0

When facing an untrusted SSL certificate, all browsers show a dialog asking you to accept or add the exception. This has been discussed in this link. I am interested in finding a way in JavaScript to detect the untrusted SSL certificate error, then accept it into the browser's certificate list programmatically. Does such a JavaScript API exist?

JerryP
  • 3
    If there were, every SSL interception toolkit would have this, and the security of SSL would not be worth anything. The entire strength of SSL is the certificate authority process which ensures (in theory) a certificate was not modified by a MITM attack. – Dark Falcon May 23 '13 at 20:47
  • 1
    Exactly as @DarkFalcon said: the point is to surface this to the USER and not let some script do bad things. – Steve H. May 23 '13 at 21:52
  • This would be a severe breach of user trust/security. – Qantas 94 Heavy May 24 '13 at 00:15
  • 1
    So I guess there's not a way to do this? The reason I am asking is because we see the untrusted SSL certificate when using an iframe, but Firefox intentionally hid the "I Understand the Risks" section last year in [Bug 742645](https://bugzilla.mozilla.org/show_bug.cgi?id=742645). So if we can capture the error and accept the certificate programmatically in JavaScript, then our users don't have to accept the certificate in a new window. – JerryP May 25 '13 at 17:15

1 Answer

0

There is no possible option to programmatically accept untrusted certificates in Javascript or even directly install them.

It is important to understand why web browsers interrupt the user and inform them about security concerns. Trusting only officially signed certificates is very important. Otherwise, many attacks, such as man-in-the-middle, would easily be possible.

If your question is asked by your customer: make sure your customer understands how certificates and encryption in general work and why web browsers do not trust any certificates.

Related question: Determine if ajax call failed due to insecure response or connection refused

Horace P. Greeley