Retrieving document's certificate in JS

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Peter
    #1

    Retrieving document's certificate in JS

    Is it possible at all? I need to retrieve document's SSL certificate
    properties (like fingerprint name etc). Couldnt find anything in JS
    references...

    TIA,
    Peter


    Tags: None
    • Bjoern Hoehrmann
      #2
      Re: Retrieving document's certificate in JS

      * Peter wrote in comp.lang.javas cript:
      >Is it possible at all? I need to retrieve document's SSL certificate
      >properties (like fingerprint name etc). Couldnt find anything in JS
      >references.. .
      There is no standard method that works across multiple browsers,
      especially not for unprivileged scripts. If you only need it for
      a specific browser and have the ability to run privileged scripts
      in some fashion, we might be able to give pointers. Note that it'd
      be much simpler to simply do this on the server, and report what-
      ever data you are interested in to the script.
      --
      Björn Höhrmann · mailto:bjoern@h oehrmann.de · http://bjoern.hoehrmann.de
      Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
      68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

        Comment

        • Peter
          #3
          Re: Retrieving document's certificate in JS

          >>Is it possible at all? I need to retrieve document's SSL certificate
          >>properties (like fingerprint name etc). Couldnt find anything in JS
          >>references. ..
          >
          There is no standard method that works across multiple browsers,
          especially not for unprivileged scripts. If you only need it for
          a specific browser and have the ability to run privileged scripts
          in some fashion, we might be able to give pointers. Note that it'd
          be much simpler to simply do this on the server, and report what-
          ever data you are interested in to the script.
          Well I need this specifically to prevent man-in-the-middle attacks. I'm
          actually running Adobe Flex app that interacts with database server over
          http and want to verify that we're connecting to the 'right' server. I can
          do this only client-side, and right now my only option seems to be
          Javascript (I can call JS scripts/code snippets from Flex).

          I guess we could restrict users to specific flavors of browser (like
          Firefox/IE/Safari) and implement some sort of browser-specific code to
          detect SSL certificate? Does that sound possible?

          Peter


            Comment

            • Bjoern Hoehrmann
              #4
              Re: Retrieving document's certificate in JS

              * Peter wrote in comp.lang.javas cript:
              >Well I need this specifically to prevent man-in-the-middle attacks. I'm
              >actually running Adobe Flex app that interacts with database server over
              >http and want to verify that we're connecting to the 'right' server. I can
              >do this only client-side, and right now my only option seems to be
              >Javascript (I can call JS scripts/code snippets from Flex).
              But how are you talking to it then, after you checked it's the right one
              in particular? Normally you wouldn't manage the connection in JavaScript
              but use, say, XMLHttpRequest to transfer resources, and between checking
              for the right server, and dispatch of the new request the connection may
              have been "re"-established with the wrong server.
              --
              Björn Höhrmann · mailto:bjoern@h oehrmann.de · http://bjoern.hoehrmann.de
              Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
              68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

                Comment

                • Peter
                  #5
                  Re: Retrieving document's certificate in JS

                  >>Well I need this specifically to prevent man-in-the-middle attacks. I'm
                  >>actually running Adobe Flex app that interacts with database server over
                  >>http and want to verify that we're connecting to the 'right' server. I can
                  >>do this only client-side, and right now my only option seems to be
                  >>Javascript (I can call JS scripts/code snippets from Flex).
                  >
                  But how are you talking to it then, after you checked it's the right one
                  in particular? Normally you wouldn't manage the connection in JavaScript
                  but use, say, XMLHttpRequest to transfer resources, and between checking
                  for the right server, and dispatch of the new request the connection may
                  have been "re"-established with the wrong server.
                  Thats not how Flex http works AFAIK. It establishes connection upon launch
                  and keeps it open. All http connectivity is managed by the browser as app
                  runs inside Flash player. As a result I dont have access to connectivity
                  functions directly, but I can run any JS code by calling proper browser
                  interface method. So, my idea was to run some JS code that would return SSL
                  certificate fingerprint which my app will compare against known fingerprint.
                  FWIW I can do the check on every service call, it's no big deal since all
                  service calls are centralized in single class.

                  Peter


                    Comment

                    Previous template Next
                    Working...