OtterBrowser / otter-browser

Otter Browser aims to recreate the best aspects of the classic Opera (12.x) UI using Qt5
https://otter-browser.org
GNU General Public License v3.0

By default accept self signed certificates #550

Open ersi-dnd opened 9 years ago

ersi-dnd commented 9 years ago

I have begun using Otter for my work, which entails logging in to my employer's intranet. The intranet uses a self-signed certificate. Every new tab I open on the intranet, it throws up the certificate error in Otter. And I need to open many tabs. Also, when I switch tabs, it throws up the certificate error.

There's a new browser called Fifth browser. The developer there has this idea: "Certificates will natively have SSH-like behavior: self-signed certs are fully trusted without warning, but if a certificate changes, all bells go off." To me this sounds like the right idea: https://github.com/clbr/fifth/blob/master/DESIGN

Self-signed certificates are okay, but if the same domain suddenly feeds a different certificate, the browser should either throw up an error or offer acknowledgement/acceptance by the user. This would minimise the errors and make them more relevant.

Emdek commented 9 years ago

For now you can choose to ignore this type of error, although additional code is needed to fully implement this behavior.

queria commented 9 years ago

I have a basic impl for the WebKit backend as an example, though I would appreciate some feedback (about using the settings for this or anything else which may not fit in your code-style or so). Thx in advance.

Also, while going through the *NetworkManager code, I would go for a small code-compaction run, as imho a lot of the code should/could be in the base NM class, and at most overridden with parent calls if useful. Though I'm not sure how much the NM classes will need to differ for other possible backend(s).

Emdek commented 9 years ago

@queria, we had it more compacted in the past, but since NM will be used only by QtWebKit and our internal stuff then it makes more sense as is, although for sure it could be improved. ;-)

Do you have some gist or fork with an initial patch? I can take a look when I have some free time (not earlier than Tuesday).

queria commented 9 years ago

Sure it's in https://github.com/queria/otter/commit/3c4c1bcf46f1085942e786aec4920cd41411fe4f

Emdek commented 9 years ago

@queria, thanks, this looks very promising, but definitely needs some code formatting cleanup. ;-) Also I'm considering dedicated storage for such stuff, probably something INI based.

pmattern commented 9 years ago

Automatically accepting self-signed or any other certificates except those signed by approved root certificates seems like a very bad idea to me. If I'm not mistaken, man-in-the-middle attacks would get pretty easy by simply exchanging a regular server certificate signed by a root certificate with a self-signed one.

Aside from this I think what Otter really needed is both an interactive method to ask whether or not an unknown certificate should be accepted and a method to import arbitrary root certificates.
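
The SSH-like behaviour proposed in the first comment, combined with the downgrade concern raised in the comment above, sketched as an added example (not code from this thread, from queria's commit, or from Otter). It assumes the caller supplies the certificate's DER bytes and the result of normal chain validation; `PinStore`, `Verdict`, the INI layout and the host names are hypothetical, and first use prompts the user rather than trusting silently.

```python
import configparser
import hashlib
from enum import Enum


class Verdict(Enum):
    TRUSTED_CA = "chain validates against the trust store"
    PINNED_MATCH = "untrusted chain, but matches the stored pin"
    FIRST_USE = "untrusted chain, host never seen: ask the user"
    CHANGED = "differs from the stored pin: block and alert"
    DOWNGRADE = "host had a valid chain before: block and alert"


class PinStore:
    """Hypothetical INI-backed store, one section per host."""

    def __init__(self, path):
        self.path = path
        self.ini = configparser.ConfigParser()
        self.ini.read(path)  # a missing file simply yields an empty store

    def _save(self, host, der_cert, ca_valid):
        fp = hashlib.sha256(der_cert).hexdigest()
        self.ini[host.lower()] = {"sha256": fp, "ca_valid": str(ca_valid)}
        with open(self.path, "w") as fh:
            self.ini.write(fh)

    def check(self, host, der_cert, ca_valid):
        """ca_valid is the result of normal chain validation (assumed input)."""
        host = host.lower()
        seen = self.ini[host] if self.ini.has_section(host) else None
        if ca_valid:
            self._save(host, der_cert, True)  # remember the valid chain
            return Verdict.TRUSTED_CA
        if seen is None:
            return Verdict.FIRST_USE  # nothing is stored until accept()
        if seen.getboolean("ca_valid"):
            return Verdict.DOWNGRADE  # CA-signed cert swapped for an untrusted one
        fp = hashlib.sha256(der_cert).hexdigest()
        return Verdict.PINNED_MATCH if seen["sha256"] == fp else Verdict.CHANGED

    def accept(self, host, der_cert):
        """Record the user's explicit decision to trust this certificate."""
        self._save(host, der_cert, False)

if __name__ == "__main__":
    import tempfile
    store = PinStore(tempfile.mkstemp(suffix=".ini")[1])
    print(store.check("intranet.example", b"constructed sample bytes", False).value)
```
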

FZXizzbKv7jg commented 1 year ago

Hi,

I get

ERR_CERT_AUTHORITY_INVALID

(self signed certificate).

How can I fix this?