I created a dashboard to view some basic info about the TLS certificates that I manage for various websites, including days to expiration, Issuer, Issuer Common Name, and certificate common name. It's also useful for enterprise infrastructure if you have to manage lots of web server certificates as part of a security or ops team.
I use a node module to scrape the peer certificate info, and then dump it into a file that a web page picks up. It's not real-time, out of concern for too many people hitting or reloading the page and kicking off too many connection attempts at once.
I would really appreciate it if browsers could implement some kind of JavaScript API for retrieving cert information of the current page. (In my opinion it would make more sense than the Battery Status API [1].)
For the current page? What could you usefully do with that information? You should know what certificate you're serving, and if it isn't that certificate, the page is hopefully not being displayed at all. The browser should be protecting the user from MITM.
If you, as a site owner, expect your page to be served over SSL, turn on Strict Transport Security, enable TLS, and turn off HTTP. STS will prevent someone from using sslstrip on you (STS means the browser won't talk to the site over HTTP after the first observance of the header, at least until expiry), and you can easily configure your web server to 301 all comers to a TLS connection.
If you want to detect and prevent MITM via client side code, you can't - if the page has been MITM'd the attacker can remove or modify your client side code. If the page has been served over an MITM'd TLS connection (e.g. enterprise proxy, etc), then your code is unreliable, and the attacker (and yes, your enterprise proxy is an attacker) can remove or modify your client code.
If you want to use the certificate information to present information to the user, then you are attempting to train the user to trust security details about the connection in remotely loaded content instead of browser chrome (think lock icons in content vs. address bar indicators), and browser vendors don't like that, since it promotes bad habits.
I can't think of a single practical use for inspecting the certificate from JavaScript.
On the other hand, if I as a site owner run a battery intensive site, I can observe the battery and notify the user that I am about to use all their power.
You may laugh. But in an enterprise, it is the CA's job internally to help manage and communicate expirations to users. If there are 10,000+ certs in an org, you want a tool to manage them.
Fair point that it's the CA's job, but typically their solution is "We'll send you emails at certain thresholds". That kind of thing tends to get lost in the noise of daily work, especially at places with poorly defined processes.
I've also worked at places that used multiple CAs, and that makes it more difficult to manage. This at least can pull the info in based on what the server is actually using, and puts everything on one screen, regardless of the CA it came from.
An example is here: https://craine.gitlab.io/tls-dashboard/
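The collection step described in the thread (read each server's peer certificate from Node, reduce it to the dashboard fields, write a file a static page loads) can be sketched as follows. This is an added example, not the dashboard's own code; the function names, the 7/30-day thresholds, the `certs.json` file name and the sample certificate are assumptions.

```javascript
// Added example. Thresholds (7/30 days) and the output file name are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample in the shape returned by tls.TLSSocket#getPeerCertificate().
const SAMPLE_CERT = {
  subject: { CN: 'www.example.test' },
  issuer: { O: 'Example Trust Services', CN: 'Example Issuing CA 1' },
  valid_to: 'Mar 15 12:00:00 2025 GMT',
};

// Reduce a peer certificate to one dashboard row.
function summarizeCert(host, cert, now = new Date()) {
  // getPeerCertificate() returns {} when the peer sent no certificate.
  if (!cert || !cert.valid_to) return { host, status: 'no-certificate' };
  const notAfter = new Date(cert.valid_to);
  const daysLeft = Math.floor((notAfter - now) / DAY_MS);
  const status = daysLeft < 0 ? 'expired' : daysLeft <= 7 ? 'critical'
    : daysLeft <= 30 ? 'warning' : 'ok';
  return {
    host, daysLeft, status,
    commonName: cert.subject?.CN ?? null,
    issuer: cert.issuer?.O ?? null,
    issuerCommonName: cert.issuer?.CN ?? null,
    validTo: notAfter.toISOString(),
  };
}

// Read the leaf certificate the server actually presents.
function fetchPeerCertificate(host, port = 443, timeoutMs = 5000) {
  const tls = require('node:tls'); // loaded only when a scan runs
  return new Promise((resolve, reject) => {
    // Validation is off so expired or privately issued certs are still reported.
    const opts = { host, port, servername: host, rejectUnauthorized: false };
    const socket = tls.connect(opts, () => { resolve(socket.getPeerCertificate()); socket.end(); });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error(`timeout: ${host}`)));
    socket.on('error', reject);
  });
}

// Scan hosts one at a time and write the file the static page loads.
async function writeReport(hosts, outFile = 'certs.json') {
  const rows = [];
  for (const host of hosts) {
    try { rows.push(summarizeCert(host, await fetchPeerCertificate(host))); }
    catch (err) { rows.push({ host, status: 'unreachable', error: err.message }); }
  }
  require('node:fs').writeFileSync(outFile, JSON.stringify(rows, null, 2));
  return rows;
}
```

Running `writeReport([...hosts])` from a scheduled job rather than on page load keeps the number of outbound connections independent of how many people open the dashboard.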