The Question

Is there a way to detect whether a visitor trusts the SSL connection/certificate? I really could not find anything on the web or on stackoverflow. I think it's a pretty uncommon question.

A Use-Case

I'm using a certificate from StartSSL. It works fine for most common and modern browsers. But on my Windows Phone using IE I get a warning. That's because the root certificate is not known to IE on Windows Phone by default.

The solution is easy: just download the certificate - two clicks/taps. I would like to provide a tiny guide to the common visitor on how to do this. However, only visitors with problems should get the message.

Arne L.

2 Answers

1

Visitors who connect to your site via HTTPS simply won't get to your site if they don't trust your certificate. Once an exception has been added, there's no way for you to determine whether or not it's generally trusted or an exception.

Perhaps you could try to build a list of user-agents and make a guess as to what their default CAs should be, so as to be able to display an additional message in this case. It's not a perfect rule (since you can never fully control what the client trusts, it's the user/admin's responsibility), and has the disadvantages of user-agent specific content; in particular, it's not necessarily reliable, you won't have a complete database, and users who've already added the exception or imported the certificate permanently would see this additional message (unless you use something like a cookie to remember).

If your initial page is over plain HTTP, you might be able to try an XHR request to your HTTPS site and report whether it worked at all. (You might need to take into account the Same Origin Policy.)

Bruno
  • I tried using an XHR request, but didn't get it working. I'm not very experienced on this subject. Therefore, I would be glad to hear from somebody else. At the moment I'm thinking about using a user-agent whitelist. Visitors with a browser not being on this list will get a message displayed where appropriate. – Arne L. Sep 22 '12 at 06:30
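The HTTP-page-to-HTTPS probe from the answer above, written out as an added example (not code from the answer or from the question's site). It assumes a hypothetical endpoint `https://www.example.com/tls-probe`, a hypothetical page element `cert-guide` holding the install instructions, and uses `mode: 'no-cors'` so the probe works without CORS headers on the HTTPS side (the Same Origin Policy caveat): the response is opaque, but the promise only resolves at all if the TLS handshake succeeded.

```javascript
// Added example, not from the original answer. Probe, from a plain-HTTP page, whether the
// browser completes a TLS connection to the HTTPS origin, and show the install guide only
// when it does not. PROBE_URL is a hypothetical endpoint; any fast URL on the HTTPS origin
// will do. With mode: 'no-cors' the response is opaque (status 0), yet fetch still rejects
// when the certificate is not trusted, which is the only signal this technique needs.
const PROBE_URL = 'https://www.example.com/tls-probe'; // hypothetical
const PROBE_TIMEOUT_MS = 5000;
const DISMISS_KEY = 'certGuideDismissed';

// Maps the raw outcome of the probe to a verdict. A rejected certificate reaches script as
// the same generic TypeError as a dead network, so only "trusted" is a definite answer.
function classifyProbe(outcome) {
  if (outcome.resolved) return 'trusted';                   // any response means TLS worked
  if (outcome.errorName === 'AbortError') return 'unknown'; // timed out: say nothing
  return 'untrusted-or-unreachable';
}

// Runs the probe. fetchImpl is injected so the logic can be exercised outside a browser.
async function probeTls(fetchImpl, url = PROBE_URL, timeoutMs = PROBE_TIMEOUT_MS) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    await fetchImpl(url, { mode: 'no-cors', cache: 'no-store', signal: controller.signal });
    return classifyProbe({ resolved: true });
  } catch (err) {
    return classifyProbe({ resolved: false, errorName: err && err.name });
  } finally {
    clearTimeout(timer);
  }
}

// Show the guide once per visitor; a dismissal flag (localStorage here, a cookie would do)
// keeps users who already imported the root certificate from seeing it again.
function shouldShowGuide(verdict, alreadyDismissed) {
  return verdict === 'untrusted-or-unreachable' && !alreadyDismissed;
}

// Browser entry point; does nothing when loaded outside a page (e.g. under Node).
if (typeof document !== 'undefined' && typeof fetch === 'function') {
  probeTls(fetch).then((verdict) => {
    const dismissed = localStorage.getItem(DISMISS_KEY) === '1';
    const guide = document.getElementById('cert-guide'); // hypothetical element with the guide
    if (guide && shouldShowGuide(verdict, dismissed)) {
      guide.hidden = false;
      const btn = guide.querySelector('button'); // hypothetical "don't show again" button
      if (btn) btn.onclick = () => localStorage.setItem(DISMISS_KEY, '1');
    }
  });
}
```

Because an untrusted certificate and an unreachable host look identical to script, the guide text should be phrased as "if you saw a certificate warning" rather than as a certainty.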
-1

I am not sure whether there is a foolproof way to auto-detect this condition. You may have to rely on a workaround.

Detect whether the request is from a phone by inspecting the user-agent in the header, check whether it's the first time they are accessing your site (absence of your site's cookie etc.) and if they are a first time user, redirect the response to an (HTTP) page with instructions to install the certificate. You can provide a check box on that page for users to suppress that redirect behavior in future. If they want it to be suppressed, set a cookie, or store their preference on the server (if there is authentication).

helios
  • If the client doesn't trust the certificate, the SSL connection is never formed at all, so you won't even have any headers to look at. – user207421 Sep 21 '12 at 21:10
  • The problem is not limited to mobile browsers. It could also be an old one or a self-compiled or or or. – Arne L. Sep 22 '12 at 06:37