"Workstation" Product defaults to wide-open firewall
h.reindl at thelounge.net
Tue Dec 9 18:20:10 UTC 2014
On 09.12.2014 at 19:13, Kevin Kofler wrote:
> Michael Catanzaro wrote:
>> The default for an invalid TLS certificate should be to fail, no
>> exceptions, since we know that a user clicking Yes is almost always
>> picking the wrong option.
> Nonsense (and this is one of the reasons I hate Firefox). The right answer
> for an "invalid" TLS certificate is almost always "Accept".
I disagree here
* unconditional accept is wrong
* too easy accept is dangerous
* it is not hard to accept a self-signed cert in FF
> Many sites
> cannot or do not want to afford a "valid" certificate from the CA cartel,
> and thus ship with self-signed certificates, or certificates by a non-cartel
> CA such as CAcert which we also don't trust. In addition, expiry dates are
> checked strictly (IMHO, they should be ignored entirely as they're just a
> ploy by the cartel to get you to pay regularly for renewal, or given at
> least a month of tolerance), so if the site forgot (or couldn't afford) to
> renew it on time, there too, "invalid" certificate. The draconian approach
> to TLS certificates only makes sites use unencrypted (and thus totally
> insecure) HTTP instead, which is absolutely counterproductive.
Until DANE is widely deployed, that is sadly not changing.
That the CA idea is broken by design is not new...
> Konqueror does what browsers have always done before this braindead Firefox
> decision: It asks the user. And that's much better than default deny in this
* Firefox asks too
* it is not hard to accept a self-signed cert
* BUT it is hard enough to defeat the "click OK somewhere" reflex