Re: [dev] [surf] badssl.com

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Ali H. Fardan <raiz_AT_firemail.cc>
Date: Thu, 13 Oct 2016 00:16:08 +0300

That's in the config, the user should be responsible for it.

Raiz

On 2016-10-13 00:02, Alexander Keller wrote:
> I just took surf to badssl.com to test how the TLS implementation in
> surf reacts. To test I took the default Arch Linux package for a ride.
> It failed the test. This is because by default:
> static Bool strictssl = FALSE;
>
> Without this set to TRUE, the browser effectively does not look at the
> certificate. I understand the reason for turning it off (the whole PKI,
> X.509, HSTS, CSP, HPKP, and now freaking preload lists methodology
> sucks
> and DANE can't come soon enough), but to me this doesn't feel like the
> right way to hand invalid certificates by default (if the person
> chooses
> to turn off certificate validation, power to them).
>
> Would it not make more sense to allow the user to add the certificate's
> identity to a file in ~/.surf/ much like OpenSSH does? You can show it
> to them and ask if it is correct, then add it if they accept. This way
> only that file and cafile need to be tested for certificate validity,
> thus keeping the complexity arguably low. Setting this as the default
> means users are not locked out of sites with (for example) self signed
> certificates while also giving them a heads up on MITM attacks.
Received on Wed Oct 12 2016 - 23:16:08 CEST

This archive was generated by hypermail 2.3.0 : Wed Oct 12 2016 - 23:24:11 CEST