WebApp Sec: Re: Client script access to server cert info

Re: Client script access to server cert info

From: n30 <n30_lists_at_hotmail.com>
Date: Wed, 16 Apr 2003 10:07:24 -0700

Guys,

I may be totally wrong...but I always thought you could use openssl to get
the server cert info remotely.

Of course, this is not 'client side script'...but maybe a useful pointer...

Thanks
-N
----- Original Message -----
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes_at_deloitte.co.za>
To: "'Jon Pastore'" <jpastore_at_idetech.net>; "Maupin, Tony"
<Tony.Maupin_at_integris-health.com>; "'Brass, Phil (ISS Atlanta)'"
<PBrass_at_iss.net>; <webappsec_at_securityfocus.com>
Sent: Wednesday, April 16, 2003 8:48 AM
Subject: RE: Client script access to server cert info

> I did a quick search for Tony's search term, and it looks like he was
> referring to a server side solution.
>
> What Phil was looking for was a client side solution, so that the client
> could check if the *server's* cert was invalid.
>
> I would be looking for some function in JavaScript, or possibly a Java
> LiveConnect or ActiveX component to be able to do this.
>
>
>
> I think Jon has misunderstood what Phil was asking for, although he does
> seem to be looking for what Tony was referring to! :-)
>
> For Jon's purposes, I would suggest something like:
>
> As a key, encrypt some static data using the client's server certificate
> (this will tie the key to the lifetime of the certificate, and renewing the
> ssl server cert will require getting a new application key as well.)
>
> Configure the application to be able to use the SSL private key to decrypt
> the license key, and verify that the static text is intact. If they cannot
> decrypt the static key, then they don't have the right server cert, and so
> they shouldn't be using the application.
>
> Unfortunately, it all falls flat because you are using Perl, and it would be
> trivial to bypass the checks, simply because perl is source code, not
> binary. Even the attempts at compiling perl only delay an attacker by a few
> minutes, since all perl obfuscation modules can be trivially reversed (see a
> fairly recent discussion here or on the secure programming list for details,
> I forget which)
>
> Nice try, thanks for p(l)aying.
>
> Rogan
>
> -----Original Message-----
> From: Jon Pastore [mailto:jpastore_at_idetech.net]
> Sent: 16 April 2003 01:18 PM
> To: Maupin, Tony; 'Brass, Phil (ISS Atlanta)'; webappsec_at_securityfocus.com
> Subject: Re: Client script access to server cert info
>
>
> can you recommend one for perl? CPAN wasn't playing nice when I did a search
> earlier...I have an intranet application I sell based on perl that it would
> be nice if we could make sure it only runs on the computer it was told to.
> and being able to analyze the cert would be nice...
>
> -Jon
> ----- Original Message -----
> From: "Maupin, Tony" <Tony.Maupin_at_integris-health.com>
> To: "'Brass, Phil (ISS Atlanta)'" <PBrass_at_iss.net>;
> <webappsec_at_securityfocus.com>
> Sent: Monday, April 14, 2003 9:55 AM
> Subject: RE: Client script access to server cert info
>
>
> > What you're looking for is called a "certificate parsing module". Do a
> > search on that term and/or add open source to the search depending on what
> > you're looking for. It will do everything you are asking and more.
> >
> > Tony Maupin
> >
> > -----Original Message-----
> > From: Brass, Phil (ISS Atlanta) [mailto:PBrass_at_iss.net]
> > Sent: Sunday, April 13, 2003 11:21 PM
> > To: webappsec_at_securityfocus.com
> > Subject: RE: Client script access to server cert info
> >
> >
> > To clarify, what I'm looking for is a way for script on a page to access
> > the server certificate information used during the SSL connection over
> > which the page was provided. I.e. if Alice requests a page from
> > bob.com, but the bob.com server returns a certificate that actually says
> > mallory.com, and Alice presses "OK" when prompted about the discrepancy,
> > it would be nice if there was a way to detect this using script that ran
> > in the browser. I'm trying to find out if anybody knows of any
> > browser/DOM/DHTML objects that contain a description (signing chain, CN,
> > fingerprint, whatever) of the actual server certificate information
> > presented during the SSL handshake.
> >
> > Phil
> >
> > > -----Original Message-----
> > > From: Brass, Phil (ISS Atlanta)
> > > Sent: Sunday, April 13, 2003 11:51 PM
> > > To: webappsec_at_securityfocus.com
> > > Subject: Client script access to server cert info
> > >
> > >
> > > Does anybody know if there is a way to access the server
> > > certificate information in client-side script in a web browser?
> > >
> > > Thanks!
> > >
> > > Phil
> > >
> >
>
Received on Apr 16 2003
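As an added example that is not part of the thread or any poster's own code, here is the openssl-based check n30 points to, applied to the mismatch Phil describes (Alice asks for bob.com and receives a certificate for mallory.com). It assumes the openssl command-line tool is installed; the function names, the hostnames and the self-signed sample certificate are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: compare the CN of the certificate a
# server presented with the hostname the client meant to reach (Phil's
# bob.com vs. mallory.com case). Assumes the openssl CLI is installed.

# Retrieve the leaf certificate from a live server, as n30 suggests
# (needs network access, so the offline demonstration does not call it).
fetch_server_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Print the subject CN of the PEM certificate given on stdin.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the colon-separated SHA-256 fingerprint of the PEM cert on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when the certificate in $2 names hostname $1, 1 otherwise.
check_cn() {
    expected="$1"; pem_file="$2"
    actual=$(cert_cn < "$pem_file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: certificate CN '$actual' matches '$expected'"
        return 0
    fi
    echo "MISMATCH: expected '$expected' but certificate says '$actual'" >&2
    return 1
}

# Constructed sample: a self-signed certificate for mallory.com, standing in
# for what Alice's browser received when she asked for bob.com.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=mallory.com" -days 1 -out "$1" 2>/dev/null
}

# Stand-alone demonstration: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_cert "$tmp/cert.pem"
    check_cn "bob.com" "$tmp/cert.pem" || echo "refusing to trust this server"
    rm -rf "$tmp"
fi
```

Run the script with --demo to see the mismatch reported for the constructed certificate; feed the output of fetch_server_cert for a host you administer into the same check to verify a live certificate.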