Hello,
For now I increase validity to 3 months as there is a majority that agrees.
I guess in the future, Felix's proposal is better, but meanwhile, let's increase usability.
Regards

On Thu, Jul 19, 2018 at 8:11 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
> Would the addition of such a message remove the need for a longer default period?
>
> Or should we even let the user decide on generation how long it should be valid? (with a short default like the seven days we currently have.)
>
> Felix
>
> On 19.07.2018 at 15:06, Philippe Mouawad wrote:
>> What ????
>> You didn't read the manual :-) ?????
>>
>> Just kidding :-)
>>
>> Thanks for your ideas
>>
>> On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <srijon...@gmail.com> wrote:
>>> I was not aware that it is a configuration.
>>>
>>> Usually I see a pop-up which mentions that certificate is valid for 7 days. Maybe we could mention that changing the config proxy.cert.validity will change the validity of the certificate.
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <philippe.moua...@gmail.com> wrote:
>>>> Hello,
>>>> See:
>>>> http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
>>>>
>>>> The property is:
>>>> proxy.cert.validity
>>>>
>>>> How would you like it improved ?
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <srijon...@gmail.com> wrote:
>>>>> As a longtime jmeter user, I would like the option to decide how long my certificates will be valid, 1 week, 2 weeks, 3 weeks etc. And perhaps a warning describing the consequences of the security vulnerabilities.
>>>>>
>>>>> Most jmeter users, I feel, will be in a position to judge the security risk themselves and use the certificate accordingly.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Jul 19, 2018, at 4:06 AM, Milamber <milam...@apache.org> wrote:
>>>>>>
>>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <seb...@gmail.com> wrote:
>>>>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.moua...@gmail.com> wrote:
>>>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <seb...@gmail.com> wrote:
>>>>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.moua...@gmail.com> wrote:
>>>>>>>>>>> Hello sebb,
>>>>>>>>>>>
>>>>>>>>>>> Yes users can change, but once again, it means adjusting defaults, knowing they can be adjusted and which property it is.
>>>>>>>>>>
>>>>>>>>>> That can be documented.
>>>>>>>>>
>>>>>>>>> Which means all users read the whole documentation, do you think they do ?
>>>>>>>>> I guess you know the famous RTFM :-)
>>>>>>>>>
>>>>>>>>>>> Why not make defaults better for usability ?
>>>>>>>>>>
>>>>>>>>>> Because it compromises security.
>>>>>>>>>
>>>>>>>>> Can you give more details ?
>>>>>>>>
>>>>>>>> The point of a CA is to certify that a certificate chain is valid.
>>>>>>>> Locally generated CA certs do not do this.
>>>>>>>> Once the cert has been approved by the browser, it can be used to certify anything, including a spoof bank site etc.
>>>>>>>>
>>>>>>>> JMeter users may not understand that, and so may not take sufficient care of the certificate and its password.
>>>>>>>> Or they may forget that the cert has been added to the browser.
>>>>>>>>
>>>>>>>> Even some official CAs have inadvertently exposed their certs.
>>>>>>>>
>>>>>>>> I don't think we should ship JMeter with deliberately weak settings.
>>>>>>>>
>>>>>>>> Yes it may be inconvenient, but it is deliberately done to minimise the effects of accidental certificate exposure.
>>>>>>>>
>>>>>>>> Users that understand the risks can override the setting, but that is at their own risk.
>>>>>>>>
>>>>>>>> Remember that once the browser has stored the CA, it will be active regardless of whether JMeter is actually being used.
>>>>>>>> So the sooner it expires, the safer it is.
>>>>>>>> Maybe a week is too *long*.
>>>>>>>
>>>>>>> I am aware of that, but it means the attacker has accessed the machine of the user to get the CA.
>>>>>>> So the JMeter side is only a consequence, not the root cause.
>>>>>>
>>>>>> The risk is the same if the duration is 7 days or 3 months, because the attacker needs to have access to the private key of the temp JMeter CA root to generate some fake cert signed by the CA. This private key is on the machine (keystore.jks).
>>>>>>
>>>>>> And if an attacker already has access to the machine, they can directly add another CA (not the JMeter CA) into the certs vault on the machine, to make some malicious operations...
>>>>>>
>>>>>> 3 months seems good for me (this is the mean duration for my load test missions).
>>>>>>
>>>>>>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>>>>>>> Is it really a blocker for you ? if yes why ?
>>>>>>>>>>
>>>>>>>>>> As above.
>>>>>>>>>>
>>>>>>>>>>> @Others what's your opinion ?
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <seb...@gmail.com> wrote:
>>>>>>>>>>>> It's a trade-off between convenience and security.
>>>>>>>>>>>>
>>>>>>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>>>>>>
>>>>>>>>>>>> I don't think the default should be changed.
>>>>>>>>>>>>
>>>>>>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>>>>>>> E.g. if they use a separate browser installation that has the certificate, then a longer validity is more sensible.
>>>>>>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>>>>>>
>>>>>>>>>>>> S.
>>>>>>>>>>>>
>>>>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0...@gmail.com> wrote:
>>>>>>>>>>>>> +1 for me
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:27, Philippe Mouawad <p.moua...@ubik-ingenierie.com> wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> Currently :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - proxy.cert.validity=7
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter certificate to the browser every week.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>> Philippe
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Regards.
>>>>>>>>>>> Philippe Mouawad.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards.
>>>>>>>>> Philippe Mouawad.
>>>>
>>>> --
>>>> Regards.
>>>> Philippe Mouawad.

--
Regards.
Philippe Mouawad.
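The thread's two security points are that a locally generated root CA stays trusted by the browser until it expires, whatever the chosen validity, and that its private key lives in a keystore on the user's machine. A practical housekeeping check for either side of that trade-off is to list what is in the recorder keystore and how many days each CA certificate has left. The following Java program is an added example written for this page, not JMeter project code; it assumes the JKS keystore path, its password and a day threshold are passed on the command line (the recorder's real keystore name, password and alias are not taken from the thread) and flags any CA certificate that is expired or valid for longer than the threshold, noting whether the matching private key is present in the keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not JMeter code): audit a JKS keystore such as the one the
 * Test Script Recorder writes, reporting each CA certificate's remaining
 * validity so the operator knows when to remove it from the browser trust store.
 *
 * Usage: java RecorderCaAudit <keystore.jks> <password> [maxDays]
 * The keystore path, password and maxDays are hypothetical inputs supplied by the caller.
 */
public class RecorderCaAudit {

    /** One audited keystore entry. */
    public static final class Finding {
        public final String alias;
        public final String subject;
        public final boolean isCa;
        public final boolean hasPrivateKey;
        public final long daysLeft;
        public final String verdict;

        Finding(String alias, String subject, boolean isCa, boolean hasPrivateKey,
                long daysLeft, String verdict) {
            this.alias = alias;
            this.subject = subject;
            this.isCa = isCa;
            this.hasPrivateKey = hasPrivateKey;
            this.daysLeft = daysLeft;
            this.verdict = verdict;
        }
    }

    /** Walk every entry and classify it against the day threshold, relative to 'now'. */
    public static List<Finding> audit(KeyStore ks, long maxDays, Instant now) throws Exception {
        List<Finding> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // only X.509 entries carry a validity period we can audit
            }
            X509Certificate x = (X509Certificate) c;
            long daysLeft = ChronoUnit.DAYS.between(now, x.getNotAfter().toInstant());
            // getBasicConstraints() is -1 for end-entity certs and >= 0 when CA:TRUE is set
            boolean isCa = x.getBasicConstraints() >= 0;
            // a key entry means the signing key for this CA sits in this keystore file
            boolean hasKey = ks.isKeyEntry(alias);

            String verdict;
            if (daysLeft < 0) {
                verdict = "EXPIRED: remove it from any browser that still trusts it";
            } else if (isCa && daysLeft > maxDays) {
                verdict = "CA valid for longer than the " + maxDays + "-day limit";
            } else {
                verdict = "ok";
            }
            out.add(new Finding(alias, x.getSubjectX500Principal().getName(),
                    isCa, hasKey, daysLeft, verdict));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: RecorderCaAudit <keystore.jks> <password> [maxDays]");
            System.exit(2);
        }
        // 7 days is the proxy.cert.validity default discussed in the thread
        long maxDays = args.length > 2 ? Long.parseLong(args[2]) : 7;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Finding f : audit(ks, maxDays, Instant.now())) {
            System.out.printf("%-24s CA=%-5b key=%-5b days-left=%5d  %s%n  subject: %s%n",
                    f.alias, f.isCa, f.hasPrivateKey, f.daysLeft, f.verdict, f.subject);
        }
    }
}
```

Run it against the recorder keystore after each recording session; an entry reported as EXPIRED is the cue to delete the corresponding root from the browser's trust store, and an entry whose remaining validity exceeds the limit you chose for proxy.cert.validity means the property in user.properties no longer matches what is actually installed.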