Browser client-side check of SSL certificate fingerprint in order to detect MITM attack

I have the following problem:
For a secure website that serves only SSL pages, but uses a self-signed SSL certificate, I want to be able to check the SSL certificate fingerprint found at the client side against the known fingerprint of the certificate that would be sent with the page to the client browser.

I believe that by comparing these 2 values, a MITM attack can be detected because the SSL fingerprint of the MITM attacker would be different.

I have tried to find this in JavaScript but have not been able to find the solution there.

I hope that the experts here might have a solution for this problem...
raymondfp asked:

Patrick Bogers, Datacenter platform engineer, Lindows, commented:
Hi

Not sure if this can be (easily) achieved.
IMHO you should assign clients that visit/login a unique and completely random sessionID bound to that user, which makes it easier to protect from MITM attacks.
raymondfp (Author) commented:
Hi Patrick,
A sessionID can easily be hijacked and is more used for identifying the current interaction session. I already use a unique sessionID to register each login and all actions (page requests) related to that login.
But the sessionID does not protect nor detect when your connection is intercepted by means of a MITM attack from the start (before you login).

I think the only way to detect a MITM attack is by verifying the SSL fingerprint found at the client side against the fingerprint of the server.

The only client-side checks I could think of are JavaScript and Java.

Patrick Bogers, Datacenter platform engineer, Lindows, commented:
Hi Raymond,

If you make sure your website is free of XSS and CSRF vulnerabilities, sessionIDs are NOT easily hijacked. Especially not if they are bound to an IP address and have a TTL for the duration of the session.
To me this is the best way. (we use it in our sites we host for big financials)

BTW: Of course your biggest weakness is the self-signed certificate. If security is that important you should buy a cert from a trusted CA.

Dave Baldwin, Fixer of Problems, commented:
I think you are going to find that the SSL fingerprint is not accessible from a web page with JavaScript or anything else. But here is a lot of information about the subject: https://www.grc.com/fingerprints.htm

raymondfp (Author) commented:
Hi Patrick,
You are correct regarding it not being easy to hijack a session in the conditions that you describe.
Actually I am not so much concerned about the type of MITM attacks that are done using those type of vulnerabilities.
I am more concerned about interception using e.g. DNS spoofing.
Normally the browser would show that there is something wrong with the certificate.
However, because the webserver uses a self-signed certificate, users will always get a message and are instructed to always continue. Therefore, there is no abnormality that alerts the users when an MITM attack by means of DNS spoofing is in progress.
At the moment, the only thing that I can think of regarding detecting such an attack is to check the certificate that is being used because it is very difficult to almost impossible for the attacker to reproduce the certificate.

That is why I am looking for a way to get the certificate info at the client side.
If it is the key I can generate the fingerprint and compare it with the known server fingerprint.