[Webkit-unassigned] [Bug 139292] New: Do not allow users to ignore SSL certificate warnings

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 4 23:24:17 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=139292

            Bug ID: 139292
           Summary: Do not allow users to ignore SSL certificate warnings
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fn84b at outlook.com

I suggest that Safari always disallow users from ignoring certificate errors. Two reasons:

1. Lots of people ignore warnings when they face real MITM attacks, and not all websites are able to use HSTS.

2. I see no good reasons to ignore certificate errors. If the servers are misconfigured, they should get the certificate issue fixed, rather than telling users to ignore warnings. Also, even if users know the servers are using invalid (e.g. self-signed) certificates, they have no way to determine whether the presented certificates are the real self-signed certificates or ones signed by a MITM. Also, they can import the self-signed certificates into the OS trust store if they are testing their own websites or have other ways to verify the certificates.

Also, IE 11 on Windows 10 Preview already prevents users from clicking through certificate errors (you can try it on RemoteIE https://remote.modern.ie).

See also: https://code.google.com/p/chromium/issues/detail?id=439352 (Chrome)
https://bugzilla.mozilla.org/show_bug.cgi?id=1107804 (Firefox)
