by ygjb-dupe 3678 days ago
Um, why?

If you, as a site owner, expect your page to be served over SSL, turn on Strict Transport Security, enable TLS, and turn off HTTP. STS will prevent someone from using sslstrip on you (STS means the browser won't talk to the site over HTTP after the first observance of the header, at least until expiry), and you can easily configure your web server to 301 all comers to a TLS connection.

If you want to detect and prevent MITM via client-side code, you can't - if the page has been MITM'd, the attacker can remove or modify your client-side code. If the page has been served over an MITM'd TLS connection (e.g. an enterprise proxy, etc.), then your code is unreliable, and the attacker (and yes, your enterprise proxy is an attacker) can remove or modify your client code.

If you want to use the certificate information to present information to the user, then you are attempting to train the user to trust security details about the connection in remotely loaded content instead of browser chrome (think lock icons in content vs. address bar indicators), and browser vendors don't like that, since it promotes bad habits.

I can't think of a single practical use for inspecting the certificate from JavaScript.

On the other hand, if I as a site owner run a battery-intensive site, I can observe the battery and notify the user that I am about to use all their power.
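The STS behaviour the comment relies on (the browser stops talking HTTP to a host once it has seen the header over TLS, until `max-age` expires) can be made concrete with a small model of a browser's HSTS policy store. The code below is an added example written for this page, not code from the commenter or from any browser; the class and function names are invented, and the `now` callback is an assumption that lets the expiry behaviour be driven by a fake clock. It follows the directive rules of RFC 6797 (a missing or duplicated `max-age` invalidates the header, `max-age=0` evicts the host, `includeSubDomains` covers child hosts) and ignores the header unless the response arrived over a secure transport, which is what stops an HTTP-side attacker from planting a policy.

```python
"""Model of a browser's HTTP Strict Transport Security (HSTS) policy store.

Added illustration for the comment above; names and the `now` callback are
assumptions made for the example, not a real browser API.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the policy lapses
    include_subdomains: bool   # whether child hosts are covered too


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid per RFC 6797 (max-age missing, non-numeric, or given twice).
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsPolicyStore:
    """Remembers which hosts must only be contacted over TLS."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.entries = {}       # host -> HstsEntry

    def observe(self, host, header_value, secure):
        """Record a policy seen in a response. Returns True if it was applied.

        RFC 6797 section 8.1: the header is ignored on non-TLS responses, so an
        attacker sitting on plain HTTP cannot inject or alter a policy.
        """
        if not secure:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:            # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return True
        self.entries[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host (or a covering parent with includeSubDomains) is still in force."""
        now = self.now()
        host = host.lower()
        entry = self.entries.get(host)
        if entry and entry.expires_at > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self.entries.get(parent)
            if entry and entry.expires_at > now and entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// if the host has a live policy.

        This is the step that defeats sslstrip: the browser never emits the
        plaintext request the attacker would need to intercept. Port 80 is
        dropped (RFC 6797 section 8.3); other explicit ports are kept as-is.
        """
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsPolicyStore()
    # Constructed header, as a site following the comment's advice would send it.
    store.observe("example.com", "max-age=31536000; includeSubDomains", secure=True)
    print(store.rewrite("http://www.example.com/login"))   # https://www.example.com/login
```

The `secure` flag on `observe` is the part worth noting: the policy is only ever learned from a TLS response, so the one plaintext request a first-time visitor makes (which the comment's 301 redirect turns into HTTPS) is the only window an on-path attacker ever gets, and preloading or a long `max-age` shrinks that further.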