PHP server-side and JavaScript client-side: How to detect a man-in-the-middle attack or deep packet inspection?

I want to add an extra layer of security on a website. I am using a Let's Encrypt SSL certificate on my Linux server. A legitimate user accesses my website using HTTPS, but he is not in control of the (company-issued) device/browser he is using. It might be that an extra SSL certificate has been added to his browser to enable a man-in-the-middle attack or deep packet inspection, e.g. at the firewall. If this is the case, a warning or some alternative content should be echo'ed in PHP. I am thinking along the lines of client-side JavaScript sending back to the server some data about the certificate in use at the browser and then comparing this to the certificate data visible at the server.

I am aware that a very dedicated man-in-the-middle could fabricate all communication and change the JavaScript code at the client, and then detection would be impossible. But I want it to detect 'common'/'simple'/'standard tools using' man-in-the-middle attacks or deep packet inspection.

Wolf
  • Generally you would use digital signatures (as in JWT/JOSE or [Paseto](https://paragonie.com/blog/2018/03/paseto-platform-agnostic-security-tokens-is-secure-alternative-jose-standards-jwt-etc)) to sign the payload. – Jared Farrish Nov 02 '19 at 13:33
  • As far as "deep packet inspection", unless the packets themselves are changed, I don't think you can detect this? – Jared Farrish Nov 02 '19 at 13:35
  • I want to detect the presence of the man-in-the-middle by detecting tampering with certificates. A mismatch of signatures of the data payload would show only if payload packets had been changed. – Wolf Nov 02 '19 at 17:28
  • I don't think PHP is relevant for detecting network-level tampering as you're describing. It doesn't establish the transport layer; the server technology (nginx, Apache) does. If you were connecting with Guzzle or something, perhaps, if you could control or at least access the key exchange, but for requests over HTTP, that seems closer to wire sniffing. – Jared Farrish Nov 02 '19 at 18:11

0 Answers
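The server-side half of the comparison the question describes, as an added example that is not part of the original thread: it fingerprints the leaf certificate the server really serves and classifies a fingerprint reported by a client. It assumes the report comes from a client that can read its peer certificate (for example Node's `tlsSocket.getPeerCertificate().fingerprint256`), since page JavaScript in a browser has no standard API for reading the TLS certificate. `leafFingerprint`, `normalize`, `checkReport` and the sample chains are hypothetical names and constructed data.

```javascript
const crypto = require('crypto');

// Constructed sample data: these PEM bodies are placeholder bytes, not real
// certificates. A SHA-256 fingerprint is computed over the DER bytes only,
// so the comparison logic is the same for a real fullchain.pem.
const pem = (bytes) =>
  '-----BEGIN CERTIFICATE-----\n' +
  Buffer.from(bytes).toString('base64') +
  '\n-----END CERTIFICATE-----\n';
const SERVER_CHAIN = pem('constructed leaf certificate') + pem('constructed intermediate');
const PROXY_CHAIN = pem('constructed certificate minted by an inspecting proxy');

// SHA-256 fingerprint (lowercase hex) of the first certificate in a PEM
// file; in a fullchain file the leaf certificate comes first.
function leafFingerprint(pemText) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pemText);
  if (!m) throw new Error('no certificate found in PEM input');
  const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Accept "AB:CD:..." or "abcd..." and return lowercase hex, or null if malformed.
function normalize(reported) {
  const hex = String(reported).replace(/:/g, '').toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

// Classify a client report: 'match', 'mismatch' (a different certificate
// terminated the client's TLS session) or 'invalid' (unusable report).
function checkReport(serverPem, reported) {
  const seen = normalize(reported);
  if (seen === null) return 'invalid';
  const expected = leafFingerprint(serverPem);
  const same = crypto.timingSafeEqual(Buffer.from(seen, 'hex'), Buffer.from(expected, 'hex'));
  return same ? 'match' : 'mismatch';
}
```

Because the report travels over the same connection being checked, a `match` only rules out an intermediary that leaves the report untouched, which is the limitation the question already accepts.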