On 19 July 2018 at 10:34, Philippe Mouawad <philippe.moua...@gmail.com> wrote: > On Thu, Jul 19, 2018 at 11:31 AM, sebb <seb...@gmail.com> wrote: > >> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.moua...@gmail.com> >> wrote: >> > Hello sebb, >> > >> > Yes users can change, but once again, it means adjusting defaults, >> knowing >> > they can be adjusted and which property it is. >> >> That can be documented. >> > > Which means all users read the whole documentation, do you think they do ? > I guess you know the famous RTFM :-) > > >> > Why not make defaults better for usability ? >> >> Because it compromises security. >> > > Can you give more details ?
The point of a CA is to certify that a certificate chain is valid. Locally generated CA certs do not do this. Once the cert has been approved by the browser, it can be used to certify anything, including a spoof bank site etc. JMeter users may not understand that, and so may not take sufficient care of the certificate and its password. Or they may forget that the cert has been added to the browser. Even some official CAs have inadvertently exposed their certs. I don't think we should ship JMeter with deliberately weak settings. Yes it may be inconvenient, but it is deliberately done to minimise the effects of accidental certificate exposure. Users that understand the risks can override the setting, but that is at their own risk. Remember that once the browser has stored the CA, it will be active regardless of whether JMeter is actually being used. So the sooner it expires, the safer it is. Maybe a week is too *long*. > >> >> > It looks like 3 months would be good for Bruno, Antonio, me. >> > Is it really a blocker for you ? if yes why ? >> >> As above. >> >> > @Others what's your opinion ? >> > >> > Thanks >> > >> > >> > >> > On Thu, Jul 19, 2018 at 10:55 AM, sebb <seb...@gmail.com> wrote: >> > >> >> It's a trade-off between convenience and security. >> >> >> >> It's risky adding the certificate to the browser. >> >> >> >> I don't think the default should be changed. >> >> >> >> Users can always change it themselves if they accept the risks. >> >> E.g. if they use a separate browser installation that has certificate, >> >> then a longer validity is more sensible. >> >> It's too easy to forget that the cert has been added to the browser. >> >> >> >> S. >> >> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0...@gmail.com> >> >> wrote: >> >> > +1 for me >> >> > >> >> > Le jeu. 19 juil. 2018 à 10:27, Philippe Mouawad < >> >> > p.moua...@ubik-ingenierie.com> a écrit : >> >> > >> >> >> Hello, >> >> >> Currently : >> >> >> >> >> >> - proxy.cert.validity=7 >> >> >> >> >> >> >> >> >> This is annoying for users who must remember to add the ROOT JMeter >> >> >> certificate to browser every week . >> >> >> >> >> >> I would suggest setting it to 1 year or at least 1 month. >> >> >> >> >> >> Regards >> >> >> Philippe >> >> >> >> >> >> > >> > >> > >> > -- >> > Cordialement. >> > Philippe Mouawad. >> > > > > -- > Cordialement. > Philippe Mouawad.
