Quoth Alexander Keller:
> > surf is not _silently_ ignoring them. If the validation fails, `sslfailed`
> > will be true and in the window title you can see a `…:U` for untrusted
> > instead of `…:T` for trusted.
> You're right. It does provide that feedback. My apologies. :)
It does, but it will still make the connection. I'd rather some
dialog box, so that my session state won't be automatically passed
along to an untrusted server. Not sure the most elegant way to do
this - I suppose one could have a little dmenu prompt asking whether
to continue the connection or cancel it.
> I've just been doing a bunch of digging in the TLS code under `void
> loadstatuschange`. I was prompted because it listed my own domain as
> untrusted. It turns out, if the website is cached and you visit a page
> at https, the page will be marked untrusted. This is because `msg` will
> have no certificate attached. I don't know if this behaviour is
> intentional. You can test this with:
> Load the page, then close surf and open the page again. The first time
> you visit it will be trusted, the second it will be untrusted. It will
> load regardless of your `strictssl` setting. If it is untrusted the
> first time, clear your cache in `~/.surf/cache/` then repeat the
> experiment you should see it.
Good find, thanks, I had been wondering why some sites showed
untrusted seemingly erroneously.