
RE: Client script access to server cert info

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Mon Apr 14 2003 - 01:52:29 EDT


It's an interesting idea. I guess the objective is to prevent other sites from masquerading as your own, by acting as a proxy?

I like the concept, but implementation may be difficult. Obviously mallory.com is in a position to change any script that you send through it, and could either replace those script fragments in line, or filter them out completely.

If it were to change in an unpredictable manner, and quite frequently, it could be possible to make life difficult for them, though . . .

Rogan

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass@iss.net]
Sent: 14 April 2003 06:21 AM
To: webappsec@securityfocus.com
Subject: RE: Client script access to server cert info

To clarify, what I'm looking for is a way for script on a page to access the server certificate information used during the SSL connection over which the page was provided. I.e. if Alice requests a page from bob.com, but the bob.com server returns a certificate that actually says mallory.com, and Alice presses "OK" when prompted about the discrepancy, it would be nice if there was a way to detect this using script that ran in the browser. I'm trying to find out if anybody knows of any browser/DOM/DHTML objects that contain a description (signing chain, CN, fingerprint, whatever) of the actual server certificate information presented during the SSL handshake.

Phil

> -----Original Message-----
Received on Mon Apr 14 12:00:55 2003
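
The check Phil describes, written out as an added example that is not part of the original thread: given the certificate presented in the handshake, compare its names and fingerprint with the host the page was requested from and with a pinned fingerprint. The `cert` object shape, the function names and the sample values are assumptions; the thread does not identify any browser object that supplies this data.

```javascript
// Added example. The cert object shape is hypothetical: it stands in for
// whatever a browser API would hand to page script.

// Match one DNS name from a certificate against a host name.
// "*" is honoured only as the whole left-most label, covers exactly one
// label, and is rejected for two-label patterns such as "*.com".
function matchesName(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) => {
    if (i === 0 && label === '*' && p.length > 2) return h[0].length > 0;
    return label === h[i];
  });
}

// Return the discrepancies between the requested host and the certificate.
// An empty list means the certificate is consistent with expectations.
function checkServerCert(requestedHost, cert, pinnedFingerprints) {
  const problems = [];
  // subjectAltName DNS entries take precedence; fall back to the subject CN
  // only when the certificate carries none.
  const names = cert.altNames && cert.altNames.length
    ? cert.altNames
    : [cert.subjectCN];
  if (!names.some((n) => matchesName(n, requestedHost))) {
    problems.push(
      `name mismatch: asked for ${requestedHost}, cert names ${names.join(', ')}`);
  }
  // Normalise "AA:BB:..." and "aabb..." to the same form before comparing.
  const norm = (f) => f.replace(/:/g, '').toLowerCase();
  if (!pinnedFingerprints.map(norm).includes(norm(cert.fingerprint))) {
    problems.push('fingerprint not in pinned set');
  }
  return problems;
}

// Constructed sample data (placeholder fingerprints, not real certificates).
const BOB_PIN = 'AA:'.repeat(19) + 'AA';
const bobCert = { subjectCN: 'bob.com', altNames: ['bob.com', '*.bob.com'],
                  fingerprint: BOB_PIN };
const malloryCert = { subjectCN: 'mallory.com', altNames: [],
                      fingerprint: 'BB:'.repeat(19) + 'BB' };

console.log(checkServerCert('bob.com', bobCert, [BOB_PIN]));
console.log(checkServerCert('bob.com', malloryCert, [BOB_PIN]));
```

As Rogan's reply points out, an intermediary that can rewrite the page can also alter or strip a check like this one.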


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

