I was wondering whether there is a way to check in JavaScript that the website was loaded fully securely, and that it was not modified on the user's side (for example by a malicious addon).

I found that such malicious addons often break SSL by adding adverts or other malicious scripts, therefore I am wondering how I could detect a mixed content warning such as the one displayed in this image: mixed content example (the image is taken from https://www.ssl2buy.com/wiki/fix-mixed-content-nonsecure-items-error-on-ssl-secure-site )

I have found the following questions, however I believe that those questions do not fully answer my question:

My question is how to detect if the website was loaded insecurely (or modified at the user's end), even if the protocol used was https://

Side note: I know that such a script could be easily deleted by an addon that adds the malicious scripts/adverts/etc., however I prefer to have an additional layer of security.

vakus
  • I am not sure it is possible. It is beyond what JavaScript can do. – Praveen Kumar Purushothaman Jul 19 '17 at 11:57
  • I see, it was something I was expecting while asking this question. I will however leave the question here, in case someone would find some genius solution to this problem – vakus Jul 19 '17 at 12:15
  • SSL is not broken, the page is composed of multiple resources with multiple requests and not all are SSL. Read the messages closely. – zaph Jul 19 '17 at 14:02
  • @zaph: Of course it does not actually break SSL but a manipulation of the DOM, especially mixed-content enables Man-in-the-Middle-Attacks, hence bypasses the underlying security concept. I guess this is what the author is trying to address and in my view it is a valid concern. – user1532132 Jul 19 '17 at 20:13
  • There are a number of APIs which have altered functionality when the page is not secure, e.g. MediaDevices... could one of these be used somehow? – user9645 Feb 07 '23 at 18:40

1 Answer

I was wondering whether there is a way to check in JavaScript that the website was loaded fully securely

Well, assuming a malicious addon is able to manipulate your DOM content, I believe you can't.

You can however check whether the page was loaded fully encrypted.

One approach for doing so is to check the protocol of A) the current URL and B) all href and src attributes in your DOM. But this cannot prove that your page was loaded fully securely. It may only confirm that all loaded content on your site was encrypted, but an attacker can (and they actually do) get a TLS/SSL certificate (e.g. using letsencrypt) and simply distribute their malicious code using HTTPS. Furthermore, you would have to check your DOM for iFrames which might also be able to execute malicious code.

The only thing you could do that might address the issue is to check all hrefs & src as mentioned above and additionally compare them against a whitelist.

Eventually as you already mentioned, your script can be easily blocked by the malicious addon. Therefore, I am not convinced such a script is worth the time.

user1532132
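
The href/src check with a whitelist that the answer above describes could look like the following. This is an added example, not code from the answer's author; the function names, the origins and the sample entries are all constructed for illustration.

```javascript
// Added example; function names, origins and sample entries are constructed.

// Resolve one href/src value against the page URL and classify it.
function classifyUrl(rawValue, pageUrl, allowedOrigins) {
  let url;
  try {
    url = new URL(rawValue, pageUrl); // handles relative and //host/path forms
  } catch (err) {
    return "unparseable";
  }
  if (url.protocol === "http:") return "insecure"; // mixed content candidate
  if (url.protocol !== "https:") return "other-scheme"; // data:, javascript:, ...
  return allowedOrigins.has(url.origin) ? "ok" : "foreign-origin";
}

// Return every entry that is not HTTPS from the page origin or a listed origin.
function auditResources(pageUrl, resources, extraOrigins) {
  const page = new URL(pageUrl);
  const allowed = new Set([page.origin, ...extraOrigins]);
  const findings = [];
  if (page.protocol !== "https:") {
    findings.push({ tag: "document", attr: "location", value: pageUrl, verdict: "insecure" });
  }
  for (const entry of resources) {
    const verdict = classifyUrl(entry.value, pageUrl, allowed);
    if (verdict !== "ok") findings.push({ ...entry, verdict });
  }
  return findings;
}

// Browser-only: collect src/href values from the DOM (iframes carry src too).
// Usage: auditResources(location.href, collectResources(document), [...]).
function collectResources(doc) {
  return Array.from(doc.querySelectorAll("[src], [href]"), (el) => {
    const attr = el.hasAttribute("src") ? "src" : "href";
    return { tag: el.tagName.toLowerCase(), attr, value: el.getAttribute(attr) };
  });
}

// Constructed sample standing in for collectResources(document) output.
const SAMPLE_PAGE = "https://shop.example/cart";
const SAMPLE_ALLOWED = ["https://cdn.example"];
const SAMPLE_RESOURCES = [
  { tag: "script", attr: "src", value: "/js/app.js" },                    // same origin
  { tag: "link", attr: "href", value: "https://cdn.example/site.css" },   // whitelisted
  { tag: "img", attr: "src", value: "http://ads.example/banner.png" },    // plain HTTP
  { tag: "script", attr: "src", value: "//tracker.example/t.js" },        // HTTPS, not listed
  { tag: "iframe", attr: "src", value: "https://widgets.example/frame" }, // HTTPS, not listed
];
console.log(auditResources(SAMPLE_PAGE, SAMPLE_RESOURCES, SAMPLE_ALLOWED));
```

The "foreign-origin" verdict covers the case the answer raises: content served over valid HTTPS from an origin the site never referenced.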