"Workstation" Product defaults to wide-open firewall

Kevin Kofler kevin.kofler at chello.at
Tue Dec 9 18:13:53 UTC 2014


Michael Catanzaro wrote:
> The default for an invalid TLS certificate should be to fail, no
> exceptions, since we know that a user clicking Yes is almost always
> picking the wrong option.

Nonsense (and this is one of the reasons I hate Firefox). The right answer 
for an "invalid" TLS certificate is almost always "Accept". Many sites 
cannot or do not want to afford a "valid" certificate from the CA cartel, 
and thus ship with self-signed certificates, or certificates by a non-cartel 
CA such as CAcert which we also don't trust. In addition, expiry dates are 
checked strictly (IMHO, they should be ignored entirely as they're just a 
ploy by the cartel to get you to pay regularly for renewal, or given at 
least a month of tolerance), so if the site forgot (or couldn't afford) to 
renew it on time, there too, "invalid" certificate. The draconian approach 
to TLS certificates only makes sites use unencrypted (and thus totally 
insecure) HTTP instead, which is absolutely counterproductive.

Konqueror does what browsers have always done before this braindead Firefox 
decision: It asks the user. And that's much better than default deny in this 
case.

        Kevin Kofler



More information about the devel mailing list