Comment by tomas (hakimio) - Monday, 10 November 2008, 19:26 GMT+1
There aren't many NORMAL sites using self signed certificates. Moreover, it's duplicated, there is a solution already and severity should be LOW.
  Comment by Brian Vuyk (BrianV) - Monday, 10 November 2008, 19:30 GMT+1
I broke it up into two separate issues.

1. http://www.twotoasts.de/bugs/index.php?do=details&task_id=35 deals with the https sites not being accessible via the address bar by default.
2. This bug deals with the lack of a self-signed warning.

Self-signed certificates are occasionally used on sites. We shouldn't ignore them because they aren't used often. Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know.

And as I stated in the other bug report, the presented solution isn't viable.
  Comment by Thorsten Mühlfelder (thenktor) - Wednesday, 12 November 2008, 03:46 GMT+1
"Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know."

Yes, this is the security problem.

Furthermore there are many private sites, that are using self signed certificates. For example, I'm using one on my dyndns.org homepage, too.
  Comment by Christian Dywan (kalikiana) - Thursday, 09 April 2009, 22:27 GMT+1
Unfortunately I don't think Midori can currently do anything in that regard. I do agree it is somewhat important.
     . (0 KiB) 
  Comment by Ess (ess) - Friday, 31 July 2009, 00:44 GMT+1
Provided that this change is made eventually, I'd like to take this opportunity to humbly request that such functionality be configurable. That is to say that I work at a web host and have to deal with over 9000 cpanel boxes a day, the great majority of which have self-signed certs for that interface, and thusly necessitates the ability to disable the self-signed check.
  Comment by Daniel Michalik (argafal) - Saturday, 05 December 2009, 01:51 GMT+1
I second the request, it is an important issue that needs to be dealt with.
  Comment by Yves-Alexis (corsac) - Tuesday, 12 January 2010, 16:23 GMT+1
Imho this is a more generic task, like “support SSL”. What is needed is the architecture to display and manage SSL certificates (clients and CA), as well as the display of SSL warnings.

And indeed, the implementation should be “wise” to be secure enough and not bother people too much (and yeah, I think it might be hard).
  Comment by Christian Dywan (kalikiana) - Monday, 26 April 2010, 00:09 GMT+1
As a first step in the direction, Midori git now colours the address entry in yellow if a secure location has a verifiable, known certificate and it colours the entry in red if the certificate is not verifiable, including self-signed certificates. In addition, on the right side an 'authentication' or 'question' icon is shown; the icons are a makeshift until Midori ships proper icons, which I didn't look into yet.
If for any reason no certificate file is found, a warning is printed.
This feature requires WebKitGTK+1.1.14 and libSoup is 2.29.91. With older versions, Midori will continue to not verify at all.

Note: we can't show any details about certificates right now, unless someone is willing to look into manually parsing certificate data. libSoup doesn't currently provide any details.
  Comment by kenneth (klhrevolution) - Friday, 03 September 2010, 19:15 GMT+1
I disagree. One of the many reasons I quit using firefox was due to them wanting to help police my web. How many indy startups need a browser giving a warning to a user ? Would a warning say come on in or would it tell the end-user beware... and would that end-user feel safe in the end result of this "warning" ? The answer is no and that would affect said business, startup, blog, etc..
  Comment by Thorsten Mühlfelder (thenktor) - Saturday, 04 September 2010, 14:10 GMT+1
kenneth: Yes, the way Firefox does it is annoying, but you should learn what the intention of SSL is and how it works. It is useless without notifiyng the user when a certificate is not trusted.
  Comment by Yves-Alexis (corsac) - Saturday, 04 September 2010, 14:24 GMT+1
Yeah, midori should display the warning the first time and alert the user, and then remember which certificate was used. It's important to warn the user if it changes, and maybe inform that it's a self signed one later, but no need to warn him everytime.
  Comment by Yves-Alexis (corsac) - Tuesday, 21 December 2010, 00:30 GMT+1
Not sure if it fits here or in another bug, but on certificate error the red url bar isn't really enough (especially since there's no available cert info right now). It should display an error, stops loading the site (and maybe provide a way to still load the site if the user really wants to).