vakus

Reputation: 740

How to check if website was loaded securely

I was wondering whether there is a way to check in JavaScript that the website was loaded fully securely, and that it was not modified on the user's side (for example by a malicious addon).

I found that such malicious addons often break SSL by adding adverts or other malicious scripts, therefore I am wondering how I could detect a mixed content warning such as the one displayed in this image: mixed content example (image taken from https://www.ssl2buy.com/wiki/fix-mixed-content-nonsecure-items-error-on-ssl-secure-site )

I have found the following questions, however I believe that those questions do not fully answer my question:

My question is how to detect if the website was loaded insecurely (or modified at the user's end), even if the protocol used was https://

Side note: I know that such a script could easily be deleted by an addon that adds the malicious scripts/adverts/etc., however I prefer to have an additional layer of security.

Upvotes: 1

Views: 424

Answers (1)

user1532132

Reputation: 837

I was wondering whether there is a way to check in JavaScript that the website was loaded fully securely

Well, assuming a malicious addon is able to manipulate your DOM content, I believe you can't.

You can however check whether the page was loaded fully encrypted.

One approach for doing so is to check the protocol of A) the current URL and B) all href and src attributes in your DOM. But this cannot prove that your page was loaded fully securely. It may only confirm that all loaded content on your site was encrypted, but an attacker can (and they actually do) get a TLS/SSL certificate (e.g. using Let's Encrypt) and simply distribute their malicious code using HTTPS. Furthermore, you would have to check your DOM for iFrames, which might also be able to execute malicious code.

The only thing you could do that might address the issue is to check all hrefs & src as mentioned above and additionally compare them against a whitelist.

Eventually as you already mentioned, your script can be easily blocked by the malicious addon. Therefore, I am not convinced such a script is worth the time.

Upvotes: 1
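
The check described in the answer above (page protocol, every href and src including iframes, then an allowlist comparison), as an added example that is not part of the original answer. `ALLOWED_ORIGINS`, the function names and the sample references are constructed for illustration.

```javascript
// Added example: ALLOWED_ORIGINS and sampleRefs are constructed values.
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://cdn.example.com"]);

// Resolve each reference against the page URL, then flag non-HTTPS schemes
// (mixed content; data: and mailto: land here too) and HTTPS origins that
// are not on the allowlist.
function auditReferences(pageUrl, refs, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  if (new URL(pageUrl).protocol !== "https:") {
    findings.push({ url: pageUrl, reason: "page-not-https" });
  }
  for (const { tag, attr, value } of refs) {
    let u;
    try {
      u = new URL(value, pageUrl); // handles relative and //host/path URLs
    } catch {
      findings.push({ tag, attr, url: value, reason: "unparseable" });
      continue;
    }
    if (u.protocol !== "https:") {
      findings.push({ tag, attr, url: u.href, reason: "not-https" });
    } else if (!allowed.has(u.origin)) {
      findings.push({ tag, attr, url: u.href, reason: "origin-not-allowed" });
    }
  }
  return findings;
}

// Browser side: collect src/href from the live DOM (iframes included).
function collectDomReferences(doc) {
  return [...doc.querySelectorAll("[src], [href]")].flatMap((el) =>
    ["src", "href"]
      .filter((a) => el.hasAttribute(a))
      .map((a) => ({ tag: el.tagName.toLowerCase(), attr: a, value: el.getAttribute(a) }))
  );
}

// Constructed sample standing in for collectDomReferences(document).
const sampleRefs = [
  { tag: "script", attr: "src", value: "/static/app.js" },
  { tag: "img", attr: "src", value: "//cdn.example.com/logo.png" },
  { tag: "script", attr: "src", value: "http://cdn.example.com/lib.js" },
  { tag: "script", attr: "src", value: "https://ads.invalid/inject.js" },
  { tag: "iframe", attr: "src", value: "https://widgets.invalid/frame.html" },
];

console.log(auditReferences("https://example.com/account", sampleRefs));
```

In a page, call `auditReferences(location.href, collectDomReferences(document))`; the core function takes plain data, so it can also be run outside a browser.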
