WebApp Sec mailing list archives
RE: Client script access to server cert info
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 14 Apr 2003 07:52:29 +0200
It's an interesting idea. I guess the objective is to prevent other sites from masquerading as your own, by acting as a proxy? I like the concept, but implementation may be difficult. Obviously mallory.com is in a position to change any script that you send through it, and could either replace those script fragments in line, or filter them out completely. If it were to change in an unpredictable manner, and quite frequently, it could be possible to make life difficult for them, though . . . Rogan -----Original Message----- From: Brass, Phil (ISS Atlanta) [mailto:PBrass () iss net] Sent: 14 April 2003 06:21 AM To: webappsec () securityfocus com Subject: RE: Client script access to server cert info To clarify, what I'm looking for is a way for script on a page to access the server certificate information used during the SSL connection over which the page was provided. I.e. if Alice requests a page from bob.com, but the bob.com server returns a certificate that actually says mallory.com, and Alice presses "OK" when prompted about the discrepancy, it would be nice if there was a way to detect this using script that ran in the browser. I'm trying to find out if anybody knows of any browser/DOM/DHTML objects that contain a description (signing chain, CN, fingerprint, whatever) of the actual server certificate information presented during the SSL handshake. Phil
-----Original Message----- From: Brass, Phil (ISS Atlanta) Sent: Sunday, April 13, 2003 11:51 PM To: webappsec () securityfocus com Subject: Client script access to server cert info Does anybody know if there is a way to access the server certificate information in client-side script in a web browser? Thanks! Phil
Current thread:
- Client script access to server cert info Brass, Phil (ISS Atlanta) (Apr 13)
- <Possible follow-ups>
- RE: Client script access to server cert info Brass, Phil (ISS Atlanta) (Apr 13)
- RE: Client script access to server cert info Dawes, Rogan (ZA - Johannesburg) (Apr 14)
- RE: Client script access to server cert info Maupin, Tony (Apr 14)
- Re: Client script access to server cert info Jon Pastore (Apr 16)
- RE: Client script access to server cert info Dawes, Rogan (ZA - Johannesburg) (Apr 16)
- Re: Client script access to server cert info n30 (Apr 16)
- RE: Client script access to server cert info Jimi Thompson (Apr 16)