----- Original Message -----
> From: "Chris Palmer" <pal...@google.com>
> To: "Hubert Kario" <hka...@redhat.com>
> Cc: "David E. Ross" <nobody@nowhere.invalid>, mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Tuesday, 22 July, 2014 1:08:57 AM
> Subject: Re: Proposal: Switch generic icon to negative feedback for non-https sites
>
> On Sun, Jul 20, 2014 at 3:23 AM, Hubert Kario <hka...@redhat.com> wrote:
>
> > and while we're at it, let's get rid of those warnings about self
> > signed certificates -- they are less insecure than HTTP (Firefox actually
> > uses certificate pinning for sites with previously waived cert problems!)
> > so let's not treat them worse than HTTP connections
>
> I'm pretty sure Firefox merely remembers your decision to click
> through the warning, not that it pins the keys/certificates in the
> chain you clicked through on.
>
> Although I have proposed that for certain use-cases, its applicability
> is limited — will people know how to recover if the key(s) change(s)?
No, I'm sure it remembers the certificate. I have set up an SNI-enabled server that returns one certificate for two different virtual hosts. When the certificate was about to expire, I changed it to a new one signed by a trusted CA. For the site for which the CN matched, Firefox didn't even bat an eye; for the site for which I had to waive the mismatched CN in the past, I had to waive the certificate again.

I can retest with self-signed certificates, but I'd be very surprised if it didn't work exactly the same.

-- 
Regards,
Hubert Kario
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
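The behaviour reported in the reply above, as an added example that is not part of the original thread or of Mozilla's own code: a small Python model of Firefox's cert_override.txt exception store. It assumes the file layout PSM writes (one tab-separated line per exception: host:port, hash-algorithm OID, flag letters M/U/T, colon-separated SHA-256 fingerprint, dbkey) and uses constructed byte strings in place of DER-encoded certificates; the hostnames, certificate bytes and dbkey are placeholders, and only SHA-256 entries are handled.

```python
import hashlib

# Hash OID that Firefox's PSM writes for SHA-256 fingerprints in cert_override.txt.
# Assumption: only SHA-256 entries are handled by this model.
OID_SHA256 = "OID.2.16.840.1.101.3.4.2.1"

# Override flag letters used by PSM: M = domain (CN/SAN) mismatch,
# U = untrusted issuer (e.g. self-signed), T = time (expired / not yet valid).
KNOWN_FLAGS = frozenset("MUT")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase hex form Firefox stores."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_cert_override(text: str) -> dict:
    """Parse cert_override.txt into {(host, port): (flags, fingerprint)}.

    Fields are tab-separated: host:port, hash OID, flag letters,
    fingerprint, dbkey (issuer+serial, unused here). Lines starting
    with '#' are comments.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue  # malformed line: ignore it rather than accept anything
        hostport, oid, flags, stored_fp = fields[:4]
        if oid != OID_SHA256:
            continue  # unknown hash algorithm: no usable override
        host, _, port = hostport.rpartition(":")
        entries[(host, int(port))] = (frozenset(flags) & KNOWN_FLAGS, stored_fp)
    return entries


def override_applies(entries: dict, host: str, port: int,
                     cert_der: bytes, errors: set) -> bool:
    """True only if a stored exception covers *this* cert and *these* errors."""
    entry = entries.get((host, port))
    if entry is None:
        return False
    flags, stored_fp = entry
    if fingerprint(cert_der) != stored_fp:
        return False  # the exception is bound to the cert's fingerprint, not to the host alone
    return set(errors) <= flags  # every current error must have been waived before


def connection_accepted(entries: dict, host: str, port: int,
                        cert_der: bytes, errors: set) -> bool:
    """A cert with no validation errors never consults the override store;
    a cert with errors is accepted only if a matching override covers them."""
    if not errors:
        return True
    return override_applies(entries, host, port, cert_der, errors)


def write_override_line(host: str, port: int, cert_der: bytes, flags: str,
                        dbkey: str = "Y29uc3RydWN0ZWQ=") -> str:
    """Render one cert_override.txt line (dbkey is a constructed placeholder)."""
    return "\t".join([f"{host}:{port}", OID_SHA256, flags, fingerprint(cert_der), dbkey])


# Constructed stand-ins for DER certificates: any bytes will do for the
# fingerprint logic, these are not real certificates.
OLD_CERT = b"constructed: shared cert, CN=www.example.test, about to expire"
NEW_CERT = b"constructed: replacement cert, CN=www.example.test, CA-signed"

# The override file after the user waived the CN mismatch for the second
# virtual host while OLD_CERT was still being served.
OVERRIDE_FILE = "\n".join([
    "# PSM Certificate Override Settings file",
    "# This is a generated file!  Do not edit.",
    write_override_line("alt.example.test", 443, OLD_CERT, "M"),
]) + "\n"


def replay_scenario(cert_der: bytes) -> dict:
    """Outcome for both vhosts when the server presents cert_der.
    www: the name matches and the chain is trusted, so no errors.
    alt: the name still does not match, so error set {'M'} triggers an override lookup."""
    entries = parse_cert_override(OVERRIDE_FILE)
    return {
        "www.example.test": connection_accepted(entries, "www.example.test", 443, cert_der, set()),
        "alt.example.test": connection_accepted(entries, "alt.example.test", 443, cert_der, {"M"}),
    }


if __name__ == "__main__":
    print("old cert:", replay_scenario(OLD_CERT))  # alt accepted via the stored exception
    print("new cert:", replay_scenario(NEW_CERT))  # alt must be waived again
```

Because the stored exception is keyed on the fingerprint of the certificate that was waived, swapping in a reissued certificate invalidates it even when the new one is CA-signed: the host whose name matches passes normal validation and never touches the store, while the host whose name still mismatches fails the fingerprint comparison and prompts again. Note the practical limit of this mechanism: the store is consulted only when validation has already failed, so it does not behave as a pin for certificates that validate cleanly.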