[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 15 08:12:56 PDT 2010


On 10/15/2010 05:13 AM, https-everywhere at lists.grepular.com wrote:
> Is there a policy on "invalid" certificates for this add-on? For
> example, what about websites that have certificates from cacert.org?
> Their root isn't installed in any of the major browsers yet... Does that
> mean they shouldn't be included? Self signed certs? Certs where the CN
> doesn't match?

This question has been asked a few times, and the answers I've seen so
far have been that https-everywhere prefers to avoid redirecting to
sites that cause security exceptions.

While I can understand the sentiment behind this goal, it's a bit
problematic, because:

 (a) not every browser ships the same default "trusted" root certificate
authorities, and

 (b) users have legitimate reasons to want to modify the list of trusted
roots themselves (e.g. adding authorities they are comfortable with, or
disabling authorities they do not actually trust)

FWIW, even self-signed certs and certs where the CN doesn't match are
acceptable in many reasonable contexts, like browser plugins that let
the user take a TOFU (trust on first use) approach (e.g. Perspectives or
Certificate Patrol) or that validate the raw key material out-of-band
via other mechanisms (e.g. Monkeysphere).

If https-everywhere is going to pick only sites with "valid"
certificates, the https authors at some level will need to decide which
CAs are themselves "valid".

An obvious choice (since this is a firefox extension) is to just punt on
the larger political implications of deciding on a canonical "trusted
authority" list, and accept only sites whose certificates are currently
verifiable by the latest version of firefox's default "trusted" root CA
list.

However, sites change certificates (and keys) over time, and firefox's
own default "trusted" root CA list changes over time too.  So this is
something of a moving target.

And to make matters a bit stickier, some websites covered by the current
ruleset do *not* validate via Firefox's default "trusted" root CA list,
but the admins of the sites want them listed anyway.  Is that acceptable?

	--dkg
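The message above argues that "valid" is not a property of a certificate by itself but of a certificate plus a trust store plus a hostname, and that key-based schemes (TOFU, Monkeysphere-style out-of-band checks) sidestep the root-list question entirely. The following is an added example, not code from dkg, the list, or the HTTPS Everywhere project. It builds a throwaway PKI with Go's standard library (the CA names, secure.example.org, the keys and serial numbers are all constructed for the demo), then asks the same certificates the three questions from the thread: does the chain reach a root in *this* store, does the name match, and does the SPKI pin survive a re-issue by a different CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Check pulls apart the two properties a browser's single "valid" verdict folds together.
type Check struct {
	ChainTrusted bool // chains to a root in the trust store that was passed in
	NameMatches  bool // covers the hostname being connected to
}

// Classify evaluates leaf against one explicit trust store and hostname. Gotcha: a nil
// Roots makes Go fall back to the OS store (the moving target the thread describes).
func Classify(leaf *x509.Certificate, roots *x509.CertPool, host string) Check {
	if roots == nil {
		roots = x509.NewCertPool()
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return Check{ChainTrusted: err == nil, NameMatches: leaf.VerifyHostname(host) == nil}
}

// SPKIFingerprint is the SHA-256 of the SubjectPublicKeyInfo, the value a TOFU or
// out-of-band scheme pins; it depends on the key alone, not on who signed it.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Fixture is a constructed PKI (hypothetical names, throwaway keys generated at run time).
type Fixture struct {
	Root, Leaf, Reissued, SelfSigned *x509.Certificate
}

func BuildFixture() Fixture {
	rootKey, otherKey, leafKey, selfKey := genKey(), genKey(), genKey(), genKey()
	root := issue(template("Example Private Root", 1, true), &rootKey.PublicKey, nil, rootKey)
	other := issue(template("Other Private Root", 2, true), &otherKey.PublicKey, nil, otherKey)
	leaf := func(serial int64) *x509.Certificate {
		return template("secure.example.org", serial, false, "secure.example.org")
	}
	return Fixture{
		Root:       root,
		Leaf:       issue(leaf(3), &leafKey.PublicKey, root, rootKey),   // issued by Root
		Reissued:   issue(leaf(4), &leafKey.PublicKey, other, otherKey), // same key, other CA
		SelfSigned: issue(leaf(5), &selfKey.PublicKey, nil, selfKey),    // no CA at all
	}
}

// issue signs tmpl for pub with signer; a nil parent makes the certificate self-signed.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// template builds a minimal certificate; key-usage extensions are omitted since Go's verifier does not require them.
func template(cn string, serial int64, ca bool, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dns,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
}

func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	f := BuildFixture()
	mine, stock := x509.NewCertPool(), x509.NewCertPool() // operator's browser vs. a stock one
	mine.AddCert(f.Root)
	fmt.Printf("leaf, root in store:      %+v\n", Classify(f.Leaf, mine, "secure.example.org"))
	fmt.Printf("leaf, stock store:        %+v\n", Classify(f.Leaf, stock, "secure.example.org"))
	fmt.Printf("leaf, wrong hostname:     %+v\n", Classify(f.Leaf, mine, "www.example.org"))
	fmt.Printf("self-signed, stock store: %+v\n", Classify(f.SelfSigned, stock, "secure.example.org"))
	fmt.Println("SPKI pin stable across re-issue:", SPKIFingerprint(f.Leaf) == SPKIFingerprint(f.Reissued))
}
```

Run it with `go run .`; no network is needed because every certificate is generated locally. The same leaf flips between trusted and untrusted purely by which pool is passed in, which is the CAcert situation in the thread: add the root to your own store and the certificate is "valid", ship without it and it is not. A user who has accepted the self-signed certificate (add f.SelfSigned to a pool and classify against it) gets ChainTrusted back as well. The hostname check is independent of both, so a CN mismatch is a separate failure class, not a weaker form of "untrusted". The last line shows why a Monkeysphere-style key check needs no agreed root list: the pin is identical before and after the certificate is re-issued under a different CA.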
