[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 15 13:16:07 PDT 2010
On 10/15/2010 03:50 PM, Chris Palmer wrote:
>> <ruleset name="Reddit" match-cn="no" trusted="yes">
>
> This would allow any server with a valid, trusted-CA-issued certificate
> issued to any subject to authenticate as reddit.com. That is badder than the
> status quo.
While I disagree with the original proposal, I don't think the intention
was to have https-everywhere actually set certificate exceptions in the
browser.
I believe the OP wanted to have some config knobs the user could
twiddle: "use https-everywhere rules which may encourage visiting sites
with non-matching CNs" and "use https-everywhere rules that encourage
visiting sites whose certs do not validate with the stock default CAs"
If the cert doesn't validate (for however the user defines validation),
https-everywhere wouldn't somehow override that.
Anyway, it's not a proposal I support, but it's not as bad as the
variant you describe, which would indeed be downright awful.
--dkg
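The distinction the two messages above turn on is between the two separate checks a browser performs on a server certificate: does the chain terminate at a trusted CA, and does a name in the certificate match the host the client asked for. The following is an added illustration, not code from the HTTPS-Everywhere project or from anyone on this list. It models certificates as plain dicts built inline, uses a constructed stand-in root store (`TRUSTED_CAS`), and maps the proposed `trusted="no"` and `match-cn="no"` attributes onto two keyword flags (`require_trusted`, `require_name_match`) whose names are my own. It shows concretely why dropping the name check, as in Chris Palmer's reading, lets a certificate issued to any subject by any trusted CA pass for reddit.com.

```python
"""Added example: chain trust versus name matching for a server certificate.

Certificates are modelled as simple records constructed inline; there is no
network access and no real X.509 parsing.  TRUSTED_CAS is a constructed
stand-in for the browser's root store.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cert:
    issuer: str                                    # who signed the leaf
    dns_names: list[str] = field(default_factory=list)  # subjectAltName dNSName entries


# Constructed root store for the example; a browser ships with many more.
TRUSTED_CAS = {"ExampleRoot CA"}


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison.

    Exact match, or a single leftmost "*" label standing in for exactly one
    host label.  A wildcard must cover at least one label to the right of the
    public suffix, so "*.com" never matches "reddit.com" here.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if len(plabels) != len(hlabels):
        return False          # "*" matches exactly one label, never "a.b"
    return plabels[1:] == hlabels[1:]


def chain_is_trusted(cert: Cert) -> bool:
    """Simplified chain validation: the issuer is in the trust store."""
    return cert.issuer in TRUSTED_CAS


def accept(cert: Cert, host: str, *,
           require_trusted: bool = True,
           require_name_match: bool = True) -> bool:
    """Decide whether a client should accept `cert` for a connection to `host`.

    The keyword flags model the attributes proposed in the thread (names are
    this example's own, not HTTPS-Everywhere's):
        trusted="no"   -> require_trusted=False
        match-cn="no"  -> require_name_match=False
    """
    if require_trusted and not chain_is_trusted(cert):
        return False
    if require_name_match and not any(hostname_matches(n, host) for n in cert.dns_names):
        return False
    return True


if __name__ == "__main__":
    reddit = Cert("ExampleRoot CA", ["reddit.com", "*.reddit.com"])
    other = Cert("ExampleRoot CA", ["attacker.example"])   # valid, trusted, wrong subject
    selfsigned = Cert("Self-Signed", ["reddit.com"])        # right name, untrusted issuer

    print(accept(reddit, "www.reddit.com"))                              # True
    print(accept(other, "www.reddit.com"))                               # False: name mismatch
    print(accept(other, "www.reddit.com", require_name_match=False))     # True: any trusted cert passes
    print(accept(selfsigned, "reddit.com"))                              # False: untrusted chain
    print(accept(selfsigned, "reddit.com", require_trusted=False))       # True: user-defined trust
```

The third call is the case Chris Palmer objects to: with the name check switched off, the certificate for `attacker.example` is accepted for `www.reddit.com` purely because it chains to a trusted CA. The last call is closer to what dkg reads the proposal as asking for, a user-chosen relaxation of which issuers count as trusted, which still leaves the name check in force.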