chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Link to untrusted root CA from homepage #262

Open davidben opened 7 years ago

davidben commented 7 years ago

If testing against untrusted-root.badssl.com, it is natural to want the root. That's available now at https://badssl.com/certs/ca-untrusted-root.crt, but at a URL that is tedious to type on mobile. One also needs to know the URL exists.

lgarron commented 7 years ago

I would strongly prefer avoiding a link to the root from the home page, to avoid making it easy to (permanently) shoot yourself in the foot.

Some options I would be totally fine with:

Hi, Tester!

Here's a root you can import: untrusted-root.crt

To test that it works, import and then visit: untrusted-root.badssl.com

lgarron commented 7 years ago

We could also consider a secondary index at qa.badssl.com if there is a general need for such tests.

davidben commented 7 years ago

That sounds reasonable. I think I would prefer links to magic URLs, even if short. Then you will forget which URLs are important and people who need them will forget where to go. That suggests perhaps a less QA-targeted page. This also isn't really an exclusively QA thing. One may wish to see whether browser UI is (or isn't) special when a locally-installed root is used.

nicktimko commented 7 years ago

Was about to file an issue about whether there's a way to download the self-signed/root cert to do some testing for software that might use internally-trusted certificates. Adding a link to the cert, or a link to the page with links to them and some giant "don't put these on your computer" would be nice.

lgarron commented 7 years ago

> Adding a link to the cert, or a link to the page with links to them and some giant "don't put these on your computer" would be nice.

Data for interstitial click-throughs suggests that people will ignore that, and perhaps forget they installed that CA. ;-)

There is a Test Suites section at the bottom of the front page now. We need that to link to a page for this.

sylvainlaurent commented 6 years ago

Why not place the link in the page presented by https://untrusted-root.badssl.com/? That way, those who really want it can first bypass the security check, then access the page where they will find the root cert.

lgarron commented 6 years ago

> why not place the link in the page presented by https://untrusted-root.badssl.com/ ?

At least 2 reasons:

1) Since the root is downloaded in order to be trusted, it should be downloaded securely.

2) The main use case for the download is to provide a way to check that visiting https://untrusted-root.badssl.com/ with the downloaded root installed does not trigger an error page. Clicking through the error page first is likely to cause user/tester confusion, and may trigger browser bugs. (In some browsers, clicking through an error page is also not simple to undo.)
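As an added illustration of the second point above (this is example code written for this page, not code from the thread or from the badssl.com project): the check that a chain issued by the downloaded root verifies cleanly can be made without installing the root into the operating system trust store at all, which also sidesteps the "permanently shoot yourself in the foot" concern raised earlier. The Go program below uses only the standard library. It generates a throwaway root and a server leaf for the constructed hostname `untrusted-root.test`, serves the leaf on 127.0.0.1, and probes it twice: once against the system store, where verification fails just as untrusted-root.badssl.com does in a stock browser, and once against a `CertPool` that holds only that root. The hostname, the certificate names and the `issue`, `newTestPKI`, `probe` and `RunDemo` function names are assumptions made for the example; with the real `ca-untrusted-root.crt` you would parse the downloaded DER into the pool and point `probe` at `untrusted-root.badssl.com:443` with that hostname as the `serverName`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const testHost = "untrusted-root.test" // constructed stand-in for untrusted-root.badssl.com

// issue generates a P-256 key and signs tmpl with signer; a nil parent means self-signed (a root).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTestPKI builds an in-memory root (what a tester would otherwise download and install) and a leaf for host.
func newTestPKI(host string) (*x509.Certificate, tls.Certificate, error) {
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Untrusted Test Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return root, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// probe completes a TLS handshake with addr, verifying the chain for serverName
// against roots (nil selects the system store), and returns the verification error.
func probe(addr, serverName string, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunDemo serves the constructed leaf on 127.0.0.1 and probes it twice: with the system
// store (expected to fail, like untrusted-root.badssl.com in a stock browser) and with a
// pool that holds only the test root (expected to succeed).
func RunDemo() (systemErr, scopedErr error) {
	root, leaf, err := newTestPKI(testHost)
	if err != nil {
		return err, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{leaf}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err, err
	}
	defer ln.Close()
	go func() { // minimal server: finish the handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	systemErr = probe(ln.Addr().String(), testHost, nil)
	// Scoped trust: the root exists only in this pool, in this process, for this run.
	// With the real file, x509.ParseCertificate the downloaded DER and AddCert it here.
	pool := x509.NewCertPool()
	pool.AddCert(root)
	scopedErr = probe(ln.Addr().String(), testHost, pool)
	return systemErr, scopedErr
}

func main() {
	systemErr, scopedErr := RunDemo()
	fmt.Println("system trust store:", systemErr)
	fmt.Println("scoped CertPool:   ", scopedErr)
}
```

Because trust is scoped to one `CertPool` in one process, the root cannot outlive the test run, and the "does the chain verify with this root" question is answered without ever clicking through an error page or touching the browser's trust settings.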

raulsiles commented 4 years ago

Definitely, I vote to add the link to the ca-untrusted-root.crt file at the bottom of the front-page, potentially on a different web page used for testing, linked via "Root Import Test" (as suggested above) or simply "Testing" (in case other testing links are added in the future). Right now you need to find this certificate through the GitHub issues.

Additionally, could the .crt file be included in the project repository, even if it is not linked from anywhere? The goal is to simplify the process to find it and use it when testing TLS related tools.

redcatpaw commented 3 years ago

Add it at badssl.com/download