
RE: Client script access to server cert info

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Wed Apr 16 2003 - 11:48:21 EDT


I did a quick search for Tony's search term, and it looks like he was referring to a server side solution.

What Phil was looking for was a client side solution, so that the client could check if the *server's* cert was invalid.

I would be looking for some function in JavaScript, or possibly a Java LiveConnect or ActiveX component to be able to do this.

I think Jon has misunderstood what Phil was asking for, although he does seem to be looking for what Tony was referring to! :-)

For Jon's purposes, I would suggest something like:

As a key, encrypt some static data using the client's server certificate (this will tie the key to the lifetime of the certificate, and renewing the ssl server cert will require getting a new application key as well.)

Configure the application to be able to use the SSL private key to decrypt the license key, and verify that the static text is intact. If they cannot decrypt the static key, then they don't have the right server cert, and so they shouldn't be using the application.

Unfortunately, it all falls flat because you are using Perl, and it would be trivial to bypass the checks, simply because Perl is source code, not binary. Even the attempts at compiling Perl only delay an attacker by a few minutes, since all Perl obfuscation modules can be trivially reversed (see a fairly recent discussion here or on the secure programming list for details, I forget which).

Nice try, thanks for p(l)aying.

Rogan
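The license-key idea above (encrypt static text under the customer's server certificate, decrypt at runtime with the SSL private key), worked through as an added example that is not from this thread. It assumes an RSA certificate and uses RSA-OAEP, a self-signed throw-away certificate standing in for the real one, and a constructed static string; Rogan's caveat still applies, since a check like this is only as strong as the code that performs it.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// licenseMagic is a constructed static string; the vendor encrypts it under the
// customer's SSL server certificate to produce the application key.
const licenseMagic = "example-app license v1 (constructed sample)"

// selfSignedCert builds a throw-away self-signed certificate that stands in for
// the customer's real SSL server certificate (assumed RSA).
func selfSignedCert(priv *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "intranet.example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueLicense encrypts the static text under the public key carried in the
// server cert, so only the holder of the matching private key can recover it.
func issueLicense(cert *x509.Certificate) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(licenseMagic), nil)
}

// verifyLicense is the runtime check: decrypt with the SSL private key and
// confirm the static text is intact. A renewed cert with a new key fails here.
func verifyLicense(priv *rsa.PrivateKey, license []byte) bool {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, license, nil)
	return err == nil && bytes.Equal(plain, []byte(licenseMagic))
}
```

A license issued against one certificate verifies only with that certificate's private key, so renewing the cert with a new key pair invalidates the key exactly as the message describes.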

-----Original Message-----
From: Jon Pastore [mailto:jpastore@idetech.net]
Sent: 16 April 2003 01:18 PM
To: Maupin, Tony; 'Brass, Phil (ISS Atlanta)'; webappsec@securityfocus.com
Subject: Re: Client script access to server cert info

Can you recommend one for Perl? CPAN wasn't playing nice when I did a search earlier... I have an intranet application I sell based on Perl that it would be nice if we could make sure it only runs on the computer it was told to. And being able to analyze the cert would be nice...

-Jon
----- Original Message -----
From: "Maupin, Tony" <Tony.Maupin@integris-health.com>
To: "'Brass, Phil (ISS Atlanta)'" <PBrass@iss.net>; <webappsec@securityfocus.com>
Sent: Monday, April 14, 2003 9:55 AM
Subject: RE: Client script access to server cert info

> What you're looking for is called a "certificate parsing module". Do a
Received on Wed Apr 16 11:55:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

