Question

I'm currently developing a website that requires direct access to the client computer. Therefore I decided to split this project into these three main parts.

There are some requirements that have to apply:

  • The Website has to use SSL everywhere because sensitive user data is exchanged with the API
  • The connection between the website and the client application has to be over localhost because a lot of data is exchanged that shouldn't be handled by an external server

Currently I'm using websockets to provide the connection between the website and the client application. This results in the problem that the websocket connection has to be SSL secured too because an unsecured connection is rejected.

Therefore I'm installing a self-signed localhost cert on the client machine to be able to connect between the website and the client application. This is really dirty and not a preferable solution. Now I'm searching for a new solution for this problem.

Sadly I cannot start a websocket server out of Angular. This would resolve the problem with the certificate. I'm curious how Battlelog is doing this. According to this answer the plugin is using a Windows named pipe. This sounds interesting but I'm unsure whether I could use them in this scenario.

Is there a possibility to solve this problem?

Solution 2

Finally I've found a solution.

Strangely, it is possible to route a subdomain to 127.0.0.1. Getting a trusted cert for this subdomain is possible and therefore the connection is trusted.

Other tips

Odds are, Battlelog is still using a certificate. It's just signed by a third-party certificate authority, instead of self-signed. The best solution is probably to get your certificate signed by a trusted certificate authority.

Your client application has to be sure that it's connected to the right server, instead of an impostor. In order to do that, you'll probably just need to have a certificate, even if it's self-signed.

I'm not positive, but since you're the one making the client-side application, you might be able to bundle your certificate's hash with your application, and check that against the server when you run it.

Licensed under: CC-BY-SA with attribution