Connecting Tech Pros Worldwide Help | Site Map
bytes > topic > javascript > answers

Retrieving document's certificate in JS

Peter
Guest
  
Posts: n/a
#1: Jun 27 '08
Is it possible at all? I need to retrieve document's SSL certificate
properties (like fingerprint name etc). Couldnt find anything in JS
references...

TIA,
Peter
Bjoern Hoehrmann
Guest
  
Posts: n/a
#2: Jun 27 '08

re: Retrieving document's certificate in JS

* Peter wrote in comp.lang.javascript:
Quote:
>Is it possible at all? I need to retrieve document's SSL certificate
>properties (like fingerprint name etc). Couldnt find anything in JS
>references...
There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Peter
Guest
  
Posts: n/a
#3: Jun 27 '08

re: Retrieving document's certificate in JS

>>Is it possible at all? I need to retrieve document's SSL certificate
Quote:
Quote:
>>properties (like fingerprint name etc). Couldnt find anything in JS
>>references...
>
There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.
Well I need this specifically to prevent man-in-the-middle attacks. I'm
actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).

I guess we could restrict users to specific flavors of browser (like
Firefox/IE/Safari) and implement some sort of browser-specific code to
detect SSL certificate? Does that sound possible?

Peter
Bjoern Hoehrmann
Guest
  
Posts: n/a
#4: Jun 27 '08

re: Retrieving document's certificate in JS

* Peter wrote in comp.lang.javascript:
Quote:
>Well I need this specifically to prevent man-in-the-middle attacks. I'm
>actually running Adobe Flex app that interacts with database server over
>http and want to verify that we're connecting to the 'right' server. I can
>do this only client-side, and right now my only option seems to be
>Javascript (I can call JS scripts/code snippets from Flex).
But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Peter
Guest
  
Posts: n/a
#5: Jun 27 '08

re: Retrieving document's certificate in JS

>>Well I need this specifically to prevent man-in-the-middle attacks. I'm
Quote:
Quote:
>>actually running Adobe Flex app that interacts with database server over
>>http and want to verify that we're connecting to the 'right' server. I can
>>do this only client-side, and right now my only option seems to be
>>Javascript (I can call JS scripts/code snippets from Flex).
>
But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.
Thats not how Flex http works AFAIK. It establishes connection upon launch
and keeps it open. All http connectivity is managed by the browser as app
runs inside Flash player. As a result I dont have access to connectivity
functions directly, but I can run any JS code by calling proper browser
interface method. So, my idea was to run some JS code that would return SSL
certificate fingerprint which my app will compare against known fingerprint.
FWIW I can do the check on every service call, it's no big deal since all
service calls are centralized in single class.

Peter
Closed Thread

« previous question | next question »

Similar JavaScript / Ajax / DHTML bytes

/bytes/development

/bytes/it

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,327 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved