[Webkit-unassigned] [Bug 208192] [Curl] Add TLS debugging feature to log encryption keys

bugzilla-daemon at webkit.org
Wed Feb 26 03:21:34 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208192

--- Comment #17 from Takashi Komori <Takashi.Komori at sony.com> ---
(In reply to Fujii Hironori from comment #16)
> How do Chrome and Firefox deal with the great security hole?

Other browsers don't seem to have a strong safety guard for this feature.
In other words, just setting the environment variable makes browsers start recording encryption keys on the local PC.

If the recorded keys are secure and not stolen, the feature itself is secure too.
But we shouldn't assume all systems which use WebKit are implemented right and secure.
So I think offering developers the disabling option is reasonable.

Also, I'm concerned that browsers don't have any explicit way to reset or remove recorded keys.
