guacamole-user mailing list archives

From: eunosm3
Subject: HTTPS or Not? How Does Your Browser ID a Secure Connection
Date: Sat, 08 Dec 2018 02:51:00 GMT

tl;dr : Your browser's address bar may give you the wrong idea about whether
you've connected with HTTP or HTTPS.  Take 5 seconds to check why you don't
have a secure connection before you hack away on config files.

If your Guacamole deployment doesn't seem to connect securely even if you're
sure you've set everything up correctly, you may not have a problem at all. 
Browsers indicate the security level of your connection to a site in
different ways.  As of Dec 2018, for instance, Chromium / Chrome visually
distinguishes between an unsecured HTTP site, an HTTPS site with a
certificate signed by a Certificate Authority and an HTTPS site using a
self-signed certificate.  An HTTP site will have the words 'Not secure' to
the left of the website address, while an HTTPS site with a CA-signed
certificate will have a green padlock symbol.  An HTTPS site using a
self-signed certificate, however, will have a red triangle w/ an exclamation
mark to the left of the address with the 'https' portion of the address in
red and struck through.  

Opera, in contrast, only visually distinguishes between a CA-signed HTTPS
site and other types of sites.  The first type of site will show a green
padlock like Chromium / Chrome, but all others will simply have the words
'Not secure' to the left of the address bar.  Opera does show a pop-up to
warn you about the self-signed certificate when you first visit it. 
However, the browser silently ignores the self-signed certificate on
subsequent visits to the site if you 'Continue Anyway'.  In addition, Opera
does not display the 'http://' or 'https://' portion of a website's address.  

These behaviors matter if a) you use Opera or a browser that behaves like
Opera; and, b) you make an exception for your Guacamole website, that is,
you 'Continue Anyway', during development and then forget you did so at some
later point, as I did.  I wasted several hours of my life trying to figure
out why my properly-configured Guacamole setup did not provide the expected
HTTPS connection.  In reality, I *did* have an HTTPS connection, but Opera
only displayed 'Not secure'.  Eventually, I tried connecting with Chromium,
which is when I noticed the differences described above. 

Both browsers will provide more information if you click on the area to the
left of the address bar.  In both cases, the browsers told me that my Guac
site wasn't trusted because of the self-signed certificate, but only
Chromium provided a visual clue.

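
A browser-independent way to tell the cases in the message above apart, added here as an example and not part of the original post: it attempts a verified TLS handshake with Python's standard `ssl` module and reports whether the port speaks TLS with a trusted certificate, TLS with a self-signed one, or no TLS at all. The verdict names are this example's own, and trust is judged against the system trust store, which can differ from a browser's.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes (x509_vfy.h) that mean "self-signed".
SELF_SIGNED_CODES = {18, 19}  # self-signed leaf / self-signed cert in chain


def classify(exc):
    """Turn the outcome of a *verified* TLS handshake into (verdict, detail)."""
    if exc is None:
        return ("https-trusted", "certificate chains to a trusted CA and matches the host")
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        detail = getattr(exc, "verify_message", "") or str(exc)
        if code in SELF_SIGNED_CODES:
            # TLS is in use; only the trust decision failed.
            return ("https-self-signed", detail)
        return ("https-untrusted", detail)  # expired, wrong host, unknown CA, ...
    if isinstance(exc, ssl.SSLError):
        # The handshake itself failed: typically a plain-HTTP port or protocol mismatch.
        return ("no-tls", str(exc))
    return ("no-connection", str(exc))  # refused, timed out, DNS failure


def probe(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake against host:port and classify the result."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(None)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py HOST [PORT]")
    target = sys.argv[1]  # e.g. the host serving Guacamole
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict, detail = probe(target, target_port)
    print(f"{target}:{target_port} -> {verdict} ({detail})")
```

A result of `https-self-signed` corresponds to the situation described in the message: the connection is encrypted, but the certificate is not trusted.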