SSL web site or area and it would have done the same thing. If you have a shared SSL area, and you're using that anyway, how would it help or matter to use your own behind it, even if you could? If you've got to run through the shared SSL for it to work right, why would you use that to try and get out of using your own? You are already bypassing the need for your own by using the shared certificte. If you have to use the shared certificate to use your own or none, which doesn't make any sense, than you'll have to use the shared one anyway, which is what you're doing, which means that you're not needing to do anything else.

    This isn't a security issue, this isn't a way to have a free certificate, other than it's already there and it's already free (being that it's shared). I hope that better explains it and how it is working (nor not working), so you don't get your hopes up. :-)
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  10. #10
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    you must excuse me, i like to poke at things like this.

  11. #11
    Join Date
    Aug 2002
    Location
    Louisiana
    Posts
    396
    i think most average people dont even look for the padlock and dont care. But if your trying to sell to web masters - i am sure they would check. if i saw a SSL url that had http:// i would be trying to figure out how they fooled my web browser into thininking it was a secure page

  12. #12
    Originally posted by modihost
    i think most average people dont even look for the padlock and dont care. But if your trying to sell to web masters - i am sure they would check. if i saw a SSL url that had http:// i would be trying to figure out how they fooled my web browser into thininking it was a secure page :eek:
    The problem is, it won't unless you're running through SSL at some point. You'd be better off just using http and not SSL anywhere if you wanted to fool people that wouldn't notice. There is not valid lock or SSL without https.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  13. #13
    Join Date
    May 2001
    Posts
    1,513
    Hi Robert,
    Never say it cannot be done because some people like myself are inspired by that to prove you wrong. Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised. I have studied mod_rewrite intensively, and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.

    I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like https://server25.jchost.com/~username/order.html.
    It makes sense to me.

    I don't think my browser is broken, and the end result does show my page http://mydomain.com/order.html with a padlock, and NO macro warning. I'm still working on changing that part to https.

    The page that the user ends up at, uses my self-signed certificate. I only use the shared shared SSL location within the .htaccess file in my mod_rewrite rules, as sort of a launching pad to change the location or URL. If a user were to click to view the certificate, it has my certificate information. NOTE: I am not using the shared ssl and faking the location. I am using my own self-signed certificate.

    Maybe I didn't explain it well enough, so here's how I did it.
    1. Create a test ssl page, such as "order.html".
    2. Creat a test ssl directory, such as "myssl".
    3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
    4. Make an .htaccess file within your "myssl" directory.
    5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
    6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

    I will post the code later when I have it perfected. I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.

    I'm using order.html now for testing purposes only; and that will probably change to order.cgi Also, I'm using the latest IE6 browser.

    Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.
    Last edited by chrisb; 09-09-2002 at 12:37 AM.

  14. #14
    Originally posted by chrisb
    Hi Robert,
    Never say it cannot be done because some people like myself are inspired by that to prove you wrong. :)
    It can't be done.

    Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised.
    What do you think an .htaccess file has to do with this? You can add a lot of directives for a lot of modules in an .htaccess file, sure and things can be done. I don't know what you mean by "testing things within an .htaccess file extensively". That depends on what modules you are putting directives in for.

    I have studied mod_rewrite intensively,
    I'm quite familiar with the rewrite module. So are we talking about the rewrite module or directives for modules?

    and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.
    What do you think rewrite directives can possibly do to "damane your main directoty"?

    I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like server25.jchost.com/~username/order.html.
    It makes sense to me. :)
    That makes perfect sense and what you're trying to do, won't work.

    I don't think my browser is broken,
    I don't either. It's showing the padlock because you're running through the shared certificate.

    and the end result does show my page with a padlock, no macro warning, and my location with an http (I'm still working on changing that part to https).
    It's because you're running through the shared certificate.

    It also shows http://mydomain.com/order.html in the location bar.
    I can guess what you're doing. You're trying to make it so any access to that directory or a specific file even, has a rewrite rule to call to the share certificate's secure area. The flaw in this logic, is that your data isn't encrypted until the data is redirected, so it's always passed non-encrypted. The other problem, is that you can't use an SSL protocol on a non-SSL page, and rewrite rules won't solve that problem.

    The page the user ends up at used my self-signed certificate. I only use the shared shared SSL location within the .htaccess file in my mod_rewrite rules as sort of a launching pad to change the location or URL.
    If you don't uise the shared certificate, than any access will prompt the user or fail to work.

    If you click on view the certificate, it has my certificate information. NOTE: I am not using the shared ssl and faking the location. I am using my own self-signed certificate.
    Okay, but you perhaps understand how this will not overcome the certificate warnings once you are truly using the SSL certificate then.

    Maybe I didn't explain it well enough, so here's how I did it.
    1. Create a test ssl page, such as "order.html".
    2. Creat a test ssl directory, such as "myssl".
    3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
    4. Make an .htaccess file within your "myssl" directory.
    5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
    6. Now, when someone clicks on or goes to https://server25.jchost.com/~username/order.html, the location bar will actually say http://yourdomain.com/order.html, without any warning, and a padlock.
    So you're trying to do cloaking. This won't work right still, unless it's a vendor certificate, unless people don't mind wanrings or errors.

    I will post the code later when I have it perfected. :) I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.

    I'm using order.html now for testing purposes only; and that will probably change to order.cgi Also, I'm using the latest IE6 browser.

    Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.
    Feel free to have fun and definitely enjoy yourself. Sounds interesting, but I'm just telling you that this method will not be able to work. That's now how SSL works and it won't work with that method, not without warnings or flaws, or not without some point of the data being passed in non-encrypted form.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  15. #15
    Join Date
    May 2001
    Posts
    1,513
    Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.

