Hello,

How can you detect if the client browser has SSL support? I am not referring to the server variables HTTPS_*. I want to be able to determine if the browser has no SSL support.

P.S. I know this is possible because this company (http://www.cyscape.com) has a product that can even detect when you unselect SSL support from your browser options.

A: 

All browsers have SSL support (period). No one is going to release a browser that cannot be used. HTTPS is a security requirement and a part of OWASP A3: Broken Authentication and Session Management.

Rook
Except of course crawlers and other types of bots may not have it :)
blowdart
A: 

While it is relatively easy to check if a server supports SSL connections, detecting browser support for the same is extremely difficult. The solution likely requires a client-side browser extension that implements the logic necessary to search through browser configuration or version information for SSL support. This problem becomes even more difficult, because the extension would need to work with multiple browsers.

If you do not want visitors that cannot connect to a particular page over SSL, there are usually server-side methods you can employ, such as redirecting them to a landing page where they are notified of the SSL requirement, or you can simply deny their web request.

Chris Hutchinson
And as The Rook said, it is reasonable to assume that most browsers currently in use have SSL support. If they do not, there are certainly methods available for refusing access to a site, both server-side and client-side.
Chris Hutchinson
A: 

As mentioned, there's no reason a modern web browser will have SSL disabled by default.

At the SSL level, does your server receive a connection when you give the browser an https link?

At the HTTP level, you could try various scenarios that assign a session cookie via HTTP, then update some session variables via links only accessible via HTTPS. Or you could set the "secure" attribute on a cookie and see how the browser handles it.

You could try a JavaScript methodology and inspect the window.location property or just try setting it to an https link. (Or try some Java functions using LiveConnect or do something similar with Flash.)

Is there a particular motivation for the question? If you're trying to determine SSL support for browsers that for some bizarre reason don't have SSL enabled, then a cookie or JavaScript approach should be fine. If you're trying to determine SSL support for an adversarial browser (e.g. a bot that doesn't follow robots.txt) or you have more reason to not trust client-side checks like JavaScript, then checking SSL either might not be a useful solution or you might have to go deeper into seeing if the SSL handshake differs from common browsers.

Mike
A: 

Checks for whether or not a client supports SSL will be subject to Man-in-the-Middle attacks where an active network attacker gains control of the user's connection and makes it appear as if the client doesn't support SSL.

This question is most often asked when developing mobile sites targeted at older phones that may not support real SSL (they support WAP-TLS). The number of phones in this category continues to shrink and my suggestion is to ignore them, maybe even going so far as to blacklist their user agents.

Chris Clark
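
The HTTP-then-HTTPS session probe from Mike's answer, with the man-in-the-middle caveat from Chris Clark's answer reflected in how the result is used. This is an added example, not code from any of the posters; `ProbeTracker`, `PROBE_WINDOW_MS`, the `/probe` path and `site.example` are hypothetical names, and the caller is assumed to supply session IDs, random tokens and timestamps.

```javascript
// Added example: server-side bookkeeping for an HTTP -> HTTPS capability probe.
// All names here are hypothetical; wire the methods into your own handlers.
const PROBE_WINDOW_MS = 5000; // assumed grace period for the HTTPS sub-request

class ProbeTracker {
  constructor() {
    this.bySession = new Map(); // sessionId -> probe record
    this.byToken = new Map();   // one-time token -> same record
  }

  // Plain-HTTP landing handler. The page it serves embeds a resource such as
  // <img src="https://site.example/probe?t=TOKEN"> (constructed URL).
  startProbe(sessionId, token, now) {
    const rec = { startedAt: now, httpsSeen: false };
    this.bySession.set(sessionId, rec);
    this.byToken.set(token, rec);
  }

  // HTTPS-only /probe handler. `viaTls` must come from the server's own
  // socket state, never from a client-supplied header or query parameter.
  recordProbeHit(token, viaTls) {
    const rec = this.byToken.get(token);
    if (!rec || !viaTls) return false;
    rec.httpsSeen = true;
    this.byToken.delete(token); // token is single use
    return true;
  }

  classify(sessionId, now) {
    const rec = this.bySession.get(sessionId);
    if (!rec) return 'unknown';
    if (rec.httpsSeen) return 'https-ok';
    return now - rec.startedAt < PROBE_WINDOW_MS ? 'pending' : 'no-https-observed';
  }
}

// 'no-https-observed' can also be produced by an on-path attacker dropping the
// probe, so it only selects a notice page and never unlocks an HTTP fallback.
function nextAction(state) {
  switch (state) {
    case 'https-ok': return 'redirect-to-https';
    case 'pending': return 'wait';
    default: return 'show-https-required-notice';
  }
}
```
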