Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Extract digital signature from HTTPS response

by stringZ (Acolyte)
on Feb 25, 2013 at 08:01 UTC ( #1020470=perlquestion: print w/ replies, xml ) Need Help??
stringZ has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I'm using LWP with SSL (HTTPS) support and I would like to somehow grant the authenticity of received HTTPS replies (or packets). For example I download "textfile.txt" through HTTPS, I would like to extract a digital signature (or something like this) that certifies that the file was downloaded from that server from that URL and the content hasn't been modified. Is this possible?

Thanks

Comment on Extract digital signature from HTTPS response
Re: Extract digital signature from HTTPS response
by Corion (Pope) on Feb 25, 2013 at 08:11 UTC

    The closest you can get is to verify the hostname and certificate by using the ssl_opts option. Once you have saved the file to disk, there is no way to assure its integrity.

    You could sign the file from your program, maybe using gpg, while writing it, but nothing prevents somebody with access to the machine/account to sign other files as well.

      Thanks for the reply. What about IO::Socket::SSL?

        Once your text file has been written to disk, there is nothing that SSL can do to help you.

        Maybe you can somehow use the public part of the SSL key of the remote side to sign the file, but that will require understanding of the SSL protocol which I don't have.

Re: Extract digital signature from HTTPS response
by soonix (Curate) on Feb 25, 2013 at 09:50 UTC
    Another way for this would be a signature by the remote server.
Re: Extract digital signature from HTTPS response
by sundialsvc4 (Abbot) on Feb 25, 2013 at 13:49 UTC

    SSL connections provide several ways to restrict the acceptable certificate values that are presented, although these features are not commonly used in the Wooly Wild Internet.   Connection verification should be done at a protocol level.   Man-in-the-middle attacks should be prevented thereby.   If you trust the server you’re talking to, or the client you’re listening to, then HTTPS will transfer the bytes correctly.

    Another way to do it on a more general scale is to use VPN with individually-issued digital certificates.

    “Trust,” however, can be a big question, because, in the case of a data file, you must trust the file not the transport.   “Even if the message is being delivered by carrier pigeon, you must be able to trust the message, not the bird.”   If you return to the message weeks or months after delivery, you must still be able to authenticate its content.   The only way to do that is with a cryptographically signed file.   Tools like gpg can do that, whether or not the message itself is encrypted.   Your entire company workflow, not just this Perl program, must support that in order for it to be meaningful.

      Here is what I want:

      I go to https://www.secure.com, navigate to a specific page on the site, then save its content to a file. As long as the page is in the browser, the HTTPS protocol itself grants the authenticity of the page, but after saving it to a file, anyone can modify it. Let's say I don't trust myself and nobody trusts me, but I must prove that this page, that has been saved to disk, has original content generated by www.secure.com. I can't sign it with my own-generated private key because as I mentioned, nobody trusts me. They only trust www.secure.com. So I would like to save either a raw HTTPS content or a decrypted HTTP response with a digital signature that can be verified if someone takes a look at the (cert / public key / whatever) of www.secure.com.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1020470]
Approved by tmharish
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (11)
As of 2014-12-21 14:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (106 votes), past polls