By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,460 Members | 1,154 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,460 IT Pros & Developers. It's quick & easy.

Retrieving document's certificate in JS

P: n/a
Is it possible at all? I need to retrieve document's SSL certificate
properties (like fingerprint name etc). Couldnt find anything in JS
references...

TIA,
Peter
Jun 27 '08 #1
Share this Question
Share on Google+
4 Replies


P: n/a
* Peter wrote in comp.lang.javascript:
>Is it possible at all? I need to retrieve document's SSL certificate
properties (like fingerprint name etc). Couldnt find anything in JS
references...
There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.
--
Björn Höhrmann · mailto:bj****@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Jun 27 '08 #2

P: n/a
>>Is it possible at all? I need to retrieve document's SSL certificate
>>properties (like fingerprint name etc). Couldnt find anything in JS
references...

There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.
Well I need this specifically to prevent man-in-the-middle attacks. I'm
actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).

I guess we could restrict users to specific flavors of browser (like
Firefox/IE/Safari) and implement some sort of browser-specific code to
detect SSL certificate? Does that sound possible?

Peter
Jun 27 '08 #3

P: n/a
* Peter wrote in comp.lang.javascript:
>Well I need this specifically to prevent man-in-the-middle attacks. I'm
actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).
But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.
--
Björn Höhrmann · mailto:bj****@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Jun 27 '08 #4

P: n/a
>>Well I need this specifically to prevent man-in-the-middle attacks. I'm
>>actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).

But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.
Thats not how Flex http works AFAIK. It establishes connection upon launch
and keeps it open. All http connectivity is managed by the browser as app
runs inside Flash player. As a result I dont have access to connectivity
functions directly, but I can run any JS code by calling proper browser
interface method. So, my idea was to run some JS code that would return SSL
certificate fingerprint which my app will compare against known fingerprint.
FWIW I can do the check on every service call, it's no big deal since all
service calls are centralized in single class.

Peter
Jun 27 '08 #5

This discussion thread is closed

Replies have been disabled for this discussion.