How to find out if Chrome shows a security warning to the user about the current page not being secure?

Not Secure

I have been trying to use `window.isSecureContext` and to check whether the location protocol is https, but it all turns out as true even though I can see the warning in my Chrome browser. So is there any way to get this information?

Ilya Gazman
  • Possible duplicate of [Check in Javascript if a SSL Certificate is valid](http://stackoverflow.com/questions/2618944/check-in-javascript-if-a-ssl-certificate-is-valid) – Heretic Monkey Feb 16 '17 at 23:23
  • Why would a clientside script need to test this? – Bergi Feb 17 '17 at 01:17
  • @Bergi because the client is a bank, and if Chrome thinks that the page is not secure the client wants to be aware of that and show the proper message to the user. – Ilya Gazman Feb 17 '17 at 14:25
  • @Ilya_Gazman A user wouldn't believe any message from a page his browser told him not to trust? It's too late anyway when the page arrives at the user with invalid certificates, the bank architecture should be properly designed so that this never happens. If it's just about monitoring the server certificates, the bank doesn't need to do it with JS. – Bergi Feb 17 '17 at 14:39
  • @Bergi There is nothing the server can do against a man-in-the-middle attack, and there is no way to verify the client in JS. So once the browser sees it, I would like to shut down the site for that user. – Ilya Gazman Feb 17 '17 at 14:44
  • You cannot protect the user from a mim attack, a mim could remove any script that "shuts the site down". The "not secure" alert from Chrome itself is the only message that the user can rely on; you might want to educate them about that though. – Bergi Feb 17 '17 at 14:55
  • @Bergi Yeah the attacker can change anything in the site, but this is not a reason for a site to not want to protect itself as much as it can – Ilya Gazman Feb 17 '17 at 15:01
  • Given it's pretty much pointless, there is no API that allows you to access this information – Bergi Feb 17 '17 at 15:21

1 Answer


The short answer is No! It is impossible. JavaScript is a client-side language to deal with objects, not to communicate with servers and validate certificates.

The only possible thing is to check whether the protocol is https or not. The one that you see is actually a function something like this:

```javascript
window.iSSecureContext = function() {return document.location.protocol == 'https'; }
```

Amir H. Bagheri
  • JavaScript is a general-purpose language and can be used for much more than "dealing with clientside objects" (including communication with servers), the question is rather whether a browser environment hosts the necessary interfaces. – Bergi Feb 17 '17 at 01:19
  • it must be `window.iSSecureContext = function() {return document.location.protocol == 'https:'; }` – nivas Feb 17 '17 at 05:31
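
As an added example (not code from the question, the answer or the comments), this sketch compares the protocol check with an approximation of the origin test behind `window.isSecureContext`, following the "potentially trustworthy origin" rules of the W3C Secure Contexts spec for https/wss schemes and loopback hosts only. The function names are hypothetical and the URLs are constructed; both results are derived from the URL alone, and neither reads the browser's certificate or security-indicator state.

```javascript
// Added example; function names are hypothetical, URLs are constructed samples.

// The protocol check, with the trailing colon that location.protocol carries.
function protocolIsHttps(urlString) {
  return new URL(urlString).protocol === 'https:';
}

// Approximation of the "potentially trustworthy origin" test in the W3C
// Secure Contexts spec, limited to https/wss schemes and loopback hosts.
// A real browser also considers ancestor frames; that is not modelled here.
function originLooksTrustworthy(urlString) {
  const { protocol, hostname } = new URL(urlString);
  if (protocol === 'https:' || protocol === 'wss:') return true;
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (hostname === '[::1]') return true; // IPv6 loopback, brackets included
  // Anything in 127.0.0.0/8 is IPv4 loopback.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Put both URL-derived signals side by side for one page address.
function compareSignals(urlString) {
  return {
    url: urlString,
    protocolIsHttps: protocolIsHttps(urlString),
    secureContextApprox: originLooksTrustworthy(urlString),
  };
}

const samples = [
  'https://bank.example/login', // both signals true, whatever the certificate state
  'http://bank.example/login',  // both false
  'http://localhost:8080/',     // not https, yet a secure context
  'http://127.0.0.1:3000/',
  'http://[::1]:3000/',
];
for (const s of samples) console.log(compareSignals(s));
```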