ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Florian Weimer fweimer at redhat.com
Wed Nov 19 09:36:41 UTC 2014


On 11/18/2014 05:44 PM, Reindl Harald wrote:
>
> Am 18.11.2014 um 16:12 schrieb Michael Catanzaro:
>> On Tue, 2014-11-18 at 12:11 +0100, Florian Weimer wrote:
>>> Firefox also builds a repository of intermediate certificates over
>>> time
>>> and uses them automatically to fill gaps in certificate chains for
>>> completely unrelated sites.  This leads to somewhat non-predictable
>>> behavior regarding the set of sites to which Firefox can connect
>>> reliably.  This is difficult to emulate in one-shot command line
>>> tools
>>> such as wget which do not keep any local state by default.
>>
>> And that's arguably the biggest problem of all. The goal is to reduce
>> certificate validation failures for users who have seen a particular
>> intermediate cert before, but the effect is that web developers get
>> false positives when testing whether their sites are set up properly or
>> not. This just makes things worse in the long run.
>
> true - *but* anybody responsible for a https site should at least once
> per month run https://www.ssllabs.com/ssltest/ against it

https://victi.ms/ receives an “A+” rating, even though it lacks an
intermediate certificate and connections from non-browser clients fail.
You have to read the results carefully to discover that the site is
misconfigured in a significant way.

-- 
Florian Weimer / Red Hat Product Security
