"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Tue Dec 9 18:20:10 UTC 2014

On 09.12.2014 at 19:13, Kevin Kofler wrote:
> Michael Catanzaro wrote:
>> The default for an invalid TLS certificate should be to fail, no
>> exceptions, since we know that a user clicking Yes is almost always
>> picking the wrong option.
> Nonsense (and this is one of the reasons I hate Firefox). The right answer
> for an "invalid" TLS certificate is almost always "Accept".

I disagree here

* unconditional accept is wrong
* too easy accept is dangerous
* it is not hard to accept a self signed cert in FF

> Many sites
> cannot or do not want to afford a "valid" certificate from the CA cartel,
> and thus ship with self-signed certificates, or certificates by a non-cartel
> CA such as CAcert which we also don't trust. In addition, expiry dates are
> checked strictly (IMHO, they should be ignored entirely as they're just a
> ploy by the cartel to get you to pay regularly for renewal, or given at
> least a month of tolerance), so if the site forgot (or couldn't afford) to
> renew it on time, there too, "invalid" certificate. The draconian approach
> to TLS certificates only makes sites use unencrypted (and thus totally
> insecure) HTTP instead, which is absolutely counterproductive.

Until DANE is widely deployed, that sadly is not going to change.
That the CA idea is broken by design is not new...

> Konqueror does what browsers have always done before this braindead Firefox
> decision: It asks the user. And that's much better than default deny in this
> case.

* Firefox asks too
* it is not hard to accept a self signed cert
* BUT it is hard enough to defeat the "click OK somewhere" reflex

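To make the distinction drawn in the message above concrete (unconditional accept versus a deliberate exception for one known self-signed certificate), here is an added, self-contained Go example. It is not code from this thread, from Firefox, Konqueror or Fedora; all function names are mine, and the certificates are generated in memory as constructed fixtures. It contrasts four client policies against a self-signed server: default verification (fails closed), "accept anything" (InsecureSkipVerify alone, which also accepts an impostor's self-signed certificate), a fingerprint pin for exactly one certificate (rejects the impostor, but, as a caveat, checks no validity period), and installing the self-signed certificate as a trust anchor (normal verification still runs, so an expired copy is rejected).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned builds an in-memory self-signed certificate for "localhost".
// Constructed fixture: it stands in for a site that uses no CA at all.
// With expired=true the validity window lies entirely in the past.
func newSelfSigned(expired bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	if expired {
		tmpl.NotBefore, tmpl.NotAfter = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Fingerprint is the SHA-256 of the DER certificate: the value a user would
// compare out of band before adding a one-certificate exception.
func Fingerprint(c tls.Certificate) string {
	sum := sha256.Sum256(c.Certificate[0])
	return hex.EncodeToString(sum[:])
}

// PinnedConfig accepts exactly one certificate, identified by fingerprint.
// Chain building and name checking are switched off, which also means the
// validity period is NOT checked; that is the trade-off of a raw pin.
func PinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // replaced by the explicit check below, not dropped
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no peer certificate presented")
			}
			sum := sha256.Sum256(raw[0])
			if hex.EncodeToString(sum[:]) != pin {
				return fmt.Errorf("certificate fingerprint mismatch: %x...", sum[:8])
			}
			return nil
		},
	}
}

// TrustAnchorConfig installs the self-signed certificate as the only root, so
// the normal checks (signature, name, validity period) still run against it.
func TrustAnchorConfig(c tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(c.Leaf)
	return &tls.Config{RootCAs: pool, ServerName: "localhost"}
}

// Handshake serves a single TLS connection with serverCert on a loopback port
// and returns the error the client sees when connecting with clientCfg.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // fails if the client rejects the certificate
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

func main() {
	site, _ := newSelfSigned(false)
	impostor, _ := newSelfSigned(false) // a different self-signed cert, as a MITM would present
	expired, _ := newSelfSigned(true)
	pin := Fingerprint(site)
	fmt.Println("default verify, self-signed site:", Handshake(site, &tls.Config{}))
	fmt.Println("accept anything, impostor:       ", Handshake(impostor, &tls.Config{InsecureSkipVerify: true}))
	fmt.Println("pinned, real site:               ", Handshake(site, PinnedConfig(pin)))
	fmt.Println("pinned, impostor:                ", Handshake(impostor, PinnedConfig(pin)))
	fmt.Println("trust anchor, expired cert:      ", Handshake(expired, TrustAnchorConfig(expired)))
}
```

The "accept anything" row is the reflex the message warns about: once InsecureSkipVerify stands alone, the impostor is indistinguishable from the real site. The pin and the trust-anchor variants are the two honest ways to take a self-signed certificate; which one fits depends on whether you want expiry and hostname checks to keep running.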