Date: Fri, 7 Dec 2018 20:51:00 -0600 (CST)
From: eunosm3
To: user@guacamole.apache.org
Subject: HTTPS or Not? How Does Your Browser ID a Secure Connection

tl;dr : Your browser's address bar may give you the wrong idea about whether you've connected with HTTP or HTTPS. Take 5 seconds to check why you don't have a secure connection before you hack away on config files.

If your Guacamole deployment doesn't seem to connect securely even if you're sure you've set everything up correctly, you may not have a problem at all. Browsers indicate the security level of your connection to a site in different ways.

As of Dec 2018, for instance, Chromium / Chrome visually distinguishes between an unsecured HTTP site, an HTTPS site with a certificate signed by a Certificate Authority and an HTTPS site using a self-signed certificate. An HTTP site will have the words 'Not secure' to the left of the website address, while an HTTPS site with a CA-signed certificate will have a green padlock symbol. An HTTPS site using a self-signed certificate, however, will have a red triangle w/ an exclamation mark to the left of the address with the 'https' portion of the address in red and struck through.

Opera, in contrast, only visually distinguishes between a CA-signed HTTPS site and other types of sites. The first type of site will show a green padlock like Chromium / Chrome, but all others will simply have the words 'Not secure' to the left of the address bar. Opera does show a pop-up to warn you about the self-signed certificate when you first visit it. However, the browser silently ignores the self-signed certificate on subsequent visits to the site if you 'Continue Anyway'. In addition, Opera does not display the 'http://' or 'https://' portion of a website's address.

These behaviors matter if a) you use Opera or a browser that behaves like Opera; and, b) you make an exception for your Guacamole website, that is, you 'Continue Anyway', during development and then forget you did so at some later point, as I did.

I wasted several hours of my life trying to figure out why my properly-configured Guacamole setup did not provide the expected HTTPS connection. In reality, I *did* have an HTTPS connection, but Opera only displayed 'Not secure'. Eventually, I tried connecting with Chromium, which is when I noticed the differences described above.

Both browsers will provide more information if you click on the area to the left of the address bar. In both cases, the browsers told me that my Guac site wasn't trusted because of the self-signed certificate, but only Chromium provided a visual clue.
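
A browser-independent way to make the check described above, as an added example that is not part of the original post: this Python sketch separates the three cases the post says Chromium distinguishes (trusted HTTPS, HTTPS with an untrusted certificate such as a self-signed one, and no TLS at all). The function name `probe_https`, the state labels and the hostname in the usage comment are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0):
    """Classify host:port as 'https-trusted', 'https-untrusted' or 'no-tls'.

    Raises OSError if the port cannot be reached at all.
    """
    strict = ssl.create_default_context()   # system CA store + hostname check
    lax = ssl.create_default_context()      # encryption only, no trust decision
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE

    result = {"state": "no-tls", "protocol": None, "cipher": None,
              "verify_error": None}
    for ctx in (strict, lax):
        raw = socket.create_connection((host, port), timeout=timeout)
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["state"] = ("https-trusted" if ctx is strict
                                   else "https-untrusted")
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                return result
        except ssl.SSLCertVerificationError as exc:
            # TLS is spoken, but the certificate is not trusted (for example
            # self-signed). Remember why, then retry without verification.
            result["verify_error"] = exc.verify_message
        except (ssl.SSLError, OSError):
            # The peer did not complete a TLS handshake: plain HTTP or not TLS.
            return result
        finally:
            raw.close()
    return result


if __name__ == "__main__":
    # Usage: python probe_https.py guac.example.internal 8443
    # (the hostname is a placeholder, not a value from the post)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_https(target, target_port))
```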