badssl.com
Document password for client cert
@diracdeltas ran into this.
Per https://github.com/chromium/badssl.com/commit/578f7a2d83a1f1d5dbc8eee4c58a6ba6532b00ea#diff-c77ce27bee6905e8afa3b810dc48695c, the password is $DOMAIN (e.g. badssl.com in prod). We should probably document that at https://badssl.com/download/
cc @april
It is, right there under Password.

But it could probably stand to be a little clearer on the matter.
Maybe make it bold? Or have a thing in the text underneath the box where it says that the password is badssl.com?
Oh, wow. I did totally gloss over that. :-P
Box underneath sounds a little more noticeable to me. (Maybe also format as <code>?)
Oops my bad! I totally missed that too
#385 added bold+code formatting to the passwords. We might also want to add a note underneath, so leaving this open for now.
I agree, this was not at all obvious. There are several ways the ergonomics could be improved:
- Use the term "passphrase" somewhere noticeable.
- Add a sentence at the bottom of the page, below the table, that says "This .pem file is passphrase-protected. The passphrase is: xxxxx"
- Even better: Add a new entry to the table, containing a PEM file with no passphrase protection. This will not only solve this particular problem (because there will be two entries for PEM files in the table, and the reader will thus be forced to study the other columns to figure out what the difference is); this solution will also solve unrelated problems, such as "I want to use this client cert with the Python requests library, but requests works only with client certs whose private keys are unencrypted."
- Use a passphrase that cannot possibly be mistaken for a domain name or any other non-passphrase-related information. For example: password; the-password; hunter2; correct horse battery staple.
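As an added example (not code from the badssl.com project or from anyone in this thread): a small stdlib-only helper that tells you whether a downloaded PEM key is passphrase-protected, in either the PKCS#8 or the legacy OpenSSL format, and builds a client-auth `ssl.SSLContext` that passes the documented passphrase to OpenSSL, which is the route available when an HTTP client cannot take an encrypted key itself. The sample PEM strings are constructed header-only stand-ins, not real key material, and the file paths in `client_context` are assumed.

```python
import re
import ssl
import urllib.request
from typing import Optional

# Passphrase documented in this thread for the badssl.com client-cert download.
BADSSL_CLIENT_CERT_PASSPHRASE = "badssl.com"

_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
_LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),", re.MULTILINE)


def pem_key_encryption(pem_text: str) -> Optional[str]:
    """Return None for an unencrypted PEM private key, otherwise a short
    description of the protection: "PKCS#8" or "legacy/<cipher>"."""
    if _PKCS8_ENCRYPTED in pem_text:
        return "PKCS#8"
    if _LEGACY_ENCRYPTED.search(pem_text):
        m = _DEK_INFO.search(pem_text)
        return "legacy/" + (m.group(1) if m else "unknown")
    return None


def client_context(certfile: str, keyfile: Optional[str] = None,
                   passphrase: Optional[str] = None) -> ssl.SSLContext:
    """Client-auth context; `password` lets OpenSSL decrypt the key directly,
    so an unencrypted copy of the key never has to be written to disk."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile, keyfile, password=passphrase)
    return ctx


def opener_for(ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    """urllib opener that presents the client cert on HTTPS connections."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


# Constructed header-only samples (not real keys) to exercise the detector.
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```

Usage would be `opener_for(client_context("badssl.com-client.pem", passphrase=BADSSL_CLIENT_CERT_PASSPHRASE)).open(url)`, with the file name assumed.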
I just spent 20 mins looking in all the wrong places for this. Pretty annoying!
And great to see that there's a great solution to the problem here!
But then annoying that this solution was figured out a year ago, but it hasn't been put onto the badssl download page yet :-(
Please someone, make the change @quuxplusone proposed before another developer wastes a precious half hour.
By the way, I think the reason it's so easy to miss the password in the table on the page is that the password is "badssl.com".
The problem is, the text "badssl.com" appears on the page 6 times (7 if you include the browser's URL bar). So the mind has already been kind of trained to ignore this as redundant information — "I already know what 'badssl.com' stands for! It's the domain name! therefore it can't be anything else"
There's probably some technical term for this in cognitive psychology.