10

Is there any way on an HTTPS page to detect (via javascript) whether the user has loaded the page despite SSL certificate problems?

Normally browsers make users click through several exception warnings and turn the address bar red, but in some contexts users may ignore this, and as an author of an application, I'd like to place additional in-application warnings to warn users against doing this. It would also be useful to be able to log such events.

Fabio Beltramini
  • In what context can user ignore it? – Nebril Aug 01 '14 at 13:38
  • https://support.mozilla.org/en-US/questions/923494 – Pankaj Sharma Aug 01 '14 at 13:40
  • I don't think this information is exposed to javascript at this time: http://stackoverflow.com/questions/2604399/is-there-a-way-to-get-ssl-certificate-details-using-javascript – some Aug 01 '14 at 14:00
  • @Nebril It depends on the browser vendor and version, but I know I sometimes do it in Firefox (it required clicking through 3 screens of browser warnings, but a generic warning is never going to be as effective as one specific to the page) – Fabio Beltramini Aug 01 '14 at 17:01
  • 1
    This comes very close... http://stackoverflow.com/questions/4129496/detect-broken-lock-icon-mixed-secure-insecure-content-from-javascript?rq=1 – Fabio Beltramini Aug 01 '14 at 20:41
  • Define "SSL certificate problems." Do you mean if the site is using a certificate not from a valid CA? Like a self-signed certificate for testing purposes? This would be site specific anyway and so all users would get the same warning. Please clarify. – nothingisnecessary Apr 30 '16 at 09:47
  • @nothingisnecessary Any situation in which the user had to click through SSL warnings to load the page. For example (1) loaded the page through a different hostname, (2) did not have the requisite CA in their trust store, (3) expired certificate, (4) certificate not from a CA, etc. – Fabio Beltramini May 02 '16 at 00:21

3 Answers

6

The short answer is that you can't.

The reason for this is that if you could it could raise some security issues.
The SSL validation is done by 3rd party components in the browsers and you don't have any way of "asking" the browser for the status.

For example in Chrome

The implementation itself is part of the browser code and not part of the V8 engine which is the JavaScript engine used by Chrome

So the answer is No, you can't tell if the connection is secured or not.

The only thing you can know with JavaScript is the protocol and not more than that.

Mårten Wikström
CodeWizard
  • "if you could it could raise some security issues." Could you elaborate, it's not clear why/how this is so (beyond any issue already present if the user is being MitM'd or simply visiting a fake site) – Fabio Beltramini Apr 30 '16 at 06:35
  • Also, for me to accept an answer of "No", it would be helpful to have some link to an authoritative source, rather than just a claim that it's not so. – Fabio Beltramini Apr 30 '16 at 06:37
4

The JavaScript in your browser doesn't have a function to do this. You need to use another language to get it.

Alternative 1 :

You can use an AJAX request to get SSL info, with an external API like How's My SSL? or with your own PHP page with a JSON response.

Alternative 2 :

Or you can print SSL info (last link) with PHP in your page, in a JS variable.

See :

Community
user2226755
  • If I understand correctly, "How's my SSL" doesn't test the same thing (but is a really cool tool). It reports on SSL capabilities of a client in general, and not on the status of a given pageload in the client. As for using your PHP script, the link is for a PHP script that tests a given host which is not representative of the client's connection to that same host – Fabio Beltramini May 02 '16 at 00:32
  • Although your answer doesn't answer the question completely, it still covers some cases (hostname mismatch, expired certificate) and is helpful. I am awarding the bounty, but still hoping at some point a more complete one would be available (e.g. one that covers (a) user not having the requisite CA in their trust store, (b) certificate not from a CA, e.g. due to casual MitM) – Fabio Beltramini May 03 '16 at 04:04
  • @FabioBeltramini I don't have enough knowledge of SSL to explain more, or to improve my reply. – user2226755 May 03 '16 at 16:55
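
An added example, not code from any answer on this page: the server-side part of the two alternatives above, written in JavaScript (Node) rather than PHP, covering only the cases the comments say a server can see for itself (hostname mismatch and certificate validity period). The function names and the shape of the `cert` object are assumptions made for illustration, and the sample certificate data is constructed.

```javascript
// Added example. `cert` is a hypothetical object holding the server's own
// certificate data: a "DNS:..." list of names plus ISO 8601 validity dates.

// Match one certificate DNS name against the requested host.
// A wildcard is honoured only as the entire left-most label.
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) => (i === 0 && label === '*' && p.length > 2) || label === h[i]);
}

// Warnings the browser would have raised for this Host header, limited to
// hostname mismatch and validity period. An untrusted CA or an intercepting
// proxy is invisible from here, because the server never sees the chain
// the client was actually shown.
function certWarningsFor(hostHeader, cert, now = new Date()) {
  const host = hostHeader.replace(/:\d+$/, '').replace(/\.$/, '');
  const names = cert.subjectaltname
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:'))
    .map((s) => s.slice(4));
  const warnings = [];
  if (!names.some((n) => dnsNameMatches(n, host))) warnings.push('hostname-mismatch');
  if (now < new Date(cert.valid_from)) warnings.push('not-yet-valid');
  if (now > new Date(cert.valid_to)) warnings.push('expired');
  return warnings;
}

// JSON for an AJAX response (Alternative 1) or for a JS variable printed
// into the page (Alternative 2). The Host header is client-controlled, so
// "<" is escaped to keep "</script>" out of an inline script block.
function pageSslStatus(hostHeader, cert, now) {
  const warnings = certWarningsFor(hostHeader, cert, now);
  const json = JSON.stringify({ host: hostHeader, ok: warnings.length === 0, warnings });
  return json.replace(/</g, '\\u003c');
}

// Constructed sample data, not taken from any real site.
const sampleCert = {
  subjectaltname: 'DNS:app.example.com, DNS:*.static.example.com',
  valid_from: '2016-01-01T00:00:00Z',
  valid_to: '2017-01-01T00:00:00Z',
};
```

In the page, the client script would read the embedded value and show the in-application warning or send a log entry when `ok` is false.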
3

Have you considered using online tools that analyze a site and provide a status? Something like https://www.jitbit.com/sslcheck/ might work.

ArcSine
  • This idea is at least helpful for a subset of the causes (host mismatch, certificate expiration)... though it still won't help for all situations (bad proxy, missing CA in trust store). Thanks – Fabio Beltramini May 02 '16 at 00:29