What all of you are referring to is known as a "Certificate
Revocation List" and that is the one part of the current PKI standard
that is largely NOT implemented. Even if you had JavaScript or some
other bit of code to do the checking most Certificate Authorities
simply don't support the checking.
If you are looking to implement this on your own private CA, I would
suggest that you create an LDAP server and load the certs in there.
Anything that cannot be verified against the cert in the LDAP would
be invalid and the transaction processing would then stop.
HTH,
At 5:48 PM +0200 4/16/03, Dawes, Rogan (ZA - Johannesburg) wrote:
>I did a quick search for Tony's search term, and it looks like he was
>referring to a server side solution.
>
>What Phil was looking for was a client side solution, so that the client
>could check if the *server's* cert was invalid.
>
>I would be looking for some function in JavaScript, or possibly a Java
>LiveConnect or ActiveX component to be able to do this.
>
>
>
>I think Jon has misunderstood what Phil was asking for, although he does
>seem to be looking for what Tony was referring to! :-)
>
>For Jon's purposes, I would suggest something like:
>
>As a key, encrypt some static data using the client's server certificate
>(this will tie the key to the lifetime of the certificate, and renewing the
>ssl server cert will require getting a new application key as well.)
>
>Configure the application to be able to use the SSL private key to decrypt
>the license key, and verify that the static text is intact. If they cannot
>decrypt the static key, then they don't have the right server cert, and so
>they shouldn't be using the application.
>
>Unfortunately, it all falls flat because you are using Perl, and it would be
>trivial to bypass the checks, simply because perl is source code, not
>binary. Even the attempts at compiling perl only delay an attacker by a few
>minutes, since all perl obfuscation modules can be trivially reversed (see a
>fairly recent discussion here or on the secure programming list for details,
>I forget which)
>
>Nice try, thanks for p(l)aying.
>
>Rogan
>
>-----Original Message-----
>From: Jon Pastore [mailto:jpastore_at_idetech.net]
>Sent: 16 April 2003 01:18 PM
>To: Maupin, Tony; 'Brass, Phil (ISS Atlanta)'; webappsec_at_securityfocus.com
>Subject: Re: Client script access to server cert info
>
>
>can you recommend one for perl? CPAN wasn't playing nice when I did a search
>earlier...I have an intranet application I sell based on perl that it would
>be nice if we could make sure it only runs on the computer it was told to.
>and being able to analyze the cert would be nice...
>
>-Jon
>----- Original Message -----
>From: "Maupin, Tony" <Tony.Maupin_at_integris-health.com>
>To: "'Brass, Phil (ISS Atlanta)'" <PBrass_at_iss.net>;
><webappsec_at_securityfocus.com>
>Sent: Monday, April 14, 2003 9:55 AM
>Subject: RE: Client script access to server cert info
>
>
>> What you're looking for is called a "certificate parsing module". Do a
>> search on that term and/or add open source to the search depending on what
>> you're looking for. It will do everything you are asking and more.
>>
>> Tony Maupin
>>
>> -----Original Message-----
>> From: Brass, Phil (ISS Atlanta) [mailto:PBrass_at_iss.net]
>> Sent: Sunday, April 13, 2003 11:21 PM
>> To: webappsec_at_securityfocus.com
>> Subject: RE: Client script access to server cert info
>>
>>
>> To clarify, what I'm looking for is a way for script on a page to access
>> the server certificate information used during the SSL connection over
>> which the page was provided. I.e. if Alice requests a page from
>> bob.com, but the bob.com server returns a certificate that actually says
>> mallory.com, and Alice presses "OK" when prompted about the discrepancy,
>> it would be nice if there was a way to detect this using script that ran
>> in the browser. I'm trying to find out if anybody knows of any
>> browser/DOM/DHTML objects that contain a description (signing chain, CN,
>> fingerprint, whatever) of the actual server certificate information
>> presented during the SSL handshake.
>>
>> Phil
>>
>> > -----Original Message-----
>> > From: Brass, Phil (ISS Atlanta)
>> > Sent: Sunday, April 13, 2003 11:51 PM
>> > To: webappsec_at_securityfocus.com
>> > Subject: Client script access to server cert info
>> >
>> >
>> > Does anybody know if there is a way to access the server
>> > certificate information in client-side script in a web browser?
>> >
>> > Thanks!
>> >
>> > Phil
>> >
>>
--
Thanks,
Ms. Jimi Thompson, CISSP, Rev.
"I'm a great believer in luck, and I find the harder I work, the more
I have of it." -- Thomas Jefferson
Received on Apr 17 2003