Re: [dev] [surf] badssl.com

From: Alexander Keller <contact_AT_nycroth.com>
Date: Thu, 13 Oct 2016 12:20:31 -0400

> surf is not _silently_ ignoring them. If the validation fails, `sslfailed` will be true and in the window title you can see a `…:U` for untrusted instead of `…:T` for trusted.

You're right. It does provide that feedback. My apologies. :)

I've just been doing a bunch of digging in the TLS code under `void
loadstatuschange`. I was prompted because it listed my own domain as
untrusted. It turns out, if the website is cached and you visit a page
at https, the page will be marked untrusted. This is because `msg` will
have no certificate attached. I don't know if this behaviour is
intentional. You can test this with:
https://developer.gnome.org/gio/stable/gio-TLS-Overview.html

Load the page, then close surf and open the page again. The first time
you visit it will be trusted, the second it will be untrusted. It will
load regardless of your `strictssl` setting. If it is untrusted the
first time, clear your cache in `~/.surf/cache/` then repeat the
experiment you should see it.
Received on Thu Oct 13 2016 - 18:20:31 CEST

This archive was generated by hypermail 2.3.0 : Thu Oct 13 2016 - 18:24:12 CEST