Re: ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/18/2014 05:44 PM, Reindl Harald wrote:

Am 18.11.2014 um 16:12 schrieb Michael Catanzaro:
On Tue, 2014-11-18 at 12:11 +0100, Florian Weimer wrote:
Firefox also builds a repository of intermediate certificates over
time
and uses them automatically to fill gaps in certificate chains for
completely unrelated sites.  This leads to somewhat non-predictable
behavior regarding the set of sites to which Firefox can connect
reliably.  This is difficult to emulate in one-shot command line
tools
such as wget which do not keep any local state by default.

And that's arguably the biggest problem of all. The goal is to reduce
certificate validation failures for users who have seen a particular
intermediate cert before, but the effect is that web developers get
false positives when testing whether their sites are set up properly or
not. This just makes things worse in the long run.

true - *but* anybody responsible for a https site should at leat once
per month run https://www.ssllabs.com/ssltest/ against it

https://victi.ms/ receives an “A+” rating, even though it lacks an intermediate certificate and connections from non-browser clients fail. You have to read the results carefully to discover that the site is misconfigured in a significant way.

--
Florian Weimer / Red Hat Product Security
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux