Closed
Bug 725986
Opened 12 years ago
Closed 8 years ago
Implement UI to deal with missing fresh revocation information (override if neither OCSP nor CRL)
Categories
(Core Graveyard :: Security: UI, defect)
Core Graveyard
Security: UI
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: KaiE, Unassigned)
References
(Depends on 1 open bug)
Details
Implement UI to deal with missing fresh revocation information (override if neither OCSP nor CRL) If neither fresh OCSP information nor fresh CRL information is available when visiting a secure site, and when strict revocation checking is enabled, the user's connection attempt will be blocked - which is a particularly bad user experience at captive portals. This UI should make use of captive portal detection. In general, missing OCSP/CRL should be treated by giving strong security warnings, and users should be allowed to "connect anyway", but in general we should strongly discourage them from connecting anyway (similar as today's bad certificate error page). However, whenever a captive portal is detected, the UI might be slightly less discouraging, together with a good explanation, and asking the user to verify that "being at a captive portal is really expected". Any such overrides added while being at the captive portal (not yet paid) should automatically be removed immediately after the captive portal switches to open (now paid).
This isn't something we can do right now. If the problems with servers stapling expired OCSP responses have taught us anything, it's that this would break the web for too many people.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•