Spitting out dev console warnings is certainly a step forward. I'm not sure
how the new dev console and Firebug interact, but I assume these added
warnings would also show up in Firebug.
Another idea, also only visible to those poking about -- what about adding
additional text to the box that pops up when you click the lock? Chrome
does this for sites not implementing Certificate Transparency, for instance
("...but does not have public audit records.")
It'd also be nice if Mozilla joined Google in finding a way to surface an
indicator to more than those poking about.
-- Eric
On Wed, Sep 17, 2014 at 1:55 PM, Kathleen Wilson <[email protected]> wrote:
> On 9/6/14, 8:38 AM, Kosuke Kaizuka wrote:
>
>> On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote:
>>
>>> Hi everyone
>>>
>>> At present, there are a lot of articles saying that the weak SHA1 certificates
>>> with a long duration will be marked as weak/insecure in some browsers
>>> soon and in a few years they won't be accepted anymore.
>>> Does Mozilla have similar plans? Sadly I can't find a similar option in
>>> current Nightly.
>>>
>>
>> Please see Bug 942515.
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=942515
>>
>>
> Also see: https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
>
>
> Here's a proposal regarding indicators about SHA1 certificates...
>
> 1) Mozilla could (relatively quickly) add a security warning to the Web
> Console to warn about SHA-1 certificates that expire after January 1, 2017.
> The target audience of this indicator is web developers and web site
> administrators inspecting their pages.
>
> https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Security_warnings_and_errors
>
> 2) After January 1, 2017, Firefox would show the "Untrusted Connection"
> error whenever a SHA-1 certificate is encountered.** Note that the
> "Untrusted Connection" error is overrideable.
>
> 3) Based on telemetry, at some point after January 1, 2017, move the SHA-1
> error to not-overrideable.** Note that it could remain overrideable for
> self-signed certs.
>
> ** Of course, Mozilla would take this action earlier if needed to keep
> users safe.
>
>
> Does that sound reasonable?
>
> Kathleen
>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>
--
konklone.com | @konklone <https://twitter.com/konklone>
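As an added example, not code from this thread or from Mozilla, the three steps of the quoted proposal applied to a DER certificate's signatureAlgorithm and notAfter fields, in Python with a constructed skeleton certificate built in the same block. The SHA-1 OID set, the `hard_fail` flag standing in for the telemetry-driven step 3, the status strings and all function names are assumptions.

```python
import datetime as dt
# DER-encoded OIDs treated as "SHA-1 certificates" (assumption: sha1WithRSAEncryption, ecdsa-with-SHA1)
SHA1_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a8648ce3d0401")}
CUTOFF = dt.date(2017, 1, 1)  # from the proposal: SHA-1 certs that expire after this date are flagged

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _children(seq):  # split a SEQUENCE body into its (tag, value) elements
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _not_after(tbs):
    kids = _children(tbs)
    validity = kids[4 if kids[0][0] == 0xA0 else 3][1]  # skip the explicit [0] version if present
    tag, val = _children(validity)[1]  # notAfter is the second element of Validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode("ascii"), fmt).date()

def cert_sha1_status(der, today, self_signed=False, hard_fail=False):
    """Apply the three-step proposal to one DER certificate; hard_fail models step 3 (today: ISO date)."""
    today = dt.date.fromisoformat(today)
    cert = _children(_tlv(der, 0)[1])  # [tbsCertificate, signatureAlgorithm, signatureValue]
    if _children(cert[1][1])[0][1] not in SHA1_SIG_OIDS:
        return "ok"
    if today < CUTOFF:  # step 1: Web Console warning only, for certs that outlive the cutoff
        return "console-warning" if _not_after(cert[0][1]) > CUTOFF else "ok"
    if hard_fail and not self_signed:  # step 3: not overridable, except for self-signed certs
        return "untrusted-connection"
    return "untrusted-connection-overridable"  # step 2

def _enc(tag, body):  # short-form DER encoder, enough to build the constructed sample
    return bytes([tag, len(body)]) + body

SHA1_RSA = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010105")) + _enc(0x05, b""))
SHA256_RSA = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
def sample_cert(not_after, sig_alg=SHA1_RSA):  # constructed, unsigned skeleton cert with empty names
    end = dt.date.fromisoformat(not_after).strftime("%y%m%d%H%M%SZ").encode()
    validity = _enc(0x30, _enc(0x17, b"140917000000Z") + _enc(0x17, end))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sig_alg
               + _enc(0x30, b"") + validity + _enc(0x30, b"") + _enc(0x30, b""))
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))
```

The classifier only looks at the leaf's own signature algorithm; a real check would walk every non-root certificate in the chain the same way.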