Get fingerprint of current page's SSL certific

2019-01-17 08:41发布

问题:

I'm attempting to write an extension which verifies the SHA1 fingerprint of a site's SSL certificate with a third party. However it doesn't seem to be possible to do this either through native JavaScript or Chrome's extension APIs.

I found this question which would seem to do what I want: How can I get the SSL Certificate info for the *current* page in a Firefox Extension

But unfortunately it is only applicable to Firefox. Is there any way to do this in a cross browser compatible way, or even just in Chrome?

回答1:

Not as of January 2014 (but there are bug reports on file).

Firefox

Firefox currently only has a way to provide certificate information passively, without any extension API to be able to block a connection that is deemed to have an inappropriate certificate. There's Mozilla Bug #644640 — "Implement extension point for extensions to influence trust decisions in PSM", which is tracking the ability to decline connections.

Chromium

Chrome, on the other hand, doesn't even let you examine the certificate in the first place; there's Chromium Issue #107793 — "Provide information about the TLS connections to extensions via the webRequest API", which appears to track both the ability to simply examine the certificates in the first place, and also to revoke trust, if needed.

(There's also an earlier Chromium Issue #49469 — "Feature request: Implement Extensions API for accessing information about HTTPS/SSL certificate for web page", but it would seem like Issue #107793 has taken over.)

The draft of Chromium API proposal as linked to Issue 107793 above (note that it's only a draft of the proposed interface, without an actual implementation so far):

  • https://sites.google.com/a/chromium.org/dev/developers/design-documents/extensions/proposed-changes/apis-under-development/webrequest-ssl-hooks