How to use a secure WebSocket-Connection for a local client

Question

I need informations about security risks and proof of concepts to work with an local client.

In my option, a user will install two components:

1. The game client
2. The client launcher

The launcher is running as an background process all the time. The launcher provides an WebSocket server. The user will open my website to start the game (with game-server lists and other settings). The Website connects to the game launcher to handle all actions (change configuration, start the game executable)..

Problem:

How realize the communication with the website and the game launcher? Okay, Websockets, yes. But browsers forbid to connect to localhost/127.0.0.1 by security reason.

An fake-pointer as DNS or hosts-file to an subdomain like local.game.tld is bad, because SSL-Certificates can be revoked here as bad usage.

Another idea was to provide an NPAPI-Plugin for the browser. But it seems, that the NPAPI is deprecated and useless for the future.

Whats the best practice to communicate between webpages and local installed software?

Answer 1

But browsers forbid to connect to localhost/127.0.0.1 by security reason

This isn't true. Browsers allow you to connect to localhost / 127.0.0.1. I do it all the time on my machine.

The issue is that TLS (wss://localhost, not ws://localhost) requires a certificate and browsers forbid mixed content (you can't have an https website load non-encrypted resources).

fake-pointer as DNS or hosts-file to an subdomain like local.game.tld is bad, because SSL-Certificates can be revoked here as bad usage.

As part of your game installer you could create a hosts file entry with a certificate for mygame.localhost (possibly using a local script) and then ask the player to authorize the installation of the certificate using their password. This way your certificate won't be revoked... but you are right that this his suboptimal.

EDIT: also, please note that the domain name must be at the end, not at the beginning (i.e., game.localhost and not localhost.game).

Whats the best practice to communicate between webpages and local installed software?

Generally speaking, if your game is installed on the local machine, there's no need to encrypt the communication between the local browser and the local machine.

You can easily write your local server to accept only connections from the local machine (or, at worst, if need be, accept connections from the local area network - though this adds security risks).

Your webpage and WebSocket data can be sent "in the clear" (ws:// and http://) between the local server and the browser since they are both on the same machine - this way you don't need a browser. The local server would initiate (as a client) any encrypted connection it needs when communicating with an external service (was:// / https://).

EDIT (from the comments):

There are the only 2 solutions I know of:

1. Installing a self-signed certificate; or

2. Using http instead of https and having the server handle outside traffic as if it were a client (so all traffic going outside is encrypted).