moonyowl
2018-10-20
Currently it’s impossible to read TLS certificate data via JavaScript. In some cases, this feature can be very useful. For example, it may help to detect TLS certificate spoofing.
Can Certificate Transparency help deal with the spoofing issue, and to what extent?
It can’t help in some cases. If some user-hostile ISPs spoof all HTTPS certificates, users will have to accept spoofed certificates.
If JavaScript has access to certificate data, it will be easy to detect certificate spoofing and not let the user access the website without a valid certificate. Example scheme:
    function certificateCheck()
    {
        let clientsideDigest = <Digest of TLS certificate that client get from website>;
        let serversideDigest = <Digest of TLS certificate that website sent to client>;
        let userAnswer = <User's CAPTCHA answer>;
        let correctAnswer = <Correct CAPTCHA answer>;
        if (sha512(clientsideDigest + userAnswer) == sha512(serversideDigest + correctAnswer))
        {
            return true; // PASS: Valid certificate and correct CAPTCHA answer
        }
        else
        {
            return false; // FAIL: Incorrect CAPTCHA answer OR invalid (spoofed) certificate
        }
    }
Proof-of-Concept extension: https://addons.mozilla.org/en-US/firefox/addon/anti-mitm-tlscaptcha-poc/
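The comparison in the scheme above, worked through as an added Node.js example; it is not part of the original post or the linked extension. The certificate bytes, the CAPTCHA answer, the SHA-256 fingerprint, the function names and the split into a client step and a server step are assumptions made for illustration, since the post does not say how either digest is obtained.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Constructed sample certificates (placeholder bytes, not real DER).
const SITE_CERT = Buffer.from('constructed-site-certificate-der');
const SPOOFED_CERT = Buffer.from('constructed-interceptor-certificate-der');

// Hex SHA-256 fingerprint of a certificate (assumed digest choice).
function certDigest(certBytes) {
  return createHash('sha256').update(certBytes).digest('hex');
}

// sha512(digest + answer), the value both sides of the scheme compute.
function bindingToken(digestHex, captchaAnswer) {
  return createHash('sha512').update(digestHex + captchaAnswer, 'utf8').digest();
}

// Client side: digest of the certificate the client actually received,
// combined with what the user typed into the CAPTCHA.
function clientToken(receivedCert, userAnswer) {
  return bindingToken(certDigest(receivedCert), userAnswer);
}

// Server side: recompute from the site's own certificate and the correct
// answer, then compare in constant time.
function serverVerify(token, ownCert, correctAnswer) {
  const expected = bindingToken(certDigest(ownCert), correctAnswer);
  return token.length === expected.length && timingSafeEqual(token, expected);
}

// The three cases the scheme distinguishes.
function demo() {
  const answer = 'x7Kp2'; // constructed CAPTCHA answer
  return {
    genuine: serverVerify(clientToken(SITE_CERT, answer), SITE_CERT, answer),
    spoofedCert: serverVerify(clientToken(SPOOFED_CERT, answer), SITE_CERT, answer),
    wrongAnswer: serverVerify(clientToken(SITE_CERT, 'x7Kp3'), SITE_CERT, answer),
  };
}

console.log(demo());
```

As in the original scheme, a single boolean covers both failure causes: the server cannot tell a mistyped CAPTCHA from a substituted certificate.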