Re: Client script access to server cert info

["n30" <n30_lists () hotmail com>]

Guys,

I may be totally wrong...but i always thought you could use openssl to get
the server cert info remotely.

Ofcourse, this is not 'client side script'...but maybe a useful pointer...

Thanks
-N
----- Original Message -----
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
To: "'Jon Pastore'" <jpastore () idetech net>; "Maupin, Tony"
<Tony.Maupin () integris-health com>; "'Brass, Phil (ISS Atlanta)'"
<PBrass () iss net>; <webappsec () securityfocus com>
Sent: Wednesday, April 16, 2003 8:48 AM
Subject: RE: Client script access to server cert info


> I did a quick search for Tony's search term, and it looks like he was
> referring to a server side solution.
>
> What Phil was looking for was a client side solution, so that the client
> could check if the *server's* cert was invalid.
>
> I would be looking for some function in JavaScript, or possibly a Java
> LiveConnect or ActiveX component to be able to do this.
>
>
>
> I think Jon has misunderstood what Phil was asking for, although he does
> seem to be looking for what Tony was referring to! :-)
>
> For Jon's purposes, I would suggest something like:
>
> As a key, encrypt some static data using the client's server certificate
> (this will tie the key to the lifetime of the certificate, and renewing
the
> ssl server cert will require getting a new application key as well.)
>
> Configure the application to be able to use the SSL private key to decrypt
> the license key, and verify that the static text is intact. If they cannot
> decrypt the static key, then they don't have the right server cert, and so
> they shouldn't be using the application.
>
> Unfortunately, it all falls flat because you are using Perl, and it would
be
> trivial to bypass the checks, simply because perl is source code, not
> binary. Even the attempts at compiling perl only delay an attacker by a
few
> minutes, since all perl obfuscation modules can be trivially reversed (see
a
> fairly recent discussion here or on the secure programming list for
details,
> I forget which)
>
> Nice try, thanks for p(l)aying.
>
> Rogan
>
> -----Original Message-----
> From: Jon Pastore [mailto:jpastore () idetech net]
> Sent: 16 April 2003 01:18 PM
> To: Maupin, Tony; 'Brass, Phil (ISS Atlanta)'; webappsec () securityfocus com
> Subject: Re: Client script access to server cert info
>
>
> can you recommend one for perl? CPAN wasn't playing nice when I did a
search
> eariler...I have an intranet application I sell based on perl that it
would
> be nice if we could make sure it only runs on the computer it was told to.
> and being able to analyze the cert would be nice...
>
> -Jon
> ----- Original Message -----
> From: "Maupin, Tony" <Tony.Maupin () integris-health com>
> To: "'Brass, Phil (ISS Atlanta)'" <PBrass () iss net>;
> <webappsec () securityfocus com>
> Sent: Monday, April 14, 2003 9:55 AM
> Subject: RE: Client script access to server cert info
>
>
> > What you're looking for is called a "certificate parsing module". Do a
> > search on that term and/or add open source to the search depending on
what
> > you're looking for. It will do everything you are asking and more.
> >
> > Tony Maupin
> >
> > -----Original Message-----
> > From: Brass, Phil (ISS Atlanta) [mailto:PBrass () iss net]
> > Sent: Sunday, April 13, 2003 11:21 PM
> > To: webappsec () securityfocus com
> > Subject: RE: Client script access to server cert info
> >
> >
> > To clarify, what I'm looking for is a way for script on a page to access
> > the server certificate information used during the SSL connection over
> > which the page was provided.  I.e. if Alice requests a page from
> > bob.com, but the bob.com server returns a certificate that actually says
> > mallory.com, and Alice presses "OK" when prompted about the discrepancy,
> > it would be nice if there was a way to detect this using script that ran
> > in the browser.  I'm trying to find out if anybody knows of any
> > browser/DOM/DHTML objects that contain a description (signing chain, CN,
> > fingerprint, whatever) of the actual server certificate information
> > presented during the SSL handshake.
> >
> > Phil
> >
> > > -----Original Message-----
> > > From: Brass, Phil (ISS Atlanta)
> > > Sent: Sunday, April 13, 2003 11:51 PM
> > > To: webappsec () securityfocus com
> > > Subject: Client script access to server cert info
> > >
> > >
> > > Does anybody know if there is a way to access the server
> > > certificate information in client-side script in a web browser?
> > >
> > > Thanks!
> > >
> > > Phil