Re: [dev] [surf]

From: Ali H. Fardan <>
Date: Thu, 13 Oct 2016 00:16:08 +0300

That's in the config, the user should be responsible for it.


On 2016-10-13 00:02, Alexander Keller wrote:
> I just took surf to to test how the TLS implementation in
> surf reacts. To test I took the default Arch Linux package for a ride.
> It failed the test. This is because by default:
> static Bool strictssl = FALSE;
> Without this set to TRUE, the browser effectively does not look at the
> certificate. I understand the reason for turning it off (the whole PKI,
> X.509, HSTS, CSP, HPKP, and now freaking preload lists methodology
> sucks
> and DANE can't come soon enough), but to me this doesn't feel like the
> right way to hand invalid certificates by default (if the person
> chooses
> to turn off certificate validation, power to them).
> Would it not make more sense to allow the user to add the certificate's
> identity to a file in ~/.surf/ much like OpenSSH does? You can show it
> to them and ask if it is correct, then add it if they accept. This way
> only that file and cafile need to be tested for certificate validity,
> thus keeping the complexity arguably low. Setting this as the default
> means users are not locked out of sites with (for example) self signed
> certificates while also giving them a heads up on MITM attacks.
Received on Wed Oct 12 2016 - 23:16:08 CEST

This archive was generated by hypermail 2.3.0 : Wed Oct 12 2016 - 23:24:11 CEST