Re: [dev] [surf] badssl.com

From: Quentin Rameau <quinq_AT_fifth.space>
Date: Fri, 14 Oct 2016 13:08:57 +0200

Hi,

> It does, but it will still make the connection. I'd rather some
> dialog box, so that my session state won't be automatically passed
> along to an untrusted server. Not sure the most elegant way to do
> this - I suppose one could have a little dmenu prompt asking whether
> to continue the connection or cancel it.
I've implemented something like this in surf-webkit2, but I'm waiting on
another dmenu commit for it to be fully acceptable before pushing.

> > I've just been doing a bunch of digging in the TLS code under `void
> > loadstatuschange`. I was prompted because it listed my own domain as
> > untrusted. It turns out, if the website is cached and you visit a page
> > at https, the page will be marked untrusted. This is because `msg` will
> > have no certificate attached. I don't know if this behaviour is
> > intentional. You can test this with:
> > https://developer.gnome.org/gio/stable/gio-TLS-Overview.html
> >
> > Load the page, then close surf and open the page again. The first time
> > you visit it will be trusted, the second it will be untrusted. It will
> > load regardless of your `strictssl` setting. If it is untrusted the
> > first time, clear your cache in `~/.surf/cache/` then repeat the
> > experiment; you should see it.
>
> Good find, thanks, I had been wondering why some sites showed
> untrusted seemingly erroneously.
This is something known and “fixed” by the above solution (in the sense
that this will be a user-intended behaviour).

In any case, thanks for the feedback, I hope I can push those changes in
the near future.
The surf organisation is in a modification phase, for the better I hope,
keep connected for future changes.
Received on Fri Oct 14 2016 - 13:08:57 CEST