ASP.net Core Middleware


DEllner

Member
Aug 24, 2019
7
0
Not sure why the GRC client takes over from the browser plugin; that's a question for @Jaap and @Steve to explain (although not best practice, you can turn off the gray overlay thing in GRC's client and use the browser one instead, or cancel the GRC client).

You will always get the screen you attached with GRC's client, as it's a warning @Steve wanted to add in for users to make them careful.

I look forward to finding out about your project's integration; please do keep me posted, and I'm happy to assist with any help.
I can see the browser plugin responding in the background under the GRC client. Neither one is aware of the other, so this is working as it should. What concerns me though is the lack of consistency between clients.

I don't think I should be getting the "NO Identity Spoof Protection" warning. I don't get it when logging into this forum. I started using the https://github.com/mikevh/sqrl project as a base for my website. This project seems to work for basic authentication, but lacks the other features and hasn't been updated in several months. I don't get the warning for my website.

My main skill set is SQL Server Administration. I used to do some old-school ASP then web forms in ASP.NET so I picked up a gig between jobs to create an MVC website so I'm still pretty green with this MVC middleware thing. I'll help out where I can.
 

DEllner

Member
Aug 24, 2019
7
0
0.8.1 has now been published to the NuGet package repository; this should be a small fix for the content type issue @DEllner highlighted yesterday.
You must have updated your website w/ the new build. The iOS client now works using the QR code and using the Chrome browser for iOS.

The GRC client still doesn't take over using the Chrome browser, and I still get the warning from the GRC client when using Edge.
 
I don't think I should be getting the "NO Identity Spoof Protection" warning. I don't get it when logging into this forum.
Interesting, I do get the warning everywhere with GRC's client.

The project you highlighted is very basic and I assumed to be dead, and the nuts in my opinion are not correct: although crypto-safe random, they could duplicate; my implementation tries to reduce that by using the date/time to a high frequency. Also I created SqrlForNet as I wanted a NuGet package so I can use it over and over.

I'm not sure why you don't get it for your own sites. I would be interested to see some network logs, or for SqrlForNet there is a nice ?diag page you can go to, which will wipe every time the server restarts. Also in the GRC client there are some options (see second image); what are yours set to for the identity you're using?
 

Attachments: GRC No spoof.PNG, SQRL GRC Client options.PNG
You must have updated your website w/ the new build. The iOS client now works using the QR code and using the Chrome browser for iOS.

The GRC client still doesn't take over using the Chrome browser, and I still get the warning from the GRC client when using Edge.
Yeah, as soon as the package is live my website gets patched, which is about a 5 minute cycle time.
The forum admin must have only approved your message at the same time as my last, so I'll let you respond to that, but glad the iOS client works now.
 

Jaap

Member
May 20, 2018
13
2
Not sure why the GRC client takes over from the browser plugin; that's a question for @Jaap and @Steve to explain
The WebExtension only stops the native "link following" when you click on a sqrl:// link (with evt.preventDefault()), it does not attempt to stop any other javascript event handlers from working.
So if your javascript has an onclick handler attached to the anchor it will run before the WebExtensions' onclick handler or after it.
 

DEllner

Member
Aug 24, 2019
7
0
Hey @Jaap, did you see earlier in the conversation that the Chrome web extension doesn't have the same spoof warning as the GRC client? Is this a bug?
 

Jaap

Member
May 20, 2018
13
2
Wait... would you expect a spoof warning?
If so, on what grounds?
How can I reproduce that case?
 

Jaap

Member
May 20, 2018
13
2
@TechLiam on what grounds should my client trigger a spoof warning for your site?
My requests to https://www.liamraper.me.uk/login-sqrl?nut=XXXX return a tif=00000005, which I interpret as tif=5, which is 1 + 4, ID_MATCH + IP_MATCH.
That was my thinking as well: as the ID is a new one I say it matches, as I allow creation of users, and your IP will match as you're on the same public network. The GRC client seems to not send CSP in opts unless you do the .gif image request to it, whereas if I remember from my testing of the Firefox plugin (I haven't been able to do Chrome yet) you send it anyway, as you know you're on the browser so it has to be the same device, or that's why I assumed you did that.
 
Well that is very interesting, so to summarise on my end what I have figured out:

To stop the spoof warning in the GRC client you have to make the http://localhost:25519/*.gif query (which I knew already, I just was having issues with CORS: https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/). After the help @Jaap gave me on the thread https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/ I am now using the following code
JavaScript:
// `anchor` is the clicked <a> element whose sqrl-href attribute holds the
// base64url login URL (the snippet as first posted referred to it as `e`
// without defining it). Note: later in this thread the author finds the
// client answers the .gif request on http://localhost:25519 and that the
// https variant times out.
function startGifProbe(anchor) {
    var gifProbe = new Image();
    gifProbe.onload = function() {
        // the client answered the probe, so hand it the login URL
        document.location.href = "https://localhost:25519/" + anchor.getAttribute("sqrl-href");
    };
    gifProbe.onerror = function() {
        // retry every 250 ms with a fresh cache-busting name until the client responds
        setTimeout(function() { gifProbe.src = "https://localhost:25519/" + Date.now() + '.gif'; }, 250);
    };
    gifProbe.onerror();
}

When you click the login link in Firefox/IE/Edge it will not show the spoof message.
When you click the login link in Chrome it will show the spoof message; this is due to Chrome blocking the image request (see attached GRC spoof failing.png).

As can be seen in the Firefox screenshot, the image request is successful and when I enter my password it logs me in without a spoof warning, whereas Chrome is showing the warning screen.

I have tried http/https and sqrl for the schemes for the image request, but all fail in the same way. I have updated the custom login page example in the repo here https://github.com/TechLiam/SQRL-For-Dot-Net-Standard/tree/master/Examples/CustomLoginPage with this change, as it's working in most of the browsers.

It was interesting that Chrome was failing on the GRC diagnostics page.

The screenshots are of the GRC site, as that was the best way for me to ensure we all have a clean testing bed for working this issue out, but the example site in the middleware's repo also has the same result.

I have also updated my personal website to use the gif query as well, which works well for my Firefox/IE/Edge as far as login goes.
 

Attachments: Firefox success.PNG, GRC spoof failing.PNG
Having looked into this some more, it seems my Chrome browser might be doing some HSTS stuff, so forcing the .gif request to be over HTTPS, which the GRC client is not going to respond to (rightly, as it's not a secure connection; there would be no cert).

In Postman I can make the request to http://localhost:25519/*.gif and get 200 OK back, but for https://localhost:25519/*.gif I get a long, long wait, which results in a timeout in a browser.
 
Ok, I'm happy to call it a local issue unless anyone else reports issues with this, but it's probably to do with my corporate-controlled Chrome, as I just started an Azure VM that I have and installed Chrome and GRC's SQRL client, and looking in developer tools for that it is successful in the image request for my personal site, so it works as @DEllner highlighted it should.

I would not have noticed this, as my testing in Chrome was always showing the spoof message; it just shows testing every browser is not everything you should do. I will be doing more testing on that VM from now on.
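As an added example (not code from this thread, from SqrlForNet or from the GRC client), the two mechanics the thread turns on, written so they can run outside a browser: decoding the tif value Jaap quoted (tif=00000005 being ID_MATCH + IP_MATCH; the other bit names come from the SQRL specification), and the localhost:25519 .gif probe that the GRC client needs before it treats the login as same-device. The probe is fixed to plain http, following the Postman finding above that the client never answers https on that port; the injected `win` object and the `sqrl-href` attribute name are assumptions for testability.

```javascript
// SQRL "tif" (Transaction Information Flags) bits. ID_MATCH and IP_MATCH are
// the two bits discussed in the thread; the rest are from the SQRL spec.
const TIF = {
  ID_MATCH: 0x01,
  PREVIOUS_ID_MATCH: 0x02,
  IP_MATCH: 0x04,
  SQRL_DISABLED: 0x08,
  FUNCTION_NOT_SUPPORTED: 0x10,
  TRANSIENT_ERROR: 0x20,
  COMMAND_FAILED: 0x40,
  CLIENT_FAILURE: 0x80,
  BAD_ID_ASSOCIATION: 0x100,
  IDENTITY_SUPERSEDED: 0x200,
};

// Decode a server "tif=" hex string (e.g. "00000005") into its numeric value
// and the names of the bits that are set.
function parseTif(hex) {
  if (!/^[0-9a-fA-F]{1,8}$/.test(hex)) throw new Error("bad tif: " + hex);
  const value = parseInt(hex, 16);
  const flags = Object.keys(TIF).filter((name) => (value & TIF[name]) !== 0);
  return { value, flags };
}

// The GRC client only listens on plain http; an https probe just hangs.
const CLIENT_BASE = "http://localhost:25519/";
const probeUrl = (stamp) => CLIENT_BASE + stamp + ".gif"; // cache-busting name
const launchUrl = (sqrlHref) => CLIENT_BASE + sqrlHref;   // base64url login URL

// Wire the probe to an anchor carrying the base64url login URL in its
// (assumed) sqrl-href attribute. `win` stands in for window so the same flow
// can be exercised with a fake Image/setTimeout/location.
function startProbe(anchor, win) {
  const img = new win.Image();
  img.onload = () => {
    // probe answered: the client is on this machine, hand it the login URL
    win.location.href = launchUrl(anchor.getAttribute("sqrl-href"));
  };
  img.onerror = () => {
    // no answer yet: retry every 250 ms with a fresh name
    win.setTimeout(() => { img.src = probeUrl(Date.now()); }, 250);
  };
  img.onerror(); // first attempt
  return img;
}
```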
 