当前位置: 文江博客话题详情

有没有办法使用 JavaScript 获取 SSL 证书详细信息?

发布于 2024-08-28 01:22:50 字数 192 浏览 8 评论 0原文

我想收集特定网站上 SSL 证书的某些详细信息。我知道在 Linux/MacOSX 上使用 openssl 工具很简单。但是 JavaScript 中可能有相同或相似的情况吗?

据我所知,浏览器处理套接字连接,并且 SSL 握手发生在任何一方发送数据之前。但是,在 XMLHTTPRequest 中,我想知道是否可以将这些详细信息作为某种响应代码等获取?

原文

I'd like to gather certain details of an SSL certificate on a particular web-site. I know this is straightforward using the openssl tool on Linux/MacOSX. However is the same or similar possible in JavaScript?

I understand that the browser handles socket connections and that the SSL handshake occurs prior to any party sending data. However in an XMLHTTPRequest, I'd like to know if its possible to get these details as some sort of response code etc?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

鹤仙姿 2024-09-04 01:22:50

这些信息根本不会暴露给 JavaScript,它很少被使用(当然从来没有,因为它不可用,但它很少被使用),以至于它被认为不够重要,无法添加到我想 JavaScript 对象模型...对于任何很少使用的功能来说都是一样的。

当然,出于安全原因,它也可能被排除在外......我目前没有足够的创造力来想出一个,但我确信那里也有一个漏洞。

This information simply isn't exposed to javascript, it is so rarely used (well never since it isn't available, but it would be rarely used) that it wasn't deemed important enough to add to the javascript object model I suppose...same for any very rarely used feature left out of anything.

Of course, it could have also been left out for security reasons...I'm not creative enough to come up with one at the moment, but I'm sure there's an exploit to be had there as well.

回复 原文
风流物 2024-09-04 01:22:50

该证书不是 DOM 的一部分,所以不,这是不可能的。对不起!

The certificate isn't part of the DOM, so no, this won't be possible. Sorry!

回复 原文
挽袖吟 2024-09-04 01:22:50

不,不可能。

可以通过 javascript 检测当前正在查看的页面是否通过 SSL 连接 (document.location.protocol=="https:"),但仅此而已。

Nope, not possible.

It is possible to detect via javascript whether the current page being viewed is over an SSL connection (document.location.protocol=="https:"), but that's about it.

回复 原文
哽咽笑 2024-09-04 01:22:50

目前的JS语言标准并没有暴露证书信息;除此之外,这可能取决于您如何使用 JavaScript,如果您希望最终用户的浏览器公开证书信息,那么这将是一个真正的问题,因为您需要获得最低的 FF、Chrome、Safari、IE ,边缘,...暴露它。

但是,正如信息安全帖子<中提到的/a>,这对于这些浏览器来说并不是一个真正理想的选择,因为它会导致网站开发人员编写代码错误地信任用户端凭据。

与其说这是阻止 JavaScript 访问浏览器当前 SSL 证书信息的可见性安全风险,不如说是第四堵墙安全风险,JS 开发人员必须意识到“用户接受的”证书不一定是提供的网站。 HTML 页面确实不应该使用客户端代码处理安全问题,而应该能够依赖安全层来正确完成其工作。 (我完全可以理解想要检查安全层,但是您在顶层所做的任何管理工作都只是肤浅的或对整个生物圈的改造)

因为让我们暂时假设 javascript 确实提供了一种方法如果 Bob 已经信任 Mallory,因为他的安全性已被破坏,则无法阻止以下交换:

办公室工作人员 Bob 位于 Mega Corp. 防火墙的一侧,IT Mallory 负责防火墙在本地传递进出公司的流量,并且 Web Host Alice 的精彩网站位于 WWW 上。

