Question

HTTPS is widely used for security online. It offers security and integrity, but not authentication. To ensure the client is not talking to a man-in-the-middle, we have digital certificates and the PKI. It all works very well, except in the situation where the following criteria apply:

  • The server and client do not share a common, trusted root CA, therefore they cannot validate each other's certificates
  • Circumstances (e.g. firewall, permissions, etc.) do not permit the use of the regular HTTPS protocol

The question is: can we still send secure, authenticated messages between the client and server, perhaps using JavaScript?

Something along the lines of:

  1. Client sends regular HTTP request to server
  2. Server responds with page containing JavaScript code
  3. Client's JavaScript asynchronously sends data to the server used to negotiate
  4. Server runs some sort of script (e.g. PHP) to establish the tunnel
  5. Client and server communicate over the encrypted tunnel

I can see it being possible to send messages with security and integrity in this manner, but is it possible to authenticate without making use of the PKI, perhaps by exploiting the fact that the server can dynamically rewrite the JavaScript sent to the client?

Solution

There is an issue in your step 2 ("Server responds with page containing JavaScript code"): how do you know someone sitting on the wire is not modifying this JavaScript, since it is being transferred in plaintext? Basically, when X wants to authenticate Y, X should know something about Y. It could be public information, such as a public key/certificate, or a shared secret that it could verify.
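
To illustrate the answer's point, here is an added example in Node.js (not part of the original answer): a signature checked against a key that arrives with the response accepts a rewritten script, while a check against a key the client already holds rejects it. The function names, the sample script strings, and the premise that the verifier and the pinned key reached the client out of band are all assumptions.

```javascript
// Added example: all names and sample values below are constructed.
const crypto = require('node:crypto');

// The server's long-term signing key. Assumption: the client obtained the
// public half out of band, before any HTTP request was made.
const serverKey = crypto.generateKeyPairSync('ed25519');
const pinnedServerPublicKey = serverKey.publicKey;

// Server side: sign the script it is about to send over plain HTTP and
// attach the signature and its public key to the response.
function serveScript(scriptText, signingKey) {
  const signature = crypto.sign(null, Buffer.from(scriptText), signingKey.privateKey);
  return { scriptText, signature, advertisedKey: signingKey.publicKey };
}

// Client with no prior knowledge: it trusts the key carried in the response.
function acceptInBandKey(response) {
  return crypto.verify(null, Buffer.from(response.scriptText),
    response.advertisedKey, response.signature);
}

// Client with prior knowledge: it ignores the advertised key and checks the
// signature against the key it already holds.
function acceptPinnedKey(response, pinnedKey) {
  return crypto.verify(null, Buffer.from(response.scriptText),
    pinnedKey, response.signature);
}

// Constructed scenario 1: the genuine response.
const genuine = serveScript('negotiateTunnel("genuine");', serverKey);

// Constructed scenario 2: the response was rewritten in transit and signed
// with a key that does not belong to the server.
const otherKey = crypto.generateKeyPairSync('ed25519');
const rewritten = serveScript('negotiateTunnel("altered");', otherKey);

// Constructed scenario 3: only the script text was altered in transit.
const edited = { ...genuine, scriptText: 'negotiateTunnel("edited");' };

function summarize() {
  return [genuine, rewritten, edited].map((r) => ({
    inBand: acceptInBandKey(r),
    pinned: acceptPinnedKey(r, pinnedServerPublicKey),
  }));
}

console.log(summarize());
```

The in-band check only proves that the script and the key came from the same sender, not that the sender is the server; only the pinned check ties the script to an identity the client already knew.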

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow