Display insecure image and video source in BrightSign XT1143

Currently, I am using BrightSign XT1143 (firmware: 7.0.60) for displaying video and image.

The image source and video source given by my customer are in HTTPS while the certificate is a self-signed certificate.

In addition, it is not possible to get the key file from my customer.

 

Currently, I use "roImagePlayer" and "roVideoPlayer" for display.

However, it seems that these two objects cannot display an insecure source.

 

Therefore, I wonder if there is any workaround so that I can display insecure image and video with "roImagePlayer" and "roVideoPlayer", like enabling "insecure_https_enabled" in "roHtmlWidget"?

 

9 comments

  • Lyndon

    If the only way to access this site is with a self-signed cert, which you don't have access to, I can't think of any way you can display the file on the player.

  • Sam Cheung

    Maybe I can rephrase the question like this.

     

    The current situation is that the image source and the video source are located in an application server.

    All traffic to that application server will be redirected to HTTPS while the server is using a self-signed certificate.

    However, the image source and the video source are not password protected, that means we can access the sources directly through URL.

     

    We have tried to use "roImagePlayer" and "roVideoPlayer" for displaying these URLs (in HTTPS), but nothing has been shown on the player.

    I wonder how we can display these resources on the player?

    Are there any methods that can bypass the validation of the certificate?

    Or, if we can get the CA certificate from our customer, are there any ways to make the sources trusted by the player?

     

    Thanks.

  • Keith

    I have the same issue with a self-signed certificate. My application server has HTTPS enabled with a self-signed certificate. I have configured insecure_https_enabled in roHtmlWidget. The insecure_https_enabled setting seems to apply only to the HTML page, but video and images cannot be displayed due to the HTTPS issue. However, we can resolve it with a trusted public certificate.

    My XT1143 firmware is 7.0.60

    1. May I know the support level for self-signed certificates?

    2. May I know the setting to ignore the self-signed certificate, like insecure HTTPS, for video and image?

    3. How can I import a CA certificate to the XT1143?

    I currently have a customer case on this issue. May I get an answer to resolve the self-signed HTTPS issue?

    Many thanks.

  • JRB Technical

    How often do these files change?

    Maybe not the best solution, but do you have easy access to another web server? You could set up a simple script/cron job on another server, that copies the files and then serves them as HTTP so you can access them from the BrightSign.

    This is becoming more of an issue, where many are rushing to deploy HTTPS, but using self-signed certificates instead of using better certificates for SSL/TLS (like the free Let's Encrypt certificates). This is one of the reasons I still run my content servers with separate HTTP and HTTPS spaces, and most content is still served as HTTP unless it really needs to be HTTPS for security reasons.
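
The copy step suggested in the comment above, sketched as an added example (not code from the thread or from BrightSign): the mirroring host accepts the customer's self-signed certificate only when it matches a fingerprint obtained out of band, instead of switching validation off. The function names, host, paths and pin are hypothetical, and the certificate is assumed to carry a name that matches the host.

```python
import hashlib
import hmac
import ssl
import urllib.request
from pathlib import Path


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of a PEM certificate's DER bytes."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def pin_matches(pem: str, pinned_hex: str) -> bool:
    """Constant-time comparison; the pin may be 'AA:BB:..' or plain hex."""
    wanted = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(pem), wanted)


def pinned_context(pem: str, pinned_hex: str) -> ssl.SSLContext:
    """TLS context whose only trust anchor is the pinned self-signed cert."""
    if not pin_matches(pem, pinned_hex):
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=pem)          # no system CAs are loaded
    return ctx


def mirror(host: str, paths: list[str], pinned_hex: str, dest: Path, port: int = 443) -> None:
    """Copy each path from https://host into dest over a pinned TLS session."""
    # The first fetch is unverified on purpose: it only obtains the cert to check the pin.
    pem = ssl.get_server_certificate((host, port))
    ctx = pinned_context(pem, pinned_hex)
    dest.mkdir(parents=True, exist_ok=True)
    for p in paths:
        url = f"https://{host}:{port}/{p.lstrip('/')}"
        with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
            (dest / Path(p).name).write_bytes(resp.read())
```

A changed or substituted certificate makes `pinned_context` raise before any content is requested, so a cron job built on `mirror` fails closed rather than copying from an unknown server.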

  • Sam Cheung

    Thanks for your reply, JohnLBV.

     

    However, as stated above, the server is provided by my customer.

    Therefore, it is not possible for me to change the certificate of the application server.

     

    In addition, my customer wants to keep the connection as HTTPS, but not HTTP.

    So, using another HTTP server may not be an acceptable solution to my customer.

     

    I wonder if there is no solution (by BrightScript) at this moment to bypass the validation of certificate for "roImagePlayer" and "roVideoPlayer"?

  • Keith

    Thanks, JohnLBV.

    I got your point. As a network-connected signage box, it ideally uses the network to stream content from the server.

    I know HTTP is the easiest way to solve the problem, but using a self-signed certificate in a company's internal network is a very common practice.

    Does it mean that the BrightSign XT1143 ONLY supports trusted public certificates, without any way to ignore or bypass the self-signed certificate warning?

     

  • JRB Technical

    It's a double-edged sword.

    If companies keep creating loopholes for HTTPS content that the browser or hardware consider insecure, then what is the point of using HTTPS?

    Unfortunately, more and more now the use of self-signed keys is considered a bad security practice, even though many still do this.

    I cannot speak for BrightSign on this, as it is up to them to determine how far they want to bend the rules for secure content. Companies in general are being more proactive about keeping possible security leaks in hardware like this to a minimum, because hackers often use these exploits to gain access to other devices on the same network.

  • Sam Cheung

    Since my customer wants us to give them an official answer, I would like to confirm that, at least up to the current firmware, there is no solution to bypass the validation of the certificate for image sources and video sources?

  • Mark Courtenay

    Coming to this discussion somewhat late and not really understanding the requirements of the original poster, I'm still interested in the risks of having BrightSign devices on a network where business critical resources are also present. Obviously password protection of BrightSign devices is strongly advisable but realistically what are the risks if password protection is not enforced (in the assumption that rogue publishing of content displayed on some HDMI display device isn't going to cause undue damage to the business)? Or is the scripting language so powerful that an attack can be launched through malicious code running on the BrightSign?