    Concerning your statement, "it will not work". You are wrong. It will work. I've tested it, and it does work. It does exactly as I stated.
    How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?

  16. #16
    Join Date
    May 2001
    Posts
    1,513
    Note: Robert posted while I was editing. Number 6 should read
    6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

  17. #17
    Join Date
    Dec 2000
    Location
    San Diego, CA
    Posts
    1,571
    Couldn't you make a frames page with 1 frame 0% high and another frame 100% high? That'd be much better, but the only thing would be it'd still show http:// instead of https:// in the address bar.
    -Mooneer
    Thoughtbug Software: Hosting shouldn't require any thought.
    Legitimate host? Support the Code of Ethical Conduct

  18. #18
    Originally posted by chrisb
    Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.
    I realize this, and I simply stated I am well aware, due to the fact that you seemed to say that it's very possible if people had better knowledge or rewrite rules (the .htaccess file is just a control file, it can do a lot of a little) and that I'm aware of all the things it can offer in the way of directives, and depending upon the module it might work with as well.

    Concerning your statement, "it will not work". You are wrong.
    No, I'm not. It won't work. Not to the extent of what you claim your goal is.

    It will work. I've tested it, and it does work. It does exactly as I stated.
    No it doesn't. You stated that running via a shared SSL certificate and having a rewrite rule for a non-SSL protocol will show the lock in effect and that it will not prompt for errors. And why would it? You can do this with anything. For you to use the self signed certificate only and rewrite rules, it will not work via an SSL, encrypted protocol. You can't tell me that that itself works. What you've done thus far works, even if it's not encrypted, but it's not working in the manner which you said is your goal. The limitations of the manner in which you are trying to use to accomplish you goal, will _not_ work.

    How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?
    How can you assume it's arrorgance that makes you tell you it won't work? I don't need to see the directives and syntax of your .htaccess file to knwo that this method will not work. Try not to take my advice so personally or assume it's just me mindlessly saying it won't work to sound like I know things I don't. I am very aware of how these things work and this method you are wishing to do will not function how you want. If it doesn't error, fine, but it's also not using SSL.

    There is a large difference between what you're doing now and what you say you want to ultimately do. I'm not saying any of this to belittle you, sound smarter or more knowledge, or to take a swipe at your mission. I'm sure you're having fun with it, and that's great, but try not to assume so cynically because I do happen to know that this method will not work. Perhaps I'm not explaining myself well enough, but you'll find out soon enough, unless you do end up thinking it's working and you are actually passing the data without really using SSL (which would defeat the purpose).
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  19. #19
    Originally posted by chrisb
    Note: Robert posted while I was editing. Number 6 should read
    6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
    I believe you, but that has no bearing on SSL.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  20. #20
    Join Date
    May 2001
    Posts
    1,513
    Robert, I know that .htaccess is just a control file. What I meant was that there are different workarounds you have to do when using mod_rewrite within an .htaccess file that you don't have to do when you have root access and can use rewriteMap, etc.

    Again, it does_work. It shows a padlock, and no warning. Yes, I'd like for it to do more, but it works.

    No, I'm not worried about you trying to sound smarter. When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter.

  21. #21
    Join Date
    May 2001
    Posts
    1,513
    Robert, you pick out my little mistakes... Number 6 should have read...
    6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

  22. #22
    Originally posted by chrisb

    ...

    When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter. :) [/B]
    Unless, of course, it won't work. But you're free to dislike me or assume what you like because you think it will.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  23. #23
    Originally posted by chrisb
    Robert, you pick out my little mistakes... Number 6 should have read...
    6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
    Okay, just calm down. For goodness sakes, I'm not attacking you! Your post ABOVE (YOUR EDIT) said:

    "Note: Robert posted while I was editing. Number 6 should read
    6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock."

    You REPEATED yourself NOT mentioning the https URL! I wasn't "picking out little mistakes" of yours. You clearly didn't make it clear until this THIRD time. Just take your time to read what's being said and you won't assume so much. I didn't assume anything, I responded to what you said. what's all I've got to go on. It's astounding that you want to make a comment that my attitude is "arrogant" given these facts and you're refusal to accept that I might be right and know what I'm talking about. Check what you said, what you're doing and understand what I said.

    Consider if for a moment, of why it won't work. Either you're not being clear about any of this and are talking about something completely different and trivial, or you are missing something in the process and it's not goign to actually encrypt the data. If there's no getting through to you and you're going to assume things and get offended because I am trying to explain why and how it won't work, just tell me now and I'll not waste my time trying to talk to a brick wall.
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  24. #24
    Originally posted by chrisb
    Robert, you pick out my little mistakes... Number 6 should have read...
    6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.
    And are you calling to or using the shared cettificate in any way in this process? Are you saying that with rewrite rules, you can able to strictly use a self-signed certificate for your https://domainname/path and not any shared vendor certifcate anywhere in the process, and access that SSL area without any prompt or warnings, by simply using rewrite rules, yet it genuinely uses SSL to encrypt the data and it works just like any other vendor certificate? Maybe your browser _is_ broken? :-)
    Robert McGregor
    URL: http://www.2host.com
    Email: robertm@(nospam)2host.com

  25. #25
    Join Date
    May 2001
    Posts
    1,513
    Yes, it works, and it encrypts the data. Thus, the SSL page with a certificate that you can click on. What is arrogant is that you insist something doesn't work when you haven't even tried it. I've tried it, and I know that it works. What part of "it_works" don't you understand?

    I really dislike the attitude of people like you. You are the type of people that stifle development, because you are never wrong, even when you are.

    For someone to say that something doesn't work in a server environment, considering all the bugs out there, is just plain ignorance; especially when someone else has tested it and found that it does work.

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •