search

moxie0 / Convergence

An agile, distributed, and secure alternative to the Certificate Authority system.
http://convergence.io
621 stars 108 forks source link

Convergence ignores Security Exception #123

Closed ChristophGr closed 12 years ago

ChristophGr commented 12 years ago

I connected to the following site:

https://www.wowace.com

It gives a security exception because convergence for some reason receives the certificate from another site https://www.curseforge.com (same company).

www.wowace.com uses an invalid security certificate.

The certificate is only valid for the following names:
  *.curseforge.com , curseforge.com  

(Error code: ssl_error_bad_cert_domain)

However, when I add a security exception, I still cannot connect to that site. The only way I can is to turn off convergence :(

I looked in the preferences and there is a security exception for https://www.wowace.com:443 The Certificate Name however is *.curseforge.com

reissmann commented 12 years ago

When turning off convergence and connecting to that site I get redirected to http. Maybe the wrong-cert is related to the SNI issue (#28)?

IMHO ignoring security exceptions is a feature of convergence. There shouldn't be any reason for adding security exceptions when people are using SSL as intended. At the moment it's needed because of all the self-signed or CACert issues. With convergence those issues should be gone in the future.

ChristophGr commented 12 years ago

On the given site, HTTPS is used only for the login. Clicking the "sign in" link always redirects to https://www.wowace.com/home/login/?next=http%3A%2F%2Fwww.wowace.com%2F

28 sounds like a likely explanation.

However I have no way of logging in on the site while convergence is active.

IMHO ignoring security exceptions is a feature of convergence. There shouldn't be any reason for adding security exceptions when people are using SSL as intended. At the moment it's needed because of all the self-signed or CACert issues. With convergence those issues should be gone in the future.

I think that's not the only thing ppl are doing "wrong" when using SSL. There are also expired certificates or certificates not covering all subdomains. Some server administrators either don't care or are just plain incompetent.

Nevertheless I might be required to use their service (school, university, partner company, ...) So security exception should still be possible, but maybe maintained in a separate whitelist.

moxie0 commented 12 years ago

It's SNI, I'm closing this as a duplicate of #28.