Midori & revoked certificates
Suvayu Ali
fatkasuvayu+linux at gmail.com
Mon Apr 14 18:16:27 UTC 2014
Hi Kevin,
On Mon, Apr 14, 2014 at 09:31:04AM -0600, Kevin Fenzi wrote:
> On Mon, 14 Apr 2014 08:50:33 +0200
> Suvayu Ali <fatkasuvayu+linux at gmail.com> wrote:
> >
> > I was reading about Heartbleed and the results of the cloudflare
> > challenge. The following post says, that particular server is using a
> > revoked certificate and my browser should not show the page if
> > certificate revocation is working properly.
> >
> > <https://www.cloudflarechallenge.com/heartbleed>
> >
> > Firefox with OCSP enabled shows me this message:
> >
> > Peer's Certificate has been revoked.
> > (Error code: sec_error_revoked_certificate)
> >
> > Midori however happily displays the page. A quick look tells me there
> > is no way to enable something like OCSP.
>
> Midori can use gcr, which might be able to do something here. Not sure.
>
> The only gcr available however is gtk3, so we can't use it in a gtk2
> midori. Once we move to webkit2 and gtk3 we can enable that...
>
> I can look and see if gcr can actually do this...

I was not aware of Gcr, looks interesting.

> > Can this be taken up with upstream? More importantly, I would like to
> > propose to drop midori from the spin until this is dealt with upstream
> > (even if it means larger XFCE images); after all we do not want a less
> > secure Fedora user.
> >
> > Any thoughts on this?
>
> I personally think that's way too drastic. Many other browsers out there
> don't handle revoked certs either.

That is true. I think Firefox is the only one that does it sensibly.

> Do you want to file an upstream bug on it? Or shall I?
>
> We should at least see where we are at...

It would be better if you could do it. I do not think I can follow up
with updates/comments reasonably quickly.

Cheers,
--
Suvayu
Open source is the future. It sets us free.
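
An added example, not part of the original message: the difference reported in this thread between Firefox and Midori comes down to whether the client consults revocation data at all. The script below builds a constructed throwaway CA with `openssl`, revokes a certificate it issued, and verifies that certificate with and without a revocation check. It uses a CRL rather than OCSP so that it runs offline, and the names `Demo CA`, `revoked.example` and `revocation_demo` are assumptions.

```shell
# Added example: constructed throwaway CA and certificate, built offline in a temp dir.
# Prints "<verdict without revocation check> <verdict with CRL check>".
revocation_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  {
    # Self-signed CA, then a leaf certificate issued by it.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=revoked.example" -keyout srv.key -out srv.csr &&
    openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem &&
    # Revoke the leaf and publish the revocation in a CRL.
    openssl ca -config ca.cnf -revoke srv.pem &&
    openssl ca -config ca.cnf -gencrl -out ca.crl
  } >/dev/null 2>&1 || { cd / && rm -rf "$d"; echo setup-failed; exit 1; }
  plain=rejected; checked=rejected
  # A client that never consults revocation data still trusts the certificate.
  openssl verify -CAfile ca.pem srv.pem >/dev/null 2>&1 && plain=accepted
  # A client that checks the CRL refuses it ("certificate revoked").
  openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl srv.pem \
    >/dev/null 2>&1 && checked=accepted
  cd / && rm -rf "$d"
  echo "$plain $checked"
)
```

The signature and validity period of the revoked certificate remain valid, so only the second verification, which is given the CRL, can tell that it should no longer be trusted.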