[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]

Mike Perry mikeperry at fscked.org
Sat Oct 16 14:57:03 PDT 2010


Thus spake https-everywhere at lists.grepular.com (https-everywhere at lists.grepular.com):

> On 16/10/2010 21:25, Daniel Kahn Gillmor wrote:
> > Resolving the authentication first avoids these problems entirely.
> 
> This is why I suggested it as a configuration option. By default, users
> would only have rules enabled which don't trigger certificate warnings.
> Users who know what they're doing and want to manually check
> certificates, or add root certificates or use addons like Perspectives
> could enable the rest of the rules too.

Yes. Again, we'd gladly accept patches to do this. The ideal behavior
would be to have valid_ca and matches_cn default to true if the
attributes were not present (so that existing rules don't have to be
modified).

Peter, Seth, and I all have no love for the SSL mafia (in fact we all
believe the CA model is almost entirely broken), and we'd be very glad
to provide ways for people to access sites that are authenticated via
some other means, be it manual verification or some other addon. 

It just can't be the default (though we can do things like detect if
Perspectives is installed and then enable all rules automatically).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
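
An added sketch, not part of the original message or of the HTTPS Everywhere code, of the defaulting behaviour described above: `valid_ca` and `matches_cn` read as true when absent, and rules that fail either check stay off unless the user opts in. Placing the attributes on `<ruleset>`, the `allow_unverified` option, the function names, and treating a malformed value as false are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulesets with placeholder hosts. Putting the attributes
# on <ruleset> is an assumption; the post only names the attributes.
SAMPLE = """
<rulesets>
  <ruleset name="Legacy"><target host="legacy.example"/></ruleset>
  <ruleset name="SelfSigned" valid_ca="false"><target host="self.example"/></ruleset>
  <ruleset name="WrongName" matches_cn="false"><target host="cdn.example"/></ruleset>
  <ruleset name="Typo" valid_ca="flase"><target host="typo.example"/></ruleset>
</rulesets>
"""


def cert_flag(ruleset, attr):
    """Read a boolean certificate attribute from a ruleset element.

    A missing attribute means True, so existing rules need no changes.
    Any value other than a literal "true" means False (assumption), so a
    typo can never switch a rule on by default.
    """
    raw = ruleset.get(attr)
    if raw is None:
        return True
    return raw.strip().lower() == "true"


def enabled_rulesets(xml_text, allow_unverified=False):
    """Return the names of rulesets that should be active.

    allow_unverified models the opt-in: a user who verifies certificates
    manually, or another add-on such as Perspectives being detected.
    """
    active = []
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        trusted = cert_flag(rs, "valid_ca") and cert_flag(rs, "matches_cn")
        if trusted or allow_unverified:
            active.append(rs.get("name"))
    return active


if __name__ == "__main__":
    print("default:", enabled_rulesets(SAMPLE))
    print("opt-in: ", enabled_rulesets(SAMPLE, allow_unverified=True))
```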