Something unique in a user machine with JavaScript?

Here's the idea: If I can get something unique about a computer with JavaScript from an HTML page (possibly a MAC address), can I use this data as another security check? Is it possible?

I will not check the computer on the client side, I will send it to the server to check. If nothing is sent, the user will be blocked. So this is not something that any combination of developer + Firebug can work around. I just want to send another line with a username and password that is unique to the computer, and no one knows if they will enter the system from this computer. Like a password hidden from the user himself.

+7
3 answers
  • You can try using tracking cookies; please note, however, that such mechanisms are considered transient (for example, cookies may be deleted). In the browser, JavaScript is sandboxed, so it does not have access to components outside the page. Please also note that any sense of security that you get with JavaScript is illusory: the script runs on the client side, where it can be changed (so there is no way to determine whether the "unique" piece of data is genuine or fake) or disabled altogether.

  • If you are trying to prevent random people from hacking your application, you can ban them after a certain number of unsuccessful attempts. It will not give you any security, it is more like a flytrap - it limits the troubles a little.

  • Finally, if you want real security, go to HTTPS with real (unauthorized) server certificates and client-side certificates - see, for example, this for implementation (this example, however, uses self-signed server certificates, which is not very secure). This is a mechanism that is well implemented in the browser itself and provides you with some secure system (complete with a secure keystore) for identifying your users (as opposed to the fundamentally erroneous JS security, or relying on user capabilities, readable files). Oh, and your data is encrypted on the wire, which is a bonus.

SSL actually does what you ask for: verifies that the client computer has a certificate issued to this user. This mechanism works inside the browser, and not just inside the web page; thus, it’s much harder to undermine this than the built-in JavaScript. It stores a large unique identifier (client certificate) in a secure manner and can prove to the server that it actually has that identifier, which is pretty much your initial requirement.

(By the way, using SSL, the data will be protected along the way, and the client can check the server identifier; these are not your requirements, but they are more or less necessary to ensure that you are actually talking with the real client and the real server.)

+5
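The client-certificate check described in the answer above, sketched for a Node.js HTTPS server as an added example (not code from the answer or the question). The enrollment table, the fingerprints, the function names and the stand-in socket are assumptions constructed for illustration; the device identity is read from the TLS layer, never from a value the page script submits.

```javascript
// Constructed sample data: username -> SHA-256 fingerprints of the client
// certificates issued to that user's machines.
const ALICE_FP = "AA:AA:AA:AA (constructed)";
const BOB_FP = "BB:BB:BB:BB (constructed)";
const ENROLLED = new Map([
  ["alice", new Set([ALICE_FP])],
  ["bob", new Set([BOB_FP])],
]);

// Options object for https.createServer(options, handler) in Node.js.
function mtlsServerOptions(serverKeyPem, serverCertPem, clientCaPem) {
  return {
    key: serverKeyPem,
    cert: serverCertPem,
    ca: [clientCaPem],         // trust only certificates issued by our own client CA
    requestCert: true,         // ask the browser for a certificate in the handshake
    rejectUnauthorized: false, // keep the connection so the handler can answer 403
  };
}

// Call after the username/password check has succeeded for `username`.
// `socket` is req.socket (a tls.TLSSocket); no request field is consulted.
function checkDevice(socket, username) {
  if (!socket.authorized) {
    return { ok: false, reason: "no client certificate signed by our CA" };
  }
  const cert = socket.getPeerCertificate();
  const allowed = ENROLLED.get(username);
  if (!cert || !cert.fingerprint256 || !allowed || !allowed.has(cert.fingerprint256)) {
    return { ok: false, reason: "certificate is not enrolled for this user" };
  }
  return { ok: true, reason: "enrolled certificate " + cert.subject.CN };
}

// Constructed stand-in for a TLS socket so the check can be exercised offline.
function fakeSocket(authorized, fingerprint256, cn) {
  return {
    authorized,
    getPeerCertificate: () => (fingerprint256 ? { fingerprint256, subject: { CN: cn } } : {}),
  };
}

function demo() {
  return [
    checkDevice(fakeSocket(true, ALICE_FP, "alice-laptop"), "alice"), // enrolled machine
    checkDevice(fakeSocket(true, BOB_FP, "bob-desktop"), "alice"),    // valid cert, wrong user
    checkDevice(fakeSocket(false, null, null), "alice"),              // no certificate
  ];
}
console.log(demo());
```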

JavaScript inside a web browser runs in a sandbox and does not have access to basic hardware. In addition, MAC addresses are not guaranteed to be unique.

+1

No. And you should not implement security in JavaScript alone, since any competent developer with Firebug gets around it instantly.

0