Reputation: 495
Is there a way to detect in JavaScript if the site was loaded over HTTPS using an SSL certificate untrusted by the browser (but accepted by the user)? I.e. it is an invalid/expired/self-signed SSL certificate.
window.isSecureContext does not indicate this, it is true in all cases I tried on my own and on badssl.com if the page is loaded over HTTPS.
My use case: I am trying to use ApplicationCache but it refuses to work: on Chrome it fires the error callback with exception message "Manifest fetch failed (9)", on Firefox it fails silently.
As this means the browser behaves differently, I hope it is detectable and I would like to make sure ApplicationCache is skipped altogether when it cannot be used.
I'd not like to create a separate SSL connection from JavaScript (user might have certs of custom CAs installed, etc.), nor try-catch an exception with ApplicationCache.
Upvotes: 5
Views: 2369
Reputation: 3
Is there a way to detect in JavaScript if the site was loaded over HTTPS using an SSL certificate untrusted by the browser (but accepted by the user)? I.e. it is an invalid/expired/self-signed SSL certificate.
Yes, it is possible, however it requires more than just JavaScript on the client.
You can set up a server that takes an HTTPS link and returns whether the certificate is valid. This way, by using a JavaScript fetch command you can verify whether or not the certificate is trusted/valid.
Upvotes: 0
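One way to build the server-side check described in the answer above, as an added Node.js example that is not code from the answer; `ALLOWED_HOSTS`, `parseTarget` and `checkCertificate` are hypothetical names and the hosts are placeholders. The verdict comes from the checking server's trust store, so it cannot see an exception the user accepted in the browser or a custom CA installed there.

```javascript
// Added example. Hypothetical names: ALLOWED_HOSTS, parseTarget,
// checkCertificate. The hosts below are placeholders.
const ALLOWED_HOSTS = new Set(["www.example.com", "static.example.com"]);

// Validate the client-supplied link before the server connects anywhere.
// Only https:// URLs for allowlisted hosts pass, so the endpoint cannot be
// pointed at arbitrary or internal addresses.
function parseTarget(link, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (!allowed.has(url.hostname)) return { ok: false, reason: "host not allowed" };
  return { ok: true, host: url.hostname, port: Number(url.port) || 443 };
}

// Complete the TLS handshake even when the certificate is bad, then report
// what this server's trust store (not the visitor's browser) thinks of it.
async function checkCertificate(host, port = 443, timeoutMs = 5000) {
  const tls = await import("node:tls");
  return new Promise((resolve) => {
    const socket = tls.connect(
      { host, port, servername: host, rejectUnauthorized: false },
      () => {
        const cert = socket.getPeerCertificate();
        resolve({
          trusted: socket.authorized, // chain and hostname both verified
          error: socket.authorizationError ? String(socket.authorizationError) : null,
          validTo: cert.valid_to || null,
          fingerprint256: cert.fingerprint256 || null,
        });
        socket.end();
      }
    );
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error("timeout")));
    socket.on("error", (err) => resolve({ trusted: false, error: err.code || err.message }));
  });
}
```

An HTTP handler would call `parseTarget` on the submitted link and, only when `ok` is true, return the result of `checkCertificate(host, port)` as JSON for the page's `fetch` call.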
Reputation: 123280
A webpage cannot load over an untrusted SSL certificate. It might load over a certificate which is not publicly trusted but where the user has explicitly added an exception - which means that the user trusts the certificate.
It seems that you want to know instead if your site was loaded with a different certificate than your server provides, i.e. if there is some active man in the middle between the client and your server, like an SSL intercepting company proxy or a local antivirus product. For this you need to know the certificate details and compare these with your expectations. Unfortunately this is not possible from pure JavaScript.
For more on this see "Within a web browser, is it possible for JavaScript to obtain information about the HTTPS Certificate being used for the current page?" and "Is there a way to get SSL certificate details using JavaScript?". For an alternative approach of detecting the MITM at the server side see "Detect man-in-the-middle on server side for HTTPS" or "Detecting HTTPS Interception" (with the caddy webserver).
Upvotes: 3