As a longtime jmeter user, I would like the option to decide how long my certificates will be valid, 1 week, 2 weeks, 3 weeks etc. And perhaps a warning describing the consequences of the security vulnerabilities.
Most jmeter users, I feel will be in a position to judge the security risk themselves and use the certificate accordingly. Sent from my iPhone > On Jul 19, 2018, at 4:06 AM, Milamber <[email protected]> wrote: > > > >> On 19/07/2018 11:03, Philippe Mouawad wrote: >>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <[email protected]> wrote: >>> >>> On 19 July 2018 at 10:34, Philippe Mouawad <[email protected]> >>> wrote: >>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <[email protected]> wrote: >>>> >>>>> On 19 July 2018 at 10:28, Philippe Mouawad <[email protected]> >>>>> wrote: >>>>>> Hello sebb, >>>>>> >>>>>> Yes users can change, but once again, it means adjusting defaults, >>>>> knowing >>>>>> they can be adjusted and which property it is. >>>>> That can be documented. >>>>> >>>> Which means all users read the whole documentation, do you think they do >>> ? >>>> I guess you know the famous RTFM :-) >>>> >>>> >>>>>> Why not make defaults better for usability ? >>>>> Because it compromises security. >>>>> >>>> Can you give more details ? >>> The point of a CA is to certify that a certificate chain is valid. >>> Locally generated CA certs do not do this. >>> Once the cert has been approved by the browser, it can be used to >>> certify anything, including a spoof bank site etc. >>> >>> JMeter users may not understand that, and so may not take sufficient >>> care of the certificate and its password. >>> Or they may forget that the cert has been added to the browser. >>> >>> Even some official CAs have inadvertently exposed their certs. >>> >>> I don't think we should ship JMeter with deliberately weak settings. >>> >>> Yes it may be inconvenient, but it is deliberately done to minimise >>> the effects of accidental certificate exposure. >>> >>> Users that understand the risks can override the setting, but that is >>> at their own risk. >>> >>> Remember that once the browser has stored the CA, it will be active >>> regardless of whether JMeter is actually being used. >>> So the sooner it expires, the safer it is. >>> Maybe a week is too *long*. >>> >> I am aware of that, but it means attacker has accessed the machine of user >> to get the CA. >> So the JMeter side is only a consequence, not root cause > > > The risk is the same if the duration is 7 days or 3 months, because the > attacker need to have access to the private key of the temp JMeter CA root to > generate some fake cert signed by the CA. This private key is on the machine > (keystore.jks) > And if an attacker have already an access to the machine, it's can add > directly another CA (not JMeter CA) into the certs vault on the machine, to > made some malicious opérations... > > 3 months seems good for me (this is the mean duration for my load test > missions) > > > > > >> >>>>>> It looks like 3 months would be good for Bruno, Antonio, me. >>>>>> Is it really a blocker for you ? if yes why ? >>>>> As above. >>>>> >>>>>> @Others what's your opinion ? >>>>>> >>>>>> Thanks >>>>>> >>>>>> >>>>>> >>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <[email protected]> wrote: >>>>>>> >>>>>>> It's a trade-off between convenience and security. >>>>>>> >>>>>>> It's risky adding the certificate to the browser. >>>>>>> >>>>>>> I don't think the default should be changed. >>>>>>> >>>>>>> Users can always change it themselves if they accept the risks. >>>>>>> E.g. if they use a separate browser installation that has >>> certificate, >>>>>>> then a longer validity is more sensible. >>>>>>> It's too easy to forget that the cert has been added to the browser. >>>>>>> >>>>>>> S. >>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <[email protected]> >>>>>>> wrote: >>>>>>>> +1 for me >>>>>>>> >>>>>>>> Le jeu. 19 juil. 2018 à 10:27, Philippe Mouawad < >>>>>>>> [email protected]> a écrit : >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> Currently : >>>>>>>>> >>>>>>>>> - proxy.cert.validity=7 >>>>>>>>> >>>>>>>>> >>>>>>>>> This is annoying for users who must remember to add the ROOT >>> JMeter >>>>>>>>> certificate to browser every week . >>>>>>>>> >>>>>>>>> I would suggest setting it to 1 year or at least 1 month. >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> Philippe >>>>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Cordialement. >>>>>> Philippe Mouawad. >>>> >>>> >>>> -- >>>> Cordialement. >>>> Philippe Mouawad. >> >> >