  1. 根据 Mega Corp. 公司的政策,鲍勃只接受马洛里所说的话。
  2. 鲍勃想要访问爱丽丝的站点,但没有直接的外部访问权限,他试图通过持有他的证书来通过防火墙建立安全连接(例如:“我特此声明我是鲍勃”),并以一种非常复杂的方式询问爱丽丝,“我给你发了什么证书?”
  3. Mallory 收到了 Bob 的请求,但转而自行传递(例如:“呃,Bob 说我可以阅读他的网络邮件”),尽管 Mallory 不明白 Bob 的复杂问题,但她仍然向 Alice 重复了一遍,“akdvyfenwythnwerhy ?”。
  4. 爱丽丝做了一些数学计算,得出了“akdvyfenwythnwerhy?”询问“我给你发了什么证书?”并用她所看到的内容回复马洛里(“嗨,鲍勃,这是爱丽丝,你说:呃,鲍勃说我可以阅读他的网络邮件”)。
  5. 马洛里做了一些数学,有一个啊哈时刻“akdvyfenwythnwerhy?=我发送给你什么证书?”,并代表爱丽丝回答鲍勃的问题(“嗨鲍勃,这是爱丽丝(马洛里)你说:我特此声明我是鲍勃”)。
  6. 鲍勃相信生活是美好的,并继续阅读他的网络邮件,因为根据公司政策,他知道马洛里永远不会对他撒谎。
  7. Mallory 现在能够阅读对话的双方,并将 Bob 阅读其网络邮件的请求传递给 Alice。
  8. Alice 收到 Bob 的请求,并说嘿等一下,Bob 我需要你运行这段 JS 代码来证明你知道你正在与 Alice 交谈。
  9. Mallory 获取代码,运行它,并将结果发送给 Alice,表明她知道她正在与 Alice 交谈。
  10. 爱丽丝说,这对我来说已经足够了,这是你的网络邮件。
  11. 马洛里阅读了鲍勃的网络邮件,然后将其传递给鲍勃,每个人都很高兴。

(注意:我没有解决您在服务器端运行 JS 的情况,那么这取决于您使用什么程序来运行 JS 代码。)

Edit 4/4/2018 -- While the above is not wrong it's more from the perspective of embedded and linked JS than it is about the `XMLHTTPRequest` JS object; moreover quite possibly the strongest argument to be made against sharing PKI details with `XMLHTTPRequest` is as follows:

在 HTTP 部分和HTTPS 协议的 S 部分。 JavaScript 及其 XMLHTTPRequest 对象驻留在该行的 HTTP(应用层)一侧,而整个证书交换过程驻留在该行的 S(trans/sec 层)一侧。为了保持安全端的原子性(可热插拔),其内部工作不能跨线暴露给应用程序端;因为可能有一天,传输/安全层不再使用 PKI 证书来促进其安全通信服务,并且当那一天到来时,没有人需要重写任何依赖于这些证书中包含的详细信息来处理的现有 JS 代码。随着 www 社区慢慢采用他们最喜欢的任何新安全层风格引起的传播浪潮。

话虽这么说,安全方面似乎也在进行法人实体审查——至少在某些情况下,例如 EV 证书——,而且在我看来,这是 RFC7230 第 2.7.2 节 表示它不会重新定义 https 的 authority -URI 包含一个可选的合法性,安全层在验证与其通信的 URL 不仅是正确的端点而且当前处于预期业务关系的控制之下时将使用该合法性。

authority     = [ userinfo "@" ] host [ "#" legalentity ] [ ":" port ]
legalentity   = *( unreserved / pct-encoded / sub-delims )

The current JS language standard does not expose certificate information; beyond that It probably depends on how you're using JavaScript, if you're expecting the end user's Browser to expose certificate information then it's going to be really problematic because you'd need to get at the minimum FF, Chrome, Safari, IE, Edge, ... to expose it.

However, as mentioned on this Information Security post, this is not really a desirable option for these browsers to implement, as it would allow a situation where a website developer could write code to mistakenly trust user side credentials.

