Win a copy of Svelte and Sapper in Action this week in the JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
Sheriffs:
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
Bartenders:
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

check if my browser supports SSL or TLS

 
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is there any way in GWT or Javascript to identify which security my browser is enabled with TLS or SSL?
I want to show the user a popup based on that?
 
Rancher
Posts: 43016
76
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
All major browsers implement TLS. SSL support is successively being turned off due to the weaknesses in the SSL protocol - current or upcoming versions of Firefox and Chrome no longer support it, and other browsers are likely to follow suit. The client test at https://www.ssllabs.com/projects/index.html should be of interest.

What kind of information are you trying to convey to the user by showing this?
 
badri mohapatra
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Ulf, Thanks for the reply.

Actually we are trying to fight the POODLE issue. https://www.openssl.org/~bodo/ssl-poodle.pdf

So we are trying to check this info via a program while loading the website and if TLS is not enabled in the browser, we will show the user a popup to enable that and access again.
Basically we are trying to enforce the user to use TLS only.
 
Ulf Dittmer
Rancher
Posts: 43016
76
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Why aren't you simply turning off SSLv3 (and earlier versions, of course) at the server? That's what everybody else does.
 
badri mohapatra
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
you mean to say disable SSLv3 at webserver side? If we did, then should we also check it from browser side i.e. if user has enabled the SSL only not TLS in browser settings will he get any error?
 
Ulf Dittmer
Rancher
Posts: 43016
76
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes, if the server doesn't support SSL and the user has TLS support turned off in the browser, then a secure connection can not be established and teh user will get an error message to that effect.

I wouldn't be concerned about that - recent versions of browsers (Safari, Firefox, Chrome) don't even have a UI setting to turn off TLS. And even for browsers that do, which user is going to muck around with that? Seems a non-issue to me.
 
badri mohapatra
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Ulf,
Actually we are planning to do this in 2 phases,
1) Both SSL and TLS will be there at server side and we need to show a message to the user that to use TLS only in the browser.
2) After some time, we will only allow TLS from Server side.

So now the problem is in Phase 1 - to implement something in GWT to detect if the browser is enabled with TLS or not.

Thanks,
Badri
 
Ulf Dittmer
Rancher
Posts: 43016
76
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

show a message to the user that to use TLS only in the browser


That step seems unnecessary, since SSL support in browsers is already being deprecated fast. Also, if your target audience isn't a technically sophisticated one, they will struggle to understand what that means, and how to change that setting.

Overall, this two-phase approach seems misguided. I don't see a big benefit of keeping SSL active on the server at this point, and the huge downside that you're opening yourself up for attack (which IMO overrides whatever benefits there may be).
 
A lot of people cry when they cut onions. The trick is not to form an emotional bond. This tiny ad told me:
Thread Boost feature
https://coderanch.com/t/674455/Thread-Boost-feature
    Bookmark Topic Watch Topic
  • New Topic