Closed
Bug 1012879
Opened 10 years ago
Closed 8 years ago
only allow certificate overrides if the user can provide a matching out-of-band certificate fingerprint
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: keeler, Unassigned)
References
Details
Instead of allowing insecure certificate overrides through a series of clicks, we should protect users by ensuring they're seeing the expected certificate by having them provide a certificate fingerprint they received from a (hopefully secure) out-of-band source.
Comment 2•9 years ago
|
||
@Cykesiopka : thanks for finding the duplicate, despite the time I spent searching for it I couldn't find it myself. I would like add to keeler's idea: Verifying certificates with a fingerprint can be seen as a simple and secure way to authenticate a remote server. I think it could even become a "normal" way to authenticate servers when CAs certificates cannot be used easily. The most important use case of this approach is that this would enable more widespread use of self-signed certificates in embedded applications: such as securing the connection to appliances, routers, etc. The manufacturer could print on the same label where it prints the MAC address the SSL certificate fingerprint.
Reporter | ||
Comment 3•8 years ago
|
||
This would really be nice, but I doubt we'll ever ship it in Firefox. Might work as an add-on, though.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•