Michael Catanzaro wrote:
> The default for an invalid TLS certificate should be to fail, no
> exceptions, since we know that a user clicking Yes is almost always
> picking the wrong option.
Nonsense (and this is one of the reasons I hate Firefox). The right answer
for an "invalid" TLS certificate is almost always "Accept". Many sites
cannot or do not want to afford a "valid" certificate from the CA cartel,
and thus ship with self-signed certificates, or certificates by a non-cartel
CA such as CAcert which we also don't trust. In addition, expiry dates are
checked strictly (IMHO, they should be ignored entirely as they're just a
ploy by the cartel to get you to pay regularly for renewal, or given at
least a month of tolerance), so if the site forgot (or couldn't afford) to
renew it on time, there too, "invalid" certificate. The draconian approach
to TLS certificates only makes sites use unencrypted (and thus totally
insecure) HTTP instead, which is absolutely counterproductive.
Konqueror does what browsers have always done before this braindead Firefox
decision: It asks the user. And that's much better than default deny in this
case.
Kevin Kofler
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
