Self Signed SSL Certificates should generate a warning
Bug #700020 reported by
Allen Lowe
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Midori Web Browser |
New
|
Undecided
|
Unassigned | ||
Bug Description
Details
Self-signed certificates should trigger a warning dialogue. Not necessarily the whole firefox 3.0 'This can't possibly be legit' warning, but something simple to let a user know that this certificate *may* be being used maliciously.
I picture something similar to the Firefox 2.0 self-signed certificate dialog.
Filing as 'Critical' as this is a security issue.
Revision history for this message
| Allen Lowe (lallenlowe) wrote | #1 |
Download full text (4.6 KiB)
| tags: | added: ssl |
To post a comment you must log in.
Comment by tomas (hakimio) - Monday, 10 November 2008, 19:26 GMT+1
There aren't many NORMAL sites using self signed certificates. Moreover, it's duplicated, there is a solution already and severity should be LOW.
Comment by Brian Vuyk (BrianV) - Monday, 10 November 2008, 19:30 GMT+1
I broke it up into two separate issues.
1. http://
2. This bug deals with the lack of a self-signed warning.
Self-signed certificates are occasionally used on sites. We shouldn't ignore them because they aren't used often. Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know.
And as I stated in the other bug report, the presented solution isn't viable.
Comment by Thorsten Mühlfelder (thenktor) - Wednesday, 12 November 2008, 03:46 GMT+1
"Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know."
Yes, this is the security problem.
Furthermore there are many private sites, that are using self signed certificates. For example, I'm using one on my dyndns.org homepage, too.
Comment by Christian Dywan (kalikiana) - Thursday, 09 April 2009, 22:27 GMT+1
Unfortunately I don't think Midori can currently do anything in that regard. I do agree it is somewhat important.
. (0 KiB)
Comment by Ess (ess) - Friday, 31 July 2009, 00:44 GMT+1
Provided that this change is made eventually, I'd like to take this opportunity to humbly request that such functionality be configurable. That is to say that I work at a web host and have to deal with over 9000 cpanel boxes a day, the great majority of which have self-signed certs for that interface, and thusly necessitates the ability to disable the self-signed check.
Comment by Daniel Michalik (argafal) - Saturday, 05 December 2009, 01:51 GMT+1
I second the request, it is an important issue that needs to be dealt with.
Comment by Yves-Alexis (corsac) - Tuesday, 12 January 2010, 16:23 GMT+1
Imho this is a more generic task, like “support SSL”. What is needed is the architecture to display and manage SSL certificates (clients and CA), as well as the display of SSL warnings.
And indeed, the implementation should be “wise” to be secure enough and not bother people too much (and yeah, I think it might be hard).
Comment by Christian Dywan (kalikiana) - Monday, 26 April 2010, 00:09 GMT+1
As a first step in the direction, Midori git now colours the address entry in yellow if a secure location has a verifiable, known certificate and it colours the entry in red if the certificate is not verifiable, including self-signed certificates. In addition, on the right side an 'authentication' or 'question' icon is shown; the icons are a makeshift until Midori ships proper icons, which I didn't look into yet.
If for any reason no certificate file is found, a warning is printed.
This feature requires WebKitGTK+1.1.14 and libSoup is 2.29.91. With older versions, Midori will continue to not verify at all.
Note: we can't show any details about certificates right now, unless someone is willing to look...