Certificate Pinning in Ajax Calls

I believe that I already know the answer to this question, but I wanted to see if anyone has a deeper understanding of this problem. I implemented certificate pinning in Android and iOS apps to make them more protected from man-in-the-middle attacks. I am curious if this can be done on a website that makes Ajax calls? I don't think JavaScript code can be changed during transport, does anyone have any experience?

+5
1 answer

You may be interested in: http://caniuse.com/#search=HPKP. Modern browsers already have public key support.

Also a great article on preventing man-in-the-middle attacks (or making them more difficult to pull off; it seems that "prevention" in a security context is relative): http://blog.scottlogic.com/2016/02/01/man-in-the-middle.html

And if you feel adventurous, you can go to a very low level with your own TLS implementation in JavaScript: https://github.com/digitalbazaar/forge/blob/master/README.md

+4
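The HPKP mechanism linked in the answer, as an added Node.js example that is not part of the original answer: it computes `pin-sha256` values as defined in RFC 7469, builds the `Public-Key-Pins` header, and performs the match a pinning client makes against the presented chain. The keys are constructed samples and the function names are hypothetical; major browsers have since removed HPKP support, so this shows the mechanism rather than a current deployment recipe.

```javascript
// Added example: RFC 7469 (HPKP) pin computation and matching. Keys are generated
// here as constructed sample data; function names are hypothetical.
const nodeCrypto = require('node:crypto');

// pin-sha256 = base64(SHA-256(DER-encoded SubjectPublicKeyInfo))
function spkiPin(publicKey) {
  const spkiDer = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(spkiDer).digest('base64');
}

// Build the Public-Key-Pins header value. RFC 7469 requires a backup pin
// (a key not in the served chain) so one lost key does not lock users out.
function buildHpkpHeader(pins, maxAgeSeconds, includeSubDomains = false) {
  if (new Set(pins).size < 2) throw new Error('need a primary and a backup pin');
  const parts = pins.map((p) => `pin-sha256="${p}"`);
  parts.push(`max-age=${maxAgeSeconds}`);
  if (includeSubDomains) parts.push('includeSubDomains');
  return parts.join('; ');
}

// Extract the pins from a header value (a SHA-256 digest is 44 base64 characters).
function parsePins(headerValue) {
  return [...headerValue.matchAll(/pin-sha256="([A-Za-z0-9+/]{43}=)"/g)].map((m) => m[1]);
}

// Client-side check: at least one key in the presented chain must match a pin.
function chainMatchesPins(chainPublicKeys, headerValue) {
  const pinned = new Set(parsePins(headerValue));
  return chainPublicKeys.some((key) => pinned.has(spkiPin(key)));
}

// Constructed sample keys: the server key, an offline backup key, and the key
// an interception proxy would present instead.
const newKey = () =>
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).publicKey;
const serverKey = newKey();
const backupKey = newKey();
const proxyKey = newKey();

const header = buildHpkpHeader([spkiPin(serverKey), spkiPin(backupKey)], 5184000);
console.log('Public-Key-Pins:', header);
console.log('genuine chain accepted:', chainMatchesPins([serverKey], header));
console.log('proxy chain accepted:  ', chainMatchesPins([proxyKey], header));
```

The pin covers the public key rather than the whole certificate, so a certificate reissued for the same key still matches.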

Source: https://habr.com/ru/post/1246243/