It's not so much a visibility security risk that prevents javascript from accessing the browser's current SSL Certificate info, but more of a fourth wall barrier security risk where the JS developer must be aware that the "user-accepted" certificate is not necessarily the one that the website provided. The HTML page really shouldn't be handling the security issues with client side code, but instead it should be able to depend on the security layer to do it's job properly. (I can totally understand wanting to checkup on the security layer, but any managerial work you do at the top layer is just going to be either superficial or a reworking of the entire biosphere)

Because let's assume for a moment that javascript did provide a way to work with the certificate, then when Bob already trusts Mallory because his security is broken there is no way of stopping the following exchange:

Office Worker Bob is on one side of the great firewall of Mega Corp., IT Mallory is in charge of the firewall passing traffic in and out of the company locally, and Web Host Alice's awesome website is out on the WWW.

  1. By Mega Corp. company policy Bob is setup to just accept what Mallory has to say at face value.
  2. Bob who would like to visit Alice's site, but has no direct outside access, tries to establish a secure connection through the firewall by holding up his certificate(Eg:"I hereby declare I am Bob") and asks Alice in a really convoluted way, "what certificate did I send to you?"
  3. Mallory gets Bob's request, but instead passes on her own(Eg:"Uh, Bob says it's ok for me to read his webmail"), and even though Mallory doesn't understand Bob's convoluted question she still repeats it to Alice, "akdvyfenwythnwerhy?".
  4. Alice does some math and figures out that "akdvyfenwythnwerhy?" is asking "what certificate did I send you?" and answers back to Mallory with what she sees("Hi Bob this is Alice you said: Uh, Bob says it's ok for me to read his webmail").
  5. Mallory does some math, has an ah ha moment "akdvyfenwythnwerhy?=what certificate did I send to you?", and answers Bob's question on behalf of Alice("Hi Bob this is Alice(Mallory) you said: I hereby declare I am Bob").
  6. Bob believes life is good and continues on to read his webmail, because by company policy he knows Mallory would never lie to him.
  7. Mallory now able to read both sides of the conversation passes on Bob's request to read his webmail to Alice.
  8. Alice gets Bob's request and says hey wait a minute Bob I need you to run this JS code to prove you know you're talking to Alice.
  9. Mallory gets the code, runs it, and sends the results stating that she knows she's talking to Alice back to Alice.
  10. Alice says, good enough for me here's your webmail.
  11. Mallory reads Bob's webmail before passing it on to Bob, and everyone is blissfully happy.

(Note: I did not address the case where you're running JS server-side, then it would depend on what program you're using to run your JS code.)

Edit 4/4/2018 -- While the above is not wrong it's more from the perspective of embedded and linked JS than it is about the `XMLHTTPRequest` JS object; moreover quite possibly the strongest argument to be made against sharing PKI details with `XMLHTTPRequest` is as follows:

There needs to remain a strong dividing line between the HTTP portion and the S portion of the HTTPS protocol. JavaScript and it's XMLHTTPRequest object reside on the HTTP(app layer) side of that line, while the whole certificate exchange process resides on the S(trans/sec layer) side of that line. In order to keep the security side atomic(hot-swappable) its internal workings cannot be exposed across the line to the application side; because there may come a day when the transport/security layer no longer uses PKI certificates to facilitate its secure communication service, and when that day comes no one would need to rewrite any existing JS code that was relying on details contained within those certificates to deal with the propagation wave caused by the www community slowly adopting their favorite flavor of any new security layer.

That being said, the security side does appear to also be doing legal entity vetting --at least in some cases like EV certificates--, and it is IMO a short coming of RFC7230 section 2.7.2 that it does not redefine the authority of the https-URI to include an optional legalentity that the security layer would use when verifying the url it is communicating with is not only the proper end point but also currently under control of the intended business relation.

authority     = [ userinfo "@" ] host [ "#" legalentity ] [ ":" port ]
legalentity   = *( unreserved / pct-encoded / sub-delims )
回复 原文
~没有更多了~

关于作者

单挑你×的.吻

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文