
By default accept self signed certificates

Open ersi-dnd opened this issue 10 years ago • 7 comments

I have begun using Otter for my work, which entails logging in to my employer's intranet. The intranet uses a self-signed certificate. Every new tab I open on the intranet, it throws up the certificate error in Otter. And I need to open many tabs. Also, when I switch tabs, it throws up the certificate error.

There's a new browser called Fifth browser. The developer there has this idea: "Certificates will natively have SSH-like behavior: self-signed certs are fully trusted without warning, but if a certificate changes, all bells go off." To me this sounds like the right idea: https://github.com/clbr/fifth/blob/master/DESIGN

Self-signed certificates are okay, but if the same domain suddenly feeds a different certificate, the browser should either throw up an error or offer acknowledgement/acceptance by the user. This would minimise the errors and make them more relevant.

ersi-dnd avatar Nov 27 '14 19:11 ersi-dnd

For now you can choose to ignore this type of error, although additional code is needed to fully implement this behavior.

Emdek avatar Dec 08 '14 19:12 Emdek

I have a basic impl for the WebKit backend as an example, though I would appreciate some feedback (about using the settings for this or anything else which may not fit in your code style or so). Thx in advance.

Also, while going through the *NetworkManager code, I would go for a small code-compaction run, as imho a lot of the code should/could be in the base NM class, and at most overridden with parent calls if useful. Though I'm not sure how much the NM classes will need to differ for other possible backend(s).

queria avatar Jan 30 '15 16:01 queria

@queria, we had it more compacted in the past, but since NM will be used only by QtWebKit and our internal stuff then it makes more sense as is, although for sure it could be improved. ;-)

Do you have some gist or fork with an initial patch? I can take a look when I have some free time (not earlier than Tuesday).

Emdek avatar Feb 01 '15 11:02 Emdek

Sure, it's in https://github.com/queria/otter/commit/3c4c1bcf46f1085942e786aec4920cd41411fe4f

queria avatar Feb 04 '15 10:02 queria

@queria, thanks, this looks very promising, but definitely needs some code formatting cleanup. ;-) Also I'm considering dedicated storage for such stuff, probably something INI-based.

Emdek avatar Feb 04 '15 17:02 Emdek

Automatically accepting self-signed or any other certificates except those signed by approved root certificates seems like a very bad idea to me. If I'm not mistaken, man-in-the-middle attacks would get pretty easy by simply exchanging a regular server certificate signed by a root certificate with a self-signed one.

Aside from this, I think what Otter really needs is both an interactive method to ask whether or not an unknown certificate should be accepted and a method to import arbitrary root certificates.

pmattern avatar Feb 09 '15 12:02 pmattern
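
Added example, not part of the thread and not Otter's or Fifth's code: a sketch of the pinning policy discussed above, covering both the "alarm when the certificate changes" behaviour from the opening post and the CA-to-self-signed swap raised in the last comment, with an INI-style store as suggested earlier in the thread. The function names, section layout, decision strings and the constructed byte strings standing in for DER certificates are assumptions; unlike the quoted Fifth design, first contact prompts instead of trusting silently.

```python
import configparser
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def check_certificate(store, host, der, chain_valid):
    """Return a decision string for the certificate `host` presented.

    store: configparser.ConfigParser, one section per host (assumed layout).
    chain_valid: True if the chain validated against the trusted roots.
    """
    fp = fingerprint(der)
    known = store[host] if store.has_section(host) else None
    if chain_valid:
        # Remember that this host presents a CA-validated certificate.
        store[host] = {"trust": "ca", "sha256": fp}
        return "accept"
    if known is None:
        return "prompt"            # first contact: ask the user, do not auto-trust
    if known["trust"] == "ca":
        return "alarm-downgrade"   # was CA-validated before, is not any more
    if known["sha256"] == fp:
        return "accept-pinned"     # same certificate the user accepted earlier
    return "alarm-changed"         # pinned host now presents another certificate

def pin(store, host, der):
    """Record that the user accepted this unvalidated certificate."""
    store[host] = {"trust": "pinned", "sha256": fingerprint(der)}

def demo():
    """Walk through the cases with constructed stand-ins for DER bytes."""
    store = configparser.ConfigParser()
    cert_a, cert_b = b"constructed cert A", b"constructed cert B"
    seen = [check_certificate(store, "intranet.example", cert_a, False)]
    pin(store, "intranet.example", cert_a)
    seen.append(check_certificate(store, "intranet.example", cert_a, False))
    seen.append(check_certificate(store, "intranet.example", cert_b, False))
    seen.append(check_certificate(store, "shop.example", cert_a, True))
    seen.append(check_certificate(store, "shop.example", cert_b, False))
    return seen

if __name__ == "__main__":
    print(demo())
```

The store can be persisted with `ConfigParser.write()`; the downgrade check only protects hosts that were seen with a valid chain before.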

Hi,

I get

ERR_CERT_AUTHORITY_INVALID

(self signed certificate).

How can I fix this?

FZXizzbKv7jg avatar Nov 17 '22 09:11 FZXizzbKv7jg