I've just started studying Winsocks and I've a simple question for you: how can I determine if the connection to a server must take place over a HTTP or HTTPS connection?
Let's say I want to connect to randomsite.random, how can I know what kind of connection I need? I know that for HTTP I must connect to port 80, while for HTTPS is needed 443, but how can I determine WHEN is needed a HTTPS connection?
Thank you for the attention!
The same way a web browser decides: Based on the URL you are trying to load. In a web browser, the URL begins with http or https, which is used to determine whether an SSL connection should be used. This is also used to determine the port if no port number is specified in the URL.
Many sites offer both a secure and a non-secure version. Some offer only a secure version, but still run a non-secure server which issues a redirect to the URL of the secure version. If you implement following of redirects, you don't need to worry about which version to use: it will happen automatically.
This is usually a function of the site you are connecting to.
If the site requires a HTTPS connection, then if you connect over HTTP you will get a redirect response code with a HTTPS URL.
Firstly, it's not always port 80 and port 443. Secondly, you won't establish successful communication if you use the wrong communication protocol. As said in another answer, if you try to connect via HTTP to an HTTPS server, it will give you a redirect response code with an HTTPS URL.
Most of the time, you have this information before-hand!
Related
How do I determine (using c++ and winsock) the site protocol based on the URL, for example (www.google.com) if the protocol is not known in advance?
Or how do I determine web server TCP port?
I want do an HTTP get request using the link which after www. and need to determine the port or protocol, in order to use http over tls or simple http.
You can't. You decide the protocol you're going to use to contact some server. If you haven't decided it, you don't know it. Certainly your computer can't tell you what it will be.
It's like asking a supermarket cashier what you're going to buy today. They don't know that. You are supposed to tell them that.
What you can do is to see whether a website on that server automatically redirects HTTP traffic to a HTTPS URI (thus enforcing SSL), or otherwise blocks non-HTTPS traffic. If that's what you want to do, you can achieve it by attempting to make an HTTP connection to that domain and see what happens.
Depending on your web browser make/model/version, that may be what it is doing when you enter "www.google.com" without specifying a protocol: assuming http:// then following any remote redirects that take you to https:// instead. Pretty soon, though, or already if you have certain extensions installed, the default is going to be https://. I must stress though, again, that this is still the client (i.e. the browser) making the decision, not the server; if you are writing your own browser then, again, you must choose what that default should be.
In your example, www.google.com is a domain name.
To get protocol you need full urls like
https://www.google.com or http://www.google.com
In the above example, http and https are protocol types.
You can also use nmap to determine the open ports, service name and protocol used
I'm trying to connect to a domain that seems to have Akamai tech.
I can't connect and nor does curl - but the browser does.
So I assume the IP address is not blocked.
Reading up - it seems that Akamai runs some algorithms and doesn't allow connections sometimes.
But since a web browser works (from same pc) - I assume it can be made to work.
Any tip?
Your question is quite wage. Akami WAF will not allow curl unless you have white-listed your IP address. Browser connect is just TCP connection on port 80, 443. Which http method did you try to access and is that method allowed? By default i believe only GET and POST are allowed.
can the proxy server intercept my https request and set cookies before actually sending the request?
I'm going a GET on an url from chrome browser. In the development tools, under "Network", I noticed that the first request, the one that I made, has cookies set. but I did not set any cookies.
any thoughts?
No it can't. To proxy HTTPS requests your browser issues HTTP CONNECT command (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT). Proxy then creates a tunnel between the browser and a target server.
A conventional proxy can neither view nor manipulate a TLS-encrypted data stream, so a CONNECT request simply asks the proxy to open a pipe between the client and server. The proxy here is just a facilitator - it blindly forwards data in both directions without knowing anything about the contents. The negotiation of the TLS connection happens over this pipe, and the subsequent flow of requests and responses are completely opaque to the proxy.
It cannot modify or see what is being transferred as it is protected by TLS encryption.
The only way to modify HTTPS conenctions on the fly is if you install some external CA certificates on your computer. This is known as MITM Attack.
On the doc Specifying WebSocket authentication details, it did not mention how are passwords being sent from client's authenticate() JS func to server's onWSAuthenticate. Are they being sent through a secure channel? or in plain text?
Side question: what tool / browser / browser's plugin can one use to sniff through websocket's traffic?
Thank you.
username/password sent through authenticate() function is in clear-text. You can actually see that in cfwebsocket.js (its minified so search for authenticate). On server if the call is for authentication, it would invoke onWSAuthenticate() in application.cfc passing whatever username or password given to the function. So the logic of encryption/decryption/validation lies with the developer.
Any TCP monitor can be used for sniffing websocket's traffic like wireshark , TCPMon etc
Mostly just answering to further my own understanding of how this works. From the websocket.org site:
The tunnel is established by issuing an HTTP CONNECT statement to the proxy server, which requests for the proxy server to open a TCP/IP connection to a specific host and port. Once the tunnel is set up, communication can flow unimpeded through the proxy. Since HTTP/S works in a similar fashion, secure WebSockets over SSL can leverage the same HTTP CONNECT technique.
So, if this is what you're asking, it appears that just like with http/https, it's up to the developer to implement SSL encryption, which makes sense.
Sagar Ganatra also has a blog entry on the basics of Websocket Authentication with CF.
I have a web-server written in CPP. I want to determine the server-type of the request. i.e whether the request came from http or https URL ?
If you have your own web-server written in c++ you already know whether it came over http or https as they come through different ports and require different handling.
Which port you're listening to?
By default HTTPS URLs begin with "https://" and use port 443 by default, where HTTP URLs begin with "http://" and use port 80 by default.
There are other questions like how you're managing certificates to serve secure connections?
This article might be helpful - http://java.sun.com/developer/technicalArticles/Security/secureinternet/