Retrieving document's certificate in JS

[Peter]

Is it possible at all? I need to retrieve document's SSL certificate
properties (like fingerprint name etc). Couldnt find anything in JS
references...

TIA,
Peter

 

[Bjoern Hoehrmann]

* Peter wrote in comp.lang.javascript:

Is it possible at all? I need to retrieve document's SSL certificate
properties (like fingerprint name etc). Couldnt find anything in JS
references...

There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.

 

[Peter]

Is it possible at all? I need to retrieve document's SSL certificate

There is no standard method that works across multiple browsers,
especially not for unprivileged scripts. If you only need it for
a specific browser and have the ability to run privileged scripts
in some fashion, we might be able to give pointers. Note that it'd
be much simpler to simply do this on the server, and report what-
ever data you are interested in to the script.

Well I need this specifically to prevent man-in-the-middle attacks. I'm
actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).

I guess we could restrict users to specific flavors of browser (like
Firefox/IE/Safari) and implement some sort of browser-specific code to
detect SSL certificate? Does that sound possible?

Peter

 

[Bjoern Hoehrmann]

* Peter wrote in comp.lang.javascript:

Well I need this specifically to prevent man-in-the-middle attacks. I'm
actually running Adobe Flex app that interacts with database server over
http and want to verify that we're connecting to the 'right' server. I can
do this only client-side, and right now my only option seems to be
Javascript (I can call JS scripts/code snippets from Flex).

But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.

 

[Peter]

Well I need this specifically to prevent man-in-the-middle attacks. I'm

But how are you talking to it then, after you checked it's the right one
in particular? Normally you wouldn't manage the connection in JavaScript
but use, say, XMLHttpRequest to transfer resources, and between checking
for the right server, and dispatch of the new request the connection may
have been "re"-established with the wrong server.

Thats not how Flex http works AFAIK. It establishes connection upon launch
and keeps it open. All http connectivity is managed by the browser as app
runs inside Flash player. As a result I dont have access to connectivity
functions directly, but I can run any JS code by calling proper browser
interface method. So, my idea was to run some JS code that would return SSL
certificate fingerprint which my app will compare against known fingerprint.
FWIW I can do the check on every service call, it's no big deal since all
service calls are centralized in single class.

Peter