Re: [TLS] SSL Logout possibility in Javascript

Henry Story <> Wed, 27 July 2011 16:15 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

I have just played around with the javascript login/logout possibilities mentioned by Anders Rundgren. The javascript I am using is at the end. Note that I am using xhtml currently, so that may have its own side effects - i.e., perhaps things work better in plain html... I am trying to see if login also works with javascript. That would be very useful, because people can easily click on the cancel button of a certificate, and the browser then remembers that decision. So I am looking to see if one can then force a login again...

Here are some temporary conclusions with browsers I tried on OSX

Firefox 5.0.1

 - logout works
 - login works if clicking the cancel button. One has to go to a new web page though.

Safari 5.1

  - logout does not work with javascript
   (but Safari does recognise TLS error codes sent, so that those can be used to logout - I have not tested this version though)

Chrome 13.0.782.99

  - logout does not work and neither does login

Opera 11.50
  - login, logout: does not recognise the window.crypto object

So that is good news. I guess that means we have Internet Explorer and Firefox we can easily 
logout with. Being able to log-in again as with Firefox in case a mistake is made is also very helpful.
Are there some other tricks one can use perhaps?

//this is for xhtml
//these functions are described here
<script language="JavaScript" type="text/javascript">
     function logout() {
       if (document.all == null) { // FF, Opera, etc
           alert('logout in ff,opera...');
           if (window.crypto) window.crypto.logout();
           else alert('no window.crypto');
       } else { // MSIE 6+
           alert('logout in msie');
       }
     }
     function login() {
       if (document.all == null) { // FF, Opera, etc
           alert('login in ff,opera...');
           // login() calls window.crypto.logout() here, as in the posted code
           if (window.crypto) window.crypto.logout();
           else alert('no window.crypto');
       } else { // MSIE 6+
           alert('login in msie');
       }
     }
</script>

Social Web Architect
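
The browser matrix in the message above suggests testing for the logout capability itself rather than branching on document.all. The following is an added example, not part of the original message: `tlsLogout`, the `mocks` object and the result shape are hypothetical names, and the `ClearAuthenticationCache` command for Internet Explorer is an assumption that does not appear in the post.

```javascript
// Added example: capability-based TLS client-certificate logout.
// `win` and `doc` are parameters so the logic can be exercised outside a browser.
function tlsLogout(win, doc) {
  // Non-standard window.crypto.logout(), the call used in the posted script.
  if (win && win.crypto && typeof win.crypto.logout === 'function') {
    try {
      win.crypto.logout();
      return { method: 'crypto.logout', cleared: true };
    } catch (e) {
      return { method: 'crypto.logout', cleared: false, error: String(e) };
    }
  }
  // Assumption (not in the post): Internet Explorer's proprietary command.
  // Browsers that lack it return false or throw, so both cases fall through.
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache', false, null) === true) {
        return { method: 'ClearAuthenticationCache', cleared: true };
      }
    } catch (e) {
      // unsupported command: fall through to the 'none' result
    }
  }
  // No client-side mechanism: the server has to end the TLS session itself.
  return { method: 'none', cleared: false };
}

// Constructed stand-ins for browser objects, not captures of real browsers.
const mocks = {
  cryptoLogout: {
    win: { crypto: { called: false, logout() { this.called = true; } } },
    doc: { execCommand: () => false },
  },
  execCommandOnly: {
    win: {},
    doc: { execCommand: (cmd) => cmd === 'ClearAuthenticationCache' },
  },
  cryptoWithoutLogout: {
    win: { crypto: {} },
    doc: { execCommand: () => { throw new Error('unsupported command'); } },
  },
  noCrypto: { win: {}, doc: { execCommand: () => false } },
};

function runMocks() {
  const out = {};
  for (const name of Object.keys(mocks)) {
    out[name] = tlsLogout(mocks[name].win, mocks[name].doc);
  }
  return out;
}
```

A `none` result is the case where the page cannot clear the certificate choice from script and has to rely on the server side, as the Safari note in the message describes.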