On Thu, Jul 19, 2018 at 11:56 AM, sebb <[email protected]> wrote:
> On 19 July 2018 at 10:34, Philippe Mouawad <[email protected]> wrote:
> > On Thu, Jul 19, 2018 at 11:31 AM, sebb <[email protected]> wrote:
> >
> >> On 19 July 2018 at 10:28, Philippe Mouawad <[email protected]> wrote:
> >> > Hello sebb,
> >> >
> >> > Yes users can change, but once again, it means adjusting defaults, knowing
> >> > they can be adjusted and which property it is.
> >>
> >> That can be documented.
> >>
> >
> > Which means all users read the whole documentation, do you think they do?
> > I guess you know the famous RTFM :-)
> >
> >
> >> > Why not make defaults better for usability?
> >>
> >> Because it compromises security.
> >>
> >
> > Can you give more details?
>
> The point of a CA is to certify that a certificate chain is valid.
> Locally generated CA certs do not do this.
> Once the cert has been approved by the browser, it can be used to
> certify anything, including a spoof bank site etc.
>
> JMeter users may not understand that, and so may not take sufficient
> care of the certificate and its password.
> Or they may forget that the cert has been added to the browser.
>
> Even some official CAs have inadvertently exposed their certs.
>
> I don't think we should ship JMeter with deliberately weak settings.
>
> Yes it may be inconvenient, but it is deliberately done to minimise
> the effects of accidental certificate exposure.
>
> Users that understand the risks can override the setting, but that is
> at their own risk.
>
> Remember that once the browser has stored the CA, it will be active
> regardless of whether JMeter is actually being used.
> So the sooner it expires, the safer it is.
> Maybe a week is too *long*.
>

I am aware of that, but it means an attacker has accessed the user's machine to get the CA. So the JMeter side is only a consequence, not the root cause.

> >>
> >> > It looks like 3 months would be good for Bruno, Antonio, me.
> >> > Is it really a blocker for you? If yes, why?
> >>
> >> As above.
> >>
> >> > @Others what's your opinion?
> >> >
> >> > Thanks
> >> >
> >> > On Thu, Jul 19, 2018 at 10:55 AM, sebb <[email protected]> wrote:
> >> >
> >> >> It's a trade-off between convenience and security.
> >> >>
> >> >> It's risky adding the certificate to the browser.
> >> >>
> >> >> I don't think the default should be changed.
> >> >>
> >> >> Users can always change it themselves if they accept the risks.
> >> >> E.g. if they use a separate browser installation that has the certificate,
> >> >> then a longer validity is more sensible.
> >> >> It's too easy to forget that the cert has been added to the browser.
> >> >>
> >> >> S.
> >> >> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <[email protected]> wrote:
> >> >> > +1 for me
> >> >> >
> >> >> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <[email protected]> wrote:
> >> >> >
> >> >> >> Hello,
> >> >> >> Currently:
> >> >> >>
> >> >> >> - proxy.cert.validity=7
> >> >> >>
> >> >> >> This is annoying for users who must remember to add the ROOT JMeter
> >> >> >> certificate to the browser every week.
> >> >> >>
> >> >> >> I would suggest setting it to 1 year or at least 1 month.
> >> >> >>
> >> >> >> Regards
> >> >> >> Philippe
> >> >> >>
> >> >>
> >> >
> >
>
--
Regards.
Philippe Mouawad.
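As an added illustration of the trade-off argued above (this is not JMeter's code and not anything posted by the list participants): a POSIX shell script that builds a throwaway root CA with a chosen validity, the way a recording proxy does, then reports how long a browser that imported it would keep trusting it and whether that window exceeds a local policy. It assumes openssl(1) and GNU date(1); the CA subject and the 30-day policy are constructed values.

```shell
#!/bin/sh
# Added example, not JMeter's code: build a throwaway root CA with a given
# validity (days), as a recording proxy does, and measure the trust window
# a browser that imported it would carry. Assumes openssl(1) and GNU date(1).
set -eu

# make_test_ca DIR DAYS: self-signed CA (constructed, throwaway) in DIR/ca.crt
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=Throwaway recording-proxy CA (constructed)" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# cert_epoch CERT startdate|enddate: notBefore/notAfter as seconds since epoch
cert_epoch() {
  date -u -d "$(openssl x509 -in "$1" -noout "-$2" | cut -d= -f2)" +%s
}

# validity_days CERT: whole days between notBefore and notAfter
validity_days() {
  echo $(( ( $(cert_epoch "$1" enddate) - $(cert_epoch "$1" startdate) ) / 86400 ))
}

# days_left CERT: whole days until a browser would stop trusting it
days_left() {
  echo $(( ( $(cert_epoch "$1" enddate) - $(date -u +%s) ) / 86400 ))
}

# check_policy CERT MAX_DAYS: flag a locally generated CA whose lifetime
# exceeds what you are willing to leave active in a browser trust store
check_policy() {
  if [ "$(validity_days "$1")" -le "$2" ]; then echo "OK"; else echo "TOO LONG"; fi
}

# Stand-alone demo: the 7-day default beside a 1-year override, against a
# constructed 30-day policy.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  for days in 7 365; do
    make_test_ca "$d" "$days"
    printf '%s days requested -> %s valid, %s left: %s\n' \
      "$days" "$(validity_days "$d/ca.crt")" "$(days_left "$d/ca.crt")" \
      "$(check_policy "$d/ca.crt" 30)"
  done
  rm -rf "$d"
fi
```

Run with `sh script.sh demo`; the same functions can be pointed at a CA exported from a browser's trust store to see how long a forgotten proxy CA will stay active.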
