Hello,
Can you please do that? Thank you

On Thu, Jul 19, 2018 at 4:25 PM, sebb <[email protected]> wrote:
> On 19 July 2018 at 12:06, Milamber <[email protected]> wrote:
> >
> > On 19/07/2018 11:03, Philippe Mouawad wrote:
> >>
> >> On Thu, Jul 19, 2018 at 11:56 AM, sebb <[email protected]> wrote:
> >>
> >>> On 19 July 2018 at 10:34, Philippe Mouawad <[email protected]> wrote:
> >>>>
> >>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <[email protected]> wrote:
> >>>>
> >>>>> On 19 July 2018 at 10:28, Philippe Mouawad <[email protected]> wrote:
> >>>>>>
> >>>>>> Hello sebb,
> >>>>>>
> >>>>>> Yes users can change, but once again, it means adjusting defaults,
> >>>>>> knowing they can be adjusted and which property it is.
> >>>>>
> >>>>> That can be documented.
> >>>>>
> >>>> Which means all users read the whole documentation, do you think they do?
> >>>>
> >>>> I guess you know the famous RTFM :-)
> >>>>
> >>>>>> Why not make defaults better for usability?
> >>>>>
> >>>>> Because it compromises security.
> >>>>>
> >>>> Can you give more details?
> >>>
> >>> The point of a CA is to certify that a certificate chain is valid.
> >>> Locally generated CA certs do not do this.
> >>> Once the cert has been approved by the browser, it can be used to
> >>> certify anything, including a spoof bank site etc.
> >>>
> >>> JMeter users may not understand that, and so may not take sufficient
> >>> care of the certificate and its password.
> >>> Or they may forget that the cert has been added to the browser.
> >>>
> >>> Even some official CAs have inadvertently exposed their certs.
> >>>
> >>> I don't think we should ship JMeter with deliberately weak settings.
> >>>
> >>> Yes it may be inconvenient, but it is deliberately done to minimise
> >>> the effects of accidental certificate exposure.
> >>>
> >>> Users that understand the risks can override the setting, but that is
> >>> at their own risk.
> >>>
> >>> Remember that once the browser has stored the CA, it will be active
> >>> regardless of whether JMeter is actually being used.
> >>> So the sooner it expires, the safer it is.
> >>> Maybe a week is too *long*.
> >>>
> >> I am aware of that, but it means the attacker has accessed the machine of the user
> >> to get the CA.
> >> So the JMeter side is only a consequence, not the root cause.
> >
> > The risk is the same if the duration is 7 days or 3 months, because the
> > attacker needs to have access to the private key of the temp JMeter CA root
> > to generate some fake cert signed by the CA. This private key is on the
> > machine (keystore.jks).
> > And if an attacker already has access to the machine, it can add
> > directly another CA (not the JMeter CA) into the certs vault on the machine, to
> > make some malicious operations...
>
> It is quite a bit harder to update the browser cert vault than it is
> to grab a file or two from the JMeter home directory.
> That can be done by a malicious JMX file.
>
> Since it looks like we will not get consensus I suggest we ask the
> security@ mailing list what is the best approach here.
>
> > 3 months seems good for me (this is the mean duration for my load test
> > missions)
> >
> >>
> >>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
> >>>>>> Is it really a blocker for you? If yes, why?
> >>>>>
> >>>>> As above.
> >>>>>
> >>>>>> @Others what's your opinion?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <[email protected]> wrote:
> >>>>>>
> >>>>>>> It's a trade-off between convenience and security.
> >>>>>>>
> >>>>>>> It's risky adding the certificate to the browser.
> >>>>>>>
> >>>>>>> I don't think the default should be changed.
> >>>>>>>
> >>>>>>> Users can always change it themselves if they accept the risks.
> >>>>>>> E.g. if they use a separate browser installation that has the certificate,
> >>>>>>> then a longer validity is more sensible.
> >>>>>>> It's too easy to forget that the cert has been added to the browser.
> >>>>>>>
> >>>>>>> S.
> >>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> +1 for me
> >>>>>>>>
> >>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> Hello,
> >>>>>>>>> Currently:
> >>>>>>>>>
> >>>>>>>>> - proxy.cert.validity=7
> >>>>>>>>>
> >>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
> >>>>>>>>> certificate to the browser every week.
> >>>>>>>>>
> >>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Philippe
> >>>>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards.
> >>>>>> Philippe Mouawad.
> >>>>
> >>>> --
> >>>> Regards.
> >>>> Philippe Mouawad.
> >>
> >

--
Regards.
Philippe Mouawad.
