RE: Client script access to server cert info

["Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>]

It's an interesting idea. I guess the objective is to prevent other sites
from masquerading as your own, by acting as a proxy?

I like the concept, but implementation may be difficult. Obviously
mallory.com is in a position to change any script that you send through it,
and could either replace those script fragments in line, or filter them out
completely.

If it were to change in an unpredictable manner, and quite frequently, it
could be possible to make life difficult for them, though . . .

Rogan

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass () iss net] 
Sent: 14 April 2003 06:21 AM
To: webappsec () securityfocus com
Subject: RE: Client script access to server cert info


To clarify, what I'm looking for is a way for script on a page to access
the server certificate information used during the SSL connection over
which the page was provided.  I.e. if Alice requests a page from
bob.com, but the bob.com server returns a certificate that actually says
mallory.com, and Alice presses "OK" when prompted about the discrepancy,
it would be nice if there was a way to detect this using script that ran
in the browser.  I'm trying to find out if anybody knows of any
browser/DOM/DHTML objects that contain a description (signing chain, CN,
fingerprint, whatever) of the actual server certificate information
presented during the SSL handshake.

Phil

> -----Original Message-----
> From: Brass, Phil (ISS Atlanta) 
> Sent: Sunday, April 13, 2003 11:51 PM
> To: webappsec () securityfocus com
> Subject: Client script access to server cert info
>
>
> Does anybody know if there is a way to access the server 
> certificate information in client-side script in a web browser?
>
> Thanks!
>
> Phil