personal_cloud – WindowsTechs.com

Can a client script (running within a webpage) provide to the browser a certificate to accept in a wss:// connection?

Posted on December 25, 2022 by personal_cloud

Can a client script provide to the browser a certificate to accept in a wss:// connection? The WebSocket constructor does not seem to have many options.
(I am designing an IoT server that lets the owner share access with other users by ema… Continue reading Can a client script (running within a webpage) provide to the browser a certificate to accept in a wss:// connection?→

How does an attacker modify local files when I access them in Chrome?

Posted on December 24, 2022 by personal_cloud

I have a trusted html file containing a script that handles sensitive information. When I open it in Chrome 108 on Android, it says:

What is this about?
The above warning seems to appear independently of the method that file.html uses for… Continue reading How does an attacker modify local files when I access them in Chrome?→

javascript: how to apply block cipher to byte stream

Posted on December 24, 2022 by personal_cloud

I am writing browser javascript that has a pre-shared key with nonce, and creates a binary websocket connection. How can I apply block encryption-authentication such as AES-GCM to the messages?
Is it possible to tell the browser to skip th… Continue reading javascript: how to apply block cipher to byte stream→

Javascript: How to check SHA of fetched script before executing

Posted on December 23, 2022 by personal_cloud

To save money and/or reduce system complexity, I am hosting a script on a server that I don’t fully trust. My trust issue might be with the server itself, or the PKI setup on it. The reason doesn’t matter exactly, because we can just check… Continue reading Javascript: How to check SHA of fetched script before executing→

Javascript: How to check SHA of fetched script before executing

Posted on December 23, 2022 by personal_cloud

Javascript: How to check SHA of fetched script before executing

Posted on December 23, 2022 by personal_cloud

How to build a PSK website

Posted on December 3, 2022 by personal_cloud

Pre-Shared Key (PSK) with simple symmetric encryption is a popular way of solving both client and server authentication when SSL cannot be used for some reason (for example, can’t trust or deal with certificate management, or even SSL not … Continue reading How to build a PSK website→

Can an SSH server in password mode be impersonated if I ignore the fingerprint warning?

Posted on December 3, 2022 by personal_cloud

Assume that I never check the server fingerprint when logging in to an SSH server. This means that certain configurations of SSH can be impersonated. For example, I can log into a server that only has my public key. Obviously this doesn’t … Continue reading Can an SSH server in password mode be impersonated if I ignore the fingerprint warning?→

How can non-root intercept privileged loopback ports?

Posted on December 3, 2022 by personal_cloud

Please walk through how an attacker can intercept Chrome’s connection to 127.0.0.1:999, as suggested by the warning below.

This warning is consitently displayed across many versions of Chrome in many OSes.
When I click the "learn mor… Continue reading How can non-root intercept privileged loopback ports?→