Re: Can a Browser's Certificate Verify Its Identity?

From: Felix Tiede (tiede_at_pc-tiede.de)
Date: 03/27/05


Date: Sun, 27 Mar 2005 14:18:04 +0200

smai wrote:
> You are correct. I was hoping that the certificate would identify the
> browser vendor and version, and that it could be relied upon to be
> true. That way, I can verify that those browsers do not cache pages
> that I don't want to be cached, and I can restrict access to only those
> browsers.
>
>
> Regarding the question of a client-less VPN... I am not looking to
> build a clientless VPN. I am looking to build a web application that
> allows employees to check sensitive corporate information from a remote
> location through a web browser. I want to be sure that the information
> is not cached on the remote computer. MSIE will obey the no-cache HTTP
> headers; therefore, I would like to validate that the user is browsing
> the site from that MSIE browser.
>
> Finally, I agree with the previous poster that I should not trust the
> user-agent string in the HTTP header through non-secure communication.
> However, can I trust it when it is secure (HTTPS/SSL)? If not, is that
> information available to be read from the browser's certificate?
>

No. SSL-Client-Certificates (which you can/should use to authenticate the
client) are not bound to any browser. The client can use it with any browser
which supports client-certificates.

Yes, the HTTP-Request (and the UA-string) will be transferred encrypted to
your server but that does not ensure that it wasn't faked before it was
encrypted.

HTH, regards
Felix
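Felix's point in working form, as an added example that is not part of the original thread: the server authenticates on the client certificate the TLS layer verified, never on the User-Agent, and sends no-cache headers that a cooperating browser will honour but that the server cannot enforce. The file paths, the X-Authenticated-User header and the sample certificate dict are constructed for illustration.

```python
import ssl
from typing import Optional, Tuple

def client_auth_context(server_chain: str, employee_ca: str) -> ssl.SSLContext:
    """TLS server context that refuses the handshake unless the client presents
    a certificate issued by the given CA. Paths are placeholders for the
    deployment's own files (not called in the demo below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_chain)
    ctx.load_verify_locations(employee_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def subject_cn(peercert: Optional[dict]) -> Optional[str]:
    """commonName from the dict SSLSocket.getpeercert() returns after a
    CERT_REQUIRED handshake; None if no certificate was presented."""
    for rdn in (peercert or {}).get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def handle_request(peercert: Optional[dict], request_headers: dict) -> Tuple[int, dict]:
    """Authorisation rests only on the verified certificate. request_headers
    (including any User-Agent) is client-supplied data and is never consulted."""
    user = subject_cn(peercert)
    if user is None:
        return 403, {"Content-Type": "text/plain"}
    headers = {
        "Content-Type": "text/html",
        # Honoured by cooperating browsers; the server cannot verify compliance.
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
        "X-Authenticated-User": user,  # constructed header name, for illustration
    }
    return 200, headers

# Constructed sample in the shape getpeercert() produces (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Corp Employee CA"),),),
    "notBefore": "Mar 27 00:00:00 2005 GMT",
    "notAfter": "Mar 27 00:00:00 2006 GMT",
    "serialNumber": "0A1B2C",
}

if __name__ == "__main__":
    print(handle_request(SAMPLE_PEERCERT, {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}))
    print(handle_request(None, {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}))
```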
