1

In our company we have a very robust automation framework which we try to keep well maintained via unit tests. We have flags to set whether or not SSL certs should be ignored or not. In order to ensure that this feature we are adding does not get broken in the future, we wish to add some unit tests to the build process to prevent deploying a broken build.

Essentially - I have 3 browsers I want to support.

Internet Explorer - when SSL certificates are not secure takes me to a website where I can verify text on a page to assert that the SSL connection is secure or not.

Chrome however, displays the red 'Not Secure' message at the top of the page.

Does anyone know off hand if there is a javascript API to hook into chrome that will let me get a boolean value to indicate if the current page has a valid SSL Cert?

Baaleos
  • 1,703
  • 12
  • 22
  • Have you tried -> `window.isSecureContext` – Keith Mar 26 '18 at 10:21
  • ...and, the third browser? You mentioned IE and Chrome... – T.J. Crowder Mar 26 '18 at 10:22
  • @Keith: For me, on Chrome, `isSecureContext` is true for an `https` page with an expired SSL certificate. And a (very) quick review of the working draft document suggests that's in-spec (for the current working draft). – T.J. Crowder Mar 26 '18 at 10:23
  • Yeah, the third browser will be Firefox - I tried window.isSecureContext - however it returns true for even 'Not Secure' pages. Essentially - I am within an SSL session, but it is an untrusted issuer. Eg: An internal test environment. – Baaleos Mar 26 '18 at 10:26
  • Of course- I am open to other solutions outside of Javascript if anyone knows any that will work. Essentially, I just need to have Selenium detect the Insecure connection - so I can make my test fail, and then make it pass by correcting it. Eg: Test Driven Development / Red-Green etc – Baaleos Mar 26 '18 at 10:29
  • `however it returns true for even 'Not Secure' pages` Are they localhost?, if so there classed as secure, but none `https://` to external websites will return false. Also expired certificates & even self signed are still secure, the user does get a warning about this though, so continuing is there choice. – Keith Mar 26 '18 at 10:33
  • eg. From chrome open up the browser, and in the console on this website do -> `window.isSecureContext` you will get `true`.. Amazingly go to http://www.bbc.co.uk/news , yes, currently the going to the bbc news website is not secure, do the same you will get `false`. – Keith Mar 26 '18 at 10:38
  • The certificates in our case is for a test environment - it shows up as an invalid certificate and when I view the certificate - 'Windows does not have enough information to verify the certificate' I guess I don't so much want to tell whether https is in use, I want to detect if the certificate is valid and ultimately returns a 'Secure' green lock or 'Not Secure' red error in the address bar. – Baaleos Mar 26 '18 at 10:44
  • `returns a 'Secure' green lock or 'Not Secure' red error in the address bar.` I'm confused now, the browser is going to do that anyway. IOW: your test cert, if it's not valid should not be showing a secure green lock in the address bar. – Keith Mar 26 '18 at 10:50
  • To clarify - isSecureContext returns true, however it is a Red error in the address bar that says 'Not Secure'. I know it is an insecure connection (SSL Certificate is untrusted) - but how can my test detect that. This is the crux of the problem. I need the C# Code / Selenium test to detect the insecure connection. I only know it is insecure because I have eyes to look. It is not that fortunate. – Baaleos Mar 26 '18 at 10:58
  • Why don't you simply launch Chrome without the `trust unsecured certificates` option/capability? Navigating a page will then give you the unsecured page which should be easy to assert. – Florent B. Mar 26 '18 at 11:21
  • You can't do that using JavaScript. This existing question already answers your query https://stackoverflow.com/questions/2402121/within-a-web-browser-is-it-possible-for-javascript-to-obtain-information-about – Tarun Lalwani Mar 26 '18 at 11:27
  • I am not setting any trust unsecured certificates capability for chrome, there is nothing to assert on. The only visual indicator of the page being dodgy / unsecured is the red padlock symbol on the address bar. chromeoptions.AddArgument("--lang=en-gb"); chromeoptions.AddArgument("--enable-extensions"); chromeoptions.AddArgument("--enable-experimental-extension-apis"); – Baaleos Mar 26 '18 at 14:00
  • @Baaleos, Chrome trusts unsecured certificates by default. To disable the option: https://stackoverflow.com/questions/47315407/chrome-is-allowing-insecure-pages-via-webdriver/47316519#47316519 – Florent B. Mar 27 '18 at 08:24

0 Answers0