On 19 July 2018 at 12:06, Milamber <[email protected]> wrote:
>
> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>
>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <[email protected]> wrote:
>>
>>> On 19 July 2018 at 10:34, Philippe Mouawad <[email protected]> wrote:
>>>>
>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <[email protected]> wrote:
>>>>
>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <[email protected]> wrote:
>>>>>>
>>>>>> Hello sebb,
>>>>>>
>>>>>> Yes users can change, but once again, it means adjusting defaults, knowing
>>>>>> they can be adjusted and which property it is.
>>>>>
>>>>> That can be documented.
>>>>>
>>>> Which means all users read the whole documentation; do you think they do?
>>>>
>>>> I guess you know the famous RTFM :-)
>>>>
>>>>>> Why not make defaults better for usability?
>>>>>
>>>>> Because it compromises security.
>>>>>
>>>> Can you give more details?
>>>
>>> The point of a CA is to certify that a certificate chain is valid.
>>> Locally generated CA certs do not do this.
>>> Once the cert has been approved by the browser, it can be used to
>>> certify anything, including a spoof bank site etc.
>>>
>>> JMeter users may not understand that, and so may not take sufficient
>>> care of the certificate and its password.
>>> Or they may forget that the cert has been added to the browser.
>>>
>>> Even some official CAs have inadvertently exposed their certs.
>>>
>>> I don't think we should ship JMeter with deliberately weak settings.
>>>
>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>> the effects of accidental certificate exposure.
>>>
>>> Users that understand the risks can override the setting, but that is
>>> at their own risk.
>>>
>>> Remember that once the browser has stored the CA, it will be active
>>> regardless of whether JMeter is actually being used.
>>> So the sooner it expires, the safer it is.
>>> Maybe a week is too *long*.
>>>
>> I am aware of that, but it means the attacker has accessed the machine of the user
>> to get the CA.
>> So the JMeter side is only a consequence, not the root cause.
>
> The risk is the same if the duration is 7 days or 3 months, because the
> attacker needs to have access to the private key of the temp JMeter CA root
> to generate some fake cert signed by the CA. This private key is on the
> machine (keystore.jks).
> And if an attacker already has access to the machine, they can add
> another CA (not the JMeter CA) directly into the certs vault on the machine, to
> make some malicious operations...

It is quite a bit harder to update the browser cert vault than it is
to grab a file or two from the JMeter home directory.
That can be done by a malicious JMX file.

Since it looks like we will not get consensus, I suggest we ask the
security@ mailing list what is the best approach here.

> 3 months seems good for me (this is the mean duration for my load test
> missions)
>
>>
>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>> Is it really a blocker for you? If yes, why?
>>>>>
>>>>> As above.
>>>>>
>>>>>> @Others what's your opinion?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <[email protected]> wrote:
>>>>>>
>>>>>>> It's a trade-off between convenience and security.
>>>>>>>
>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>
>>>>>>> I don't think the default should be changed.
>>>>>>>
>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>> then a longer validity is more sensible.
>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>
>>>>>>> S.
>>>>>>>
>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <[email protected]> wrote:
>>>>>>>>
>>>>>>>> +1 for me
>>>>>>>>
>>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> Currently:
>>>>>>>>>
>>>>>>>>> - proxy.cert.validity=7
>>>>>>>>>
>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>> certificate to the browser every week.
>>>>>>>>>
>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Philippe
>>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards.
>>>>>> Philippe Mouawad.
>>>>
>>>> --
>>>> Regards.
>>>> Philippe Mouawad.
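The thread turns on how long a locally generated recording CA stays trusted once it has been imported into a browser. As an added example (not code from this thread, from JMeter, or from any of the posters), the script below reads the validity window and subject CN out of a DER-encoded CA certificate using only the Python standard library and flags it against a validity policy, so a user can see how long an imported CA will remain active and whether it exceeds the `proxy.cert.validity=7` default the thread discusses. The JMeter keystore alias, the CA's subject name and the export command are not on the page and are not assumed here; the certificate the script builds for its self-test is a constructed, unsigned skeleton, not a real CA.

```python
"""Audit the validity window of a DER-encoded CA certificate (stdlib only).
Added example; not JMeter code. The test cert is a constructed skeleton."""
import datetime as dt

# ---- minimal DER reader -------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8N + N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a SEQUENCE/SET into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def _tbs_fields(der):
    """Fields of tbsCertificate with the optional [0] EXPLICIT version removed."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])      # first child is tbsCertificate
    return fields[1:] if fields[0][0] == 0xA0 else fields

def cert_validity(der):
    """(notBefore, notAfter) of the certificate as aware UTC datetimes."""
    # order after version: serialNumber, signature, issuer, validity, subject, ...
    validity = _children(_tbs_fields(der)[3][1])
    return _parse_time(*validity[0]), _parse_time(*validity[1])

def subject_cn(der):
    """commonName (OID 2.5.4.3) from the subject Name, or None if absent."""
    for _, rdn in _children(_tbs_fields(der)[4][1]):       # Name -> SET of RDNs
        for _, atv in _children(rdn):                      # RDN -> AttributeTypeAndValue
            oid, value = _children(atv)
            if oid[1] == bytes.fromhex("550403"):
                return value[1].decode("utf-8")
    return None

def audit_ca_cert(der, max_validity_days, now=None):
    """Compare the CA's lifetime with a policy such as JMeter's 7-day default."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = cert_validity(der)
    lifetime = (not_after - not_before).days
    return {
        "subject_cn": subject_cn(der),
        "lifetime_days": lifetime,
        "expired": now >= not_after,
        "days_remaining": max((not_after - now).days, 0),
        "exceeds_policy": lifetime > max_validity_days,
    }

# ---- constructed test certificate: unsigned skeleton, not a usable CA ----
def _tlv(tag, content):
    """DER-encode one tag/length/value triple."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_test_cert(not_before, validity_days, cn="Test Recording Root CA"):
    """Structurally valid X.509 v3 shell with an empty SPKI and a dummy signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                            + _tlv(0x0C, cn.encode()))))
    def utc(t):
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    not_after = not_before + dt.timedelta(days=validity_days)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + name + _tlv(0x30, utc(not_before) + utc(not_after)) + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    import sys
    # Pass a DER file exported from your own keystore, or fall back to the constructed cert.
    der = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
           else build_test_cert(dt.datetime(2018, 7, 19, tzinfo=dt.timezone.utc), 90))
    print(audit_ca_cert(der, max_validity_days=7))
```

Run it against a certificate exported in DER form from the keystore (for a JKS keystore, `keytool -exportcert` writes DER unless `-rfc` is given); a result with `expired: False` and a large `days_remaining` for a CA you no longer use is exactly the forgotten-browser-import case sebb describes, and the cert should then be removed from the browser's trust store.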
