Chris Thompson

Results 43 comments of Chris Thompson

Hi, new maintainer of the site here :-). Sorry for the delayed response. We'd be happy to take a pull request for this. The development of new tests has slowed...

What's the expected behavior on macOS? Testing in Safari on macOS 10.15.2, it looks like self-signed.badssl.com is still working as expected (bypassable). Adding EKU to these certs sounds good either...

I think that TLS 1.3 support will require OpenSSL 1.1.0 (along with switching to mainline nginx versions, rather than stable). Unfortunately, this removes a bunch of weak/obsolete cipher and protocol...

I'll look into regenerating these. In the meantime, https://self-signed.badssl.com and https://untrusted-root.badssl.com cover these cases generally. These specific bad roots are primarily for testing _specific_ blocklisting of these certificates/roots in user...

> For what it's worth, the intermediate certificate `COMODO SSL CA` will expire in less than 24h, it is used at least on the https://sha1-intermediate.badssl.com/ domain.
>
> [![image](https://user-images.githubusercontent.com/3510190/83257855-802ff300-a1b5-11ea-94ec-b16ff3cd6c6b.png)](https://www.howfast.tech/)

sha1-intermediate.badssl.com...

If this is relatively straightforward to configure in nginx, then I'd be happy to take a PR adding a new subdomain for this (or a snippet of nginx configuration I...

Ah yeah if it requires the server misbehaving in a way that OpenSSL doesn't directly support, then it's likely that we can't do it on badssl.com as the overhead of...

I think scoping this to top-level navigations makes sense (and has kind of been how I've been thinking about this, although that may be partially due to Chrome's implementation here)....

> we end up with mixed content blocking in cases where the content would not have been mixed if not for the top-level upgrade

I would consider this to be...