Need to inject script onto third-party website-- best tool?



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    You can do this in Internet Explorer by clicking the lock icon,

    You've already lost me, IE11 has no lock icon when I visit Localhost. (Presumably it's saying it's not rejecting the website but since it's a self-signed cert it's also not deserving of a padlock? Just guessing.)

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    If you want to generate a new self-signed certificate and trust it,

    I'll see if this set of steps works.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    Open mmc, add Certificates snap-in to manage certificates for Computer account, Local computer.

    Or just open certmgr directly and bypass MMC. (Gasp! Blakeyrat knows computar mechines!?)


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    Or just open certmgr directly and bypass MMC. (Gasp! Blakeyrat knows computar mechines!?)

    Then you'll be in your user stores and not the computer stores (gasp, I do too), and I'm pretty sure you can't switch it. You need to select Computer account before the snap-in is added (your root should be Certificates - Local Computer vs. Certificates - Current User).


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    You can do this in Internet Explorer by clicking the lock icon,

    You've already lost me, IE11 has no lock icon when I visit Localhost. (Presumably it's saying it's not rejecting the website but since it's a self-signed cert it's also not deserving of a padlock? Just guessing.)

    Self-signed certificates do get a padlock if they're trusted (that's what my test above showed) but if you bypassed a warning you may not get one; I dunno. You can also copy (Ctrl+drag) the certificate from Personal > Certificates into Trusted Root Certification Authorities > Certificates once you open the computer stores in mmc. That may be the easiest thing for you to do-- just trust the certificate IIS already generated.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    Then you'll be in your user stores and not the computer stores (gasp, I do too), and I'm pretty sure you can't switch it.

    ... why is that important? I don't need this to work for users other than myself, and it seems like making it specific to my user is slightly more secure than for the entire computer. Unless there's some technical reason you need to do that.

    I exported it and imported it into IIS, but Edge still says the certificate's domain name doesn't match the address bar's, even though both are localhost. And localhost still has no lock icon.

    I swear the nerds who invented SSL went out of their way to make it as difficult and annoying as possible. God forbid a non-PhD wants his browser to trust his own computer!


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    ... why is that important? I don't need this to work for users other than myself, and it seems like making it specific to my user is slightly more secure than for the entire computer. Unless there's some technical reason you need to do that.

    It's important if you're generating a certificate request because you're describing a different type of entity. If you're in your own user stores, Personal > Certificates contains identity certificates, encryption certificates, e-mail signing certificates, PIV certificates, etc. If you're in the computer stores, Personal > Certificates contains the certificates used for server authentication, client authentication, etc.

    These things may not be intuitive at first glance but there is reason behind them. It's hard to find that reason if you're automatically hostile towards something that doesn't match your intuition. Just saying.

    I exported it and imported it into IIS, but Edge still says the certificate's domain name doesn't match the address bar's, even though both are localhost. And localhost still has no lock icon.

    That doesn't make a lot of sense to me. Might want to bounce IIS in case it's using the old certificate? If that's not the case, I would check Network in F12 Developer Tools to see if perhaps there's some code that's trying to load from a fully-qualified domain name or something. I just tested with an Apache "It works!" page but more complex applications require more complex configurations. You may have to add subject alternative DNS names to your certificate for all the host names that may be used in requests (luckily, that's about 1000x easier through certmgr.msc than through OpenSSL, which is why that's how I generate certificate requests).

    I swear the nerds who invented SSL went out of their way to make it as difficult and annoying as possible. God forbid a non-PhD wants his browser to trust his own computer!

    Mmm. Not sure I agree but I sympathize.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    These things may not be intuitive at first glance but there is reason behind them. It's hard to find that reason if you're automatically hostile towards something that doesn't match your intuition. Just saying.

    I'm automatically (and justifiably) hostile towards all software that gives me a shitty user experience. This is a shitty user experience. This software is bad, it makes me feel bad when I have to use it, and the people who designed it should feel bad about their creation. Fortunately I'm used to it by now.

    I'm sure there's "a reason" behind all of this, that doesn't make it intuitive or discoverable.

    Anyway I deleted the old cert and started over in the Local Computer store and still no worky. I restarted IIS and Edge, Edge still shows me "the certificate's domain doesn't match the site's domain" or that but worded worse.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    That doesn't make a lot of sense to me.

    You and me both.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    If that's not the case, I would check Network in F12 Developer Tools to see if perhaps there's some code that's trying to load from a fully-qualified domain name or something.

    It's a test page I created that only has one external resource, an image in the same directory. So that's not it.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    I just tested with an Apache "It works!" page but more complex applications require more complex configurations.

    This is the opposite of a complex application.

    [screenshot: 0_1498582510329_Untitled.png]

    So I'm stumped.


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    This is the opposite of a complex application.

    Understood.

    So I'm stumped.

    What does the drop-down say when you click "Not secure" in the address bar of Chrome?

    (Also, I'm trying to think of how to take this diagnosis process out-of-band so as to not generate too much noise in the forums, but I don't have access to many other systems at work.)



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    What does the drop-down say when you click "Not secure" in the address bar of Chrome?

    Chrome's a bad example because I haven't restarted it since starting these cert shenanigans.

    Here's the error given by Edge in its entirety:

    This site is not secure

    This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

    Go to your Start page
    Details

    Your PC doesn’t trust this website’s security certificate.
    The hostname in the website’s security certificate differs from the website you are trying to visit.
    Error Code: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID
    Go on to the webpage (Not recommended)

    Internet Explorer shows a mostly identical error:

    This site is not secure

    This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

    Close this tab (recommended)
    More information

    Your PC doesn’t trust this website’s security certificate.
    The hostname in the website’s security certificate differs from the website you are trying to visit.
    Error Code: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID
    Go on to the webpage (not recommended)

    They both say "invalid Certificate Authority" and "CN Invalid".


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    They both say "invalid Certificate Authority" and "CN Invalid".

    I just looked it up and there's apparently no way to view the server certificate in Edge. What in the fucking fu--?!

    In IE, if you bypass the warning, do you not see a lock icon in the address bar? It's important to see what certificate the server's actually sending vs. what certificate you generated/selected in inetmgr. I'd show you how to get that information using openssl s_client... but suspect that wouldn't go over so well. ;)

    I think we should try to get rid of the errors one at a time, starting with the invalid CN, since that's the easiest.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    In IE, if you bypass the warning, do you not see a lock icon in the address bar? It's important to see what certificate the server's actually sending vs. what certificate you generated/selected in inetmgr.

    Oh that's weird.

    It pretty much needs to be entirely obfuscated here, but it's basically:

    MyName.CompanyCity.Company.com

    So the problem's in IIS somewhere... I'll dig in.



  • @blakeyrat Oop, I'm a derp.

    Added the cert to IIS but forgot to bind it to the website. (Or, rather, assumed IIS would do that automatically since the old cert was deleted and only one was available. But I guess it'd be a security feature not to.)

    It's working in the MS browsers now. Let me close this forum and restart Chrome to ensure it works there.



  • Still a no-go on Chrome, and I can't figure out how to get Chrome to tell me what (it thinks) the certificate looks like. Hm. The fact that the MS browsers work, and Chrome also pulls from the OS cert store, might just mean I'm a victim of caching. Even though I did close Chrome entirely and restart it...

    BTW, thanks for your help on this, I 100% understand that I have very little patience with crappy software. Unfortunately, the only career I'm actually good at requires using crappy software pretty much 9-5, Monday to Friday. I'd be so much happier hauling garbage.

    Chrome's console says:

    This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.

    Not very helpful guyz.


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    MyName.CompanyCity.Company.com

    Ah. IIS generates a certificate for your fully-qualified domain name by default and doesn't include localhost as an acceptable subject alternative name because that would be bad for production. On the other hand, if the name it has on the certificate is a valid DNS name and you can access IIS using that name instead of localhost, that'll take care of the invalid CN and copying the certificate from Personal > Certificates to Trusted Root Certification Authorities > Certificates in the computer stores should take care of the invalid issuer.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    Ah. IIS generates a certificate for your fully-qualified domain name by default and doesn't include localhost as an acceptable subject alternative name because that would be bad for production.

    Yeah, this is what you get if your site has a certificate, then you remove that certificate from IIS. It serves up this one instead. Weirdly, if you tell IIS to list the certificates it knows about, this one doesn't show up. Because that might, you know, not be confusing as fuck and we can't have that.

    I wonder if Chrome is barfing because I still have the "don't check security on localhost" setting turned on... that would be weird, but who knows.

    EDIT: Nope, but at least it gives me an error message now:

    NET::ERR_CERT_COMMON_NAME_INVALID


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    Weirdly, if you tell IIS to list the certificates it knows about, this one doesn't show up. Because that might, you know, not be confusing as fuck and we can't have that.

    It might not show up because I simplified the instructions and omitted the key usage and extended key usage extensions so the resultant certificate would be trusted for all application and issuance policies. It's possible it wants a strict TLS server-only certificate. You could try generating the certificate again with key usage digital signature, key encipherment and extended key usage Server Authentication, or you could try using the certificate it's giving to you and just copying it to the Trusted Root Certification Authorities store so it's trusted.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    It might not show up because I simplified the instructions and omitted the key usage and extended key usage extensions so the resultant certificate would be trusted for all application and issuance policies.

    ?

    I'm talking about IIS now. The IIS "Server Certificates" configuration page doesn't show the cert named after my company domain account, even though it was serving up that cert on a website. I was just saying that's very extremely confusing on IIS' part (in keeping with the theme of everything SSL related being as horrible and painful as humanly possible).

    Anyway:

    It looks like Chrome was recently (~ 2 versions ago) updated to not match domains against the CN field anymore. Instead it matches against the "Subject Alternative Name" field. Naturally, they didn't update the error message (in keeping with the theme of everything SSL related being as horrible and painful as humanly possible), so it's confusing the bejeesus out of everybody.


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    I'm talking about IIS now. The IIS "Server Certificates" configuration page doesn't show the cert named after my company domain account, even though it was serving up that cert on a website. I was just saying that's very extremely confusing on IIS' part (in keeping with the theme of everything SSL related being as horrible and painful as humanly possible).

    Oh, that's strange. Does it show the localhost option? And even though the localhost option is selected, it's serving the other certificate? That's bizarre. And unfortunately out of my realm of experience.

    It looks like Chrome was recently (~ 2 versions ago) updated to not match domains against the CN field anymore. Instead it matches against the "Subject Alternative Name" field. Naturally, they didn't update the error message (in keeping with the theme of everything SSL related being as horrible and painful as humanly possible), so it's confusing the bejeesus out of everybody.

    Hmmm. So, the relevant spec says that the common name should be checked first, but if the subject alternative name extension is present, it should take precedence over the common name. I didn't add a subject alternative name extension to my localhost certificate and Chrome matched the common name correctly... though it's always possible that it's an older version.

    I feel like you're chasing red herrings a little here, though, to be honest. You're trying to use the cert issued for the FQDN while making requests using https://localhost/, and that will never work. The cert IIS is using needs to be changed, or your requests need to change; either or.



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    Oh, that's strange. Does it show the localhost option?

    It did, but the localhost certificate that IIS had stored wasn't being served by the site.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    And even though the localhost option is selected, it's serving the other certificate?

    No; I deleted the old IIS self-signed cert and installed this new one we created an hour ago. I naively wasn't thinking and figured since IIS had only one cert listed it'd serve it to SSL-enabled sites by default.

    What IIS did instead is remove (according to its UI) all certificates on the site, so the site was saying "serve to port 443, the security certificate to use is <none selected>"

    Despite that, it was serving up a secret hidden security cert that shows up nowhere in the IIS UI, AFAICT.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    That's bizarre.

    No shit.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    Hmmm. So, the relevant spec says that the common name should be checked first, but if the subject alternative name extension is present, it should take precedence over the common name.

    Right; I looked up the bug in Chrome where they made this change and there were a couple people saying "uh guyz? This puts you in violation of the RFC, you know that right?" (IIRC RFC 2818.)

    The Chrome devs were like, "we don't care! Fuck you and all you! Also we're not going to change the error message because we don't give a shit about developers encountering this error either!" then they revved their Harleys and raced away while flipping the bird. I imagine.

    @heterodox said in Need to inject script onto third-party website-- best tool?:

    You're trying to use the cert issued for the FQDN while making requests using https://localhost/, and that will never work.

    Dude, I don't even know what a "FQDN" is.

    AFAIK, the only problem now is: I set up the cert exactly as you described, IE and Edge work fine, but Chrome is bitching because when we set it up we didn't specify a "Subject Alternative Name" whatever that is. Chrome's technically in the wrong, but that doesn't help me get rid of the lock icon.

    Meanwhile, Firefox lets me bypass all of this bullshit once and for all by just clicking "allow" and "add exception" no matter how the self signed cert was made, and honestly it's quickly becoming my favorite browser. Even though it's also technically in the wrong for not using the OS' cert store.
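The hostname-matching rule argued over in the posts above (a subjectAltName takes precedence; the Common Name is only a fallback when the certificate has no SAN at all; current Chrome skips that CN fallback altogether, which is RFC 2818 section 3.1 minus the legacy fallback) is easier to see in code. The following is an added example written for this page, not code from the forum thread, IIS or Chrome. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates are constructed by hand (the `MyName.CompanyCity.Company.com` name is the obfuscated name from the thread), and the `strict` flag is this example's own name for "never consult the CN".

```python
"""Hostname matching against a server certificate's SAN / CN entries.

Added example, not from the forum thread. Implements the precedence rule
from RFC 2818 / RFC 6125: if the certificate carries subjectAltName
dNSName entries, only those are consulted and the Common Name is ignored;
a certificate with no SAN falls back to the CN. strict=True models the
Chrome behaviour described in the thread, where the CN is never consulted.
Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, at most one wildcard,
    the wildcard must be the entire left-most label, it never matches
    across a dot, and it is not accepted on a two-label name (*.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False  # partial-label wildcards such as w*.example.com are rejected
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple:
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def hostname_matches(cert: dict, hostname: str, strict: bool = False) -> tuple:
    """Decide whether hostname is a valid identity for cert.
    Returns (ok, reason). strict=True disables the CN fallback."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are only ever matched against iPAddress SAN entries
        ips = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "IP Address"]
        ok = any(ipaddress.ip_address(v) == ip for v in ips)
        return ok, "matched iPAddress SAN" if ok else "no iPAddress SAN for this literal"
    san, cns = cert_names(cert)
    if san:
        for name in san:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "SAN present but no dNSName matches (CN is ignored when a SAN exists)"
    if strict:
        return False, "no SAN dNSName and CN fallback disabled (Chrome behaviour)"
    for cn in cns:
        if dns_name_matches(cn, hostname):
            return True, f"matched CN {cn!r} (legacy fallback, no SAN present)"
    return False, "no SAN and CN does not match"


# Constructed sample certificates (getpeercert() shape, not real certificates).
IIS_DEFAULT_CERT = {  # the FQDN certificate IIS served when nothing was bound
    "subject": ((("commonName", "MyName.CompanyCity.Company.com"),),),
}
LOCALHOST_CN_ONLY = {  # the hand-made certificate: CN=localhost, no SAN
    "subject": ((("commonName", "localhost"),),),
}
LOCALHOST_WITH_SAN = {  # regenerated with a subjectAltName
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),
                       ("DNS", "MyName.CompanyCity.Company.com"),
                       ("IP Address", "127.0.0.1")),
}
SAN_MISMATCH_CERT = {  # CN matches, but the SAN is what counts
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

if __name__ == "__main__":
    cases = [
        ("IE/Edge, CN-only cert", LOCALHOST_CN_ONLY, "localhost", False),
        ("Chrome, CN-only cert", LOCALHOST_CN_ONLY, "localhost", True),
        ("Chrome, cert with SAN", LOCALHOST_WITH_SAN, "localhost", True),
        ("any browser, FQDN cert via localhost", IIS_DEFAULT_CERT, "localhost", False),
        ("any browser, CN ok but SAN wrong", SAN_MISMATCH_CERT, "localhost", False),
    ]
    for label, cert, host, strict in cases:
        ok, why = hostname_matches(cert, host, strict=strict)
        print(f"{label:40s} {'OK ' if ok else 'FAIL'}  {why}")
```

Running it prints why the CN-only `localhost` certificate passes in IE and Edge but fails in Chrome, why the FQDN certificate fails for `https://localhost/` in every browser, and why a certificate that carries a SAN fails even when its CN matches. To confirm which certificate IIS is really serving, as heterodox suggests, `openssl s_client -connect localhost:443` prints the served chain; this example does not fetch certificates itself.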


  • FoxDev

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    Dude, I don't even know what a "FQDN" is.

    Fully-qualified domain name



  • @raceprouk said in Need to inject script onto third-party website-- best tool?:

    Fully-qualified domain name

    Oh. Well then I do know exactly what it is, I've just never heard anybody call it a "FQDN" before.


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    IE and Edge work fine

    Oh. When did that happen?

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    I set up the cert exactly as you described, IE and Edge work fine, but Chrome is bitching because when we set it up we didn't specify a "Subject Alternative Name" whatever that is.

    I can walk you through that (it's on the Subject tab, under the full DN name you added), but I wouldn't blame you if after beating IIS into serving the right cert you just wanted to leave it alone.



  • [screenshot: 0_1498586750500_Untitled.png]

    I have defeated Chrome. Look upon my green padlock and bow, mortals!



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    Oh. When did that happen?

    I told you when it did, you've been skimming.

    Anyway now I have it working in all 4 browsers installed on this computer, at least until a year passes and the cert expires or until I get this laptop replaced because it has flaky wifi. EDIT: and I just got an email that the replacement might be ready Friday, so goddamn it I'm going to have to do all this shit again in less than a week. I hate computers.


  • :belt_onion:

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    It's working in the MS browsers now.

    Ah, yes, I didn't see this series of posts at all; it was either jellypotatoed or I missed it since I'm on a conference call and doing training all at the same time. Either or. :)

    @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    BTW, thanks for your help on this, I 100% understand that I have very little patience with crappy software. Unfortunately, the only career I'm actually good at requires using crappy software pretty much 9-5, Monday to Friday. I'd be so much happier hauling garbage.

    Not a problem. This is my subject matter expertise, but I recognize it's not easy for everyone, and I likewise sometimes think about just shutting everything down and moving to Alaska and raising alpacas or something.

    EDIT: and I just got an email that the replacement might be ready Friday, so goddamn it I'm going to have to do all this shit again in less than a week. I hate computers.

    Eh, maybe not all of it. You could export the certificate to a PKCS12 file and import it into the new computer. Or it might be easier to generate a new one. 🤷



  • @heterodox said in Need to inject script onto third-party website-- best tool?:

    but I recognize it's not easy for everyone,

    You have not achieved enlightenment until you realize it's not easy for anyone.





  • @blakeyrat said in Need to inject script onto third-party website-- best tool?:

    Ugh. This guy can't type and I'm trusting him to write development tools for me. Seriously.

    I've fixed that typo which was there since 2013. :-O So it's safe to try Tampermonkey now. ;)



  • Hilarious.

    But you seem to have missed my point: I want to use software written by people who demonstrate attention-to-detail, so I can get at least some impression that it's been even slightly tested. (Which, here in 2017, virtually no software is tested by anybody ever.) If I see the tip of an iceberg, and it looks like whale piss, I'm not going to trust that the 2/3rds of the iceberg underwater is clear and pure.

    By the way, Chrome's fucking up your mouse position of your addon's menu. It works ok in every other browser, so it has to be a Chrome bug.

