0

Noticed that 2 of the major Selenium cloud providers use HTTP basic auth and don't use HTTPS.

I wonder why and what are the security implications of that decision.

SauceLabs

```java
this.driver = new RemoteWebDriver(
  new URL("http://YOUR_USERNAME:YOUR_ACCESS_KEY@ondemand.saucelabs.com:80/wd/hub"),
  capabilities);
```

BrowserStack

```java
public static final String URL = "http://" + USERNAME + ":" + AUTOMATE_KEY + "@hub.browserstack.com/wd/hub";
```
Leo Gallucci

2 Answers

4

BrowserStack does provide both https and http endpoints. It is up to you to use what you think is right. For examples, please have a look at this doc.

Disclaimer: I work at BrowserStack.com

Aditya Patawari
  • Those docs are about `BrowserStack supports the use of REST API to access information about your tests` not about creating new selenium sessions – Leo Gallucci Jul 08 '15 at 13:24
  • So are you sure that if I change `final String URL = "http://" + USERNAME...` to `final String URL = "https://" + USERNAME` it will work? or https is just for the REST API? – Leo Gallucci Jul 08 '15 at 13:24
  • 1
    @LeoGallucci, yes. Just using https in place of http will work. We support https on all our products but users can use http if they want to. – Aditya Patawari Jul 08 '15 at 13:26
  • Ok, so I have little faith maybe and had to try it myself, indeed BrowserStack supports https; my test passed. Thanks for the info @Aditya – Leo Gallucci Jul 08 '15 at 14:15
  • One last thing, if I use `https://hub.browserstack.com/wd/hub` it works fine, however when using `https://hub.browserstack.com:443/wd/hub` it fails with `400 The plain HTTP request was sent to HTTPS port`. Is this really https or is it just redirecting to port 80 to plain http? – Leo Gallucci Jul 08 '15 at 15:41
  • Interesting. I am not able to see this behavior. `# curl "https://hub.browserstack.com:443/wd/hub" {"value":{"message":"200 OK"}}` Can you tell me how you get this? I can assure you that this is 100% https. You can examine the certificate by using openssl commandline utility. `openssl s_client -connect hub.browserstack.com:443 ` – Aditya Patawari Jul 09 '15 at 07:59
  • Here the example test also with log output: https://gist.github.com/elgalu/0feda20b6f7f042ef55e#file-test-js-L11 I don't think curl helps here, we need to run some real selenium test to recreate – Leo Gallucci Jul 09 '15 at 11:43
  • 1
    @LeoGallucci, thanks for this. I can confirm that this is a bug with the node.js driver code and not an https issue. While we work to fix it, you can either use it by removing ":443" or by using python or ruby drivers. I'll get it fixed and get back to you. – Aditya Patawari Jul 09 '15 at 14:33
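
As an added example (not part of the question, the answer or either vendor's code), the following Node.js sketch audits hub URLs of the form quoted in this thread. It flags credentials sent over plain HTTP, shows that the resulting Basic auth header is only base64-encoded, and catches the scheme/port mismatch behind the `400 The plain HTTP request was sent to HTTPS port` message. The function names and the `USER`/`KEY` values are assumptions made for illustration.

```javascript
// Added example. USER / KEY in the sample calls are constructed placeholders.

// Audit a WebDriver hub URL such as the ones quoted in the question.
function auditHubUrl(raw) {
  const u = new URL(raw);
  const findings = [];
  const hasCreds = u.username !== "" || u.password !== "";

  // Basic auth over http:// puts the credentials on the wire in cleartext.
  if (u.protocol === "http:" && hasCreds) {
    findings.push("credentials-over-cleartext");
  }
  // Plain HTTP aimed at a TLS listener is what produces
  // "400 The plain HTTP request was sent to HTTPS port".
  if (u.protocol === "http:" && u.port === "443") {
    findings.push("http-scheme-on-tls-port");
  }
  if (u.protocol === "https:" && u.port === "80") {
    findings.push("https-scheme-on-http-port");
  }

  // Header a client derives from the userinfo part of the URL.
  let authorization = null;
  if (hasCreds) {
    const pair = decodeURIComponent(u.username) + ":" + decodeURIComponent(u.password);
    authorization = "Basic " + Buffer.from(pair, "utf8").toString("base64");
  }

  // Hardened form: https, no userinfo, default ports dropped.
  const port = ["", "80", "443"].includes(u.port) ? "" : ":" + u.port;
  const hubUrl = "https://" + u.hostname + port + u.pathname + u.search;

  return { findings, authorization, hubUrl };
}

// What anyone who can read the cleartext request recovers from the header:
// base64 is an encoding, not encryption.
function recoverFromHeader(header) {
  return Buffer.from(header.replace(/^Basic\s+/i, ""), "base64").toString("utf8");
}

// Constructed sample inputs modelled on the URLs in the question.
const samples = [
  "http://USER:KEY@ondemand.saucelabs.com:80/wd/hub",
  "http://USER:KEY@hub.browserstack.com:443/wd/hub",
  "https://hub.browserstack.com/wd/hub",
];
for (const s of samples) console.log(s, JSON.stringify(auditHubUrl(s)));
```

The `authorization` value is returned separately so it can be supplied as a request header over the `https://` hub URL instead of being embedded in the URL string.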
1

Sauce Labs uses an AES256 bit encrypted HTTPS tunnel to your VMs then is multiplexed over this single encrypted TLS connection. More info here:

https://docs.saucelabs.com/reference/sauce-connect/