YF-GoogleCodeBackups / https-finder

Automatically exported from code.google.com/p/https-finder

not all sites have good SSL certs, but many are usable #13

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Go to a site that serves both http://site/ and https://site/ but doesn't 
have a good or up-to-date certificate.

What is the expected output? What do you see instead?
Result: ignored by the finder

Expect: load the https://site/ anyway, cache it, compare it to the http://site/ 
page that's already in cache and if they are identical, present the usual 
choice message with a small certificate warning. (Firefox will present the full 
warning afterwards anyway).

Note: a bad certificate (expired or for a different site) is still better than 
plain text. Some sites don't pay for https anymore, but sometimes their hosting 
company does (hence the wrong site or expired certs.)

A bad certificate doesn't protect from MITM attacks, but does still protect 
from eavesdroppers or automated workplace loggers (which are 99% of the 
problems anyway). With the proper warning, we should be ok.

What version of the product are you using? On what operating system?
0.30 / linux

Please provide any additional information below.

Original issue reported on code.google.com by gschroedinger@gmail.com on 24 Mar 2011 at 10:54

GoogleCodeExporter commented 8 years ago
I guess it would be possible to add an "Advanced" preference window where you 
can check/uncheck certificate errors that the extension will test for.  I am 
going to wait on this until some of the higher priority issues are resolved 
though (session enforcement of HTTPS especially).

Original comment by jacobsK...@gmail.com on 25 Mar 2011 at 8:39

GoogleCodeExporter commented 8 years ago
Deciding not to take action on this issue at this time.  Focusing on usability 
and functionality improvements relating to valid SSL sites.  This could be 
revisited at a later date.

Original comment by jacobsK...@gmail.com on 9 Apr 2011 at 7:48

GoogleCodeExporter commented 8 years ago

Original comment by jacobsK...@gmail.com on 22 Nov 2011 at 8:03

GoogleCodeExporter commented 8 years ago
An option to redirect to HTTPS even with certificate errors could be 
particularly valuable for people who use addons like Perspectives, which could 
independently verify certificates and override the errors.

Original comment by carl.ant...@gmail.com on 20 Dec 2012 at 3:40