Certificate pinning in Ajax calls

About

Asked 1/4, 2016 at 14:24 Answered 1/4, 2016 at 15:59

Solved javascript ajax ssl ssl-certificate man-in-the-middle

I believe I already know the answer to this but I wanted to see if anyone had more insight into this problem. I have done certificate pinning in Android and iOS applications to make them more secure against man in the middle attacks. I am curious, can this same thing be done on a website which executes Ajax calls? I'm thinking not as the Javascript code could be modified during transport, has anyone had any experience with this?

Ruthanneruthe answered 1/4, 2016 at 14:24 Comment(0)

You might be interested in this: http://caniuse.com/#search=HPKP . Modern browsers already have support for public key pinning.

Also great article about preventing man in the middle attacks (or them making harder to pull off - as it seems "preventing" in a security context has a relative meaning): http://blog.scottlogic.com/2016/02/01/man-in-the-middle.html

And if you're feeling adventurous you can go really low level with a native implementation of TLS in JavaScript: https://github.com/digitalbazaar/forge/blob/master/README.md

Quarles answered 1/4, 2016 at 15:59 Comment(2)

This was very informative, thanks for the posts. After reading through them I ran a few more tests and found I came to another question regarding MITM attacks. If you have any insight it would be helpful, #36504863 – Ruthanneruthe 8/4, 2016 at 16:11

It looks like HPKP has been deprecated and then removed from Chrome. You might consider developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT, per Chrome's suggestion as a replacement. – Headreach 26/4, 2019 at 18:4

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags