
I believe I already know the answer to this, but I wanted to see if anyone had more insight into this problem. I have done certificate pinning in Android and iOS applications to make them more secure against man-in-the-middle attacks. I am curious: can this same thing be done on a website which executes Ajax calls? I'm thinking not, as the JavaScript code could be modified during transport. Has anyone had any experience with this?

Bobbake4

1 Answer


You might be interested in this: http://caniuse.com/#search=HPKP . Modern browsers already have support for public key pinning.

Also, a great article about preventing man-in-the-middle attacks (or making them harder to pull off, as it seems "preventing" has a relative meaning in a security context): http://blog.scottlogic.com/2016/02/01/man-in-the-middle.html

And if you're feeling adventurous you can go really low level with a native implementation of TLS in JavaScript: https://github.com/digitalbazaar/forge/blob/master/README.md

bug-a-lot
  • This was very informative, thanks for the posts. After reading through them I ran a few more tests and found I came to another question regarding MITM attacks. If you have any insight it would be helpful: http://stackoverflow.com/questions/36504363/securing-web-server-against-mitm-in-safari – Bobbake4 Apr 08 '16 at 16:11
  • It looks like HPKP has been deprecated and then removed from Chrome. You might consider https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT, per Chrome's suggestion as a replacement. – Peter Apr 26 '19 at 18:04