An Adobe FLEX 4 object loads from a webpage and runs in the browser. The connection between browser and server is secured using SSL over HTTP (HTTPS) with a secure certificate from a valid Certificate Authority.

Can FLEX code read the secure certificate information and retrieve information such as to whom the certificate was issued, when it is valid, and for what domain it was issued, etc.?

Craine
  • Not that I know; why would you want to / need to do this in Flex? I wouldn't even expect this information to be available via HTML or JavaScript. – JeffryHouser Jul 19 '11 at 19:07
  • I imagine it's because he wants to display something to the user to let them know they're on a secure connection, maybe within an app where SSL is not required but recommended as GMAIL used to be? – Jonathan Rowny Jul 19 '11 at 19:45
  • There's an answer in this post: http://stackoverflow.com/questions/2402121/within-a-web-browser-is-it-possible-for-javascript-to-obtain-information-about-t which tells you how to do it with a JavaScript/Python tool called Forge. You can use the ExternalInterface to access it. – Jonathan Rowny Jul 19 '11 at 19:55
  • It is possible for a Man-in-the-Middle attack to examine or even alter all communication to and from the web browser. Even if HTTPS is used. For instance a free tool like Fiddler can do this easily. I would like the FLEX component to check the specifications of the Secure Certificate to ensure the certificate belongs to the website/server that the FLEX component trusts. An attacker will find it very difficult to emulate the Secure Certificate in that way. – Craine Jul 25 '11 at 19:51
  • @Craine If a man-in-the-middle attack is able to compromise the SSL connection then it will be possible to alter the original Flex component which does the validation to remove the validation code, or change the validation data (fields or hash) so that the component incorrectly validates the attacker's certificate. That said, here's a method of using digital signing to authenticate content of a SWF which may be helpful: http://stackoverflow.com/questions/6335096/codesigning-swf/6885784#6885784 – Luke Van In Aug 04 '11 at 17:35

2 Answers

No, browser - i.e. Flash Player is a different sandbox, which cannot access the browser for the certificate.

Harit K

No. Flex uses the browser for all its HTTP requests. The browser and underlying system handle all certificates, cookies, etc...

If the certificate is not valid, the user will receive an alert, at least in AIR apps that I know of.

Mike007