https://bugs.kde.org/show_bug.cgi?id=415646

            Bug ID: 415646
           Summary: allow to view sha256 hash of unknown certificates
           Product: Falkon
           Version: 3.1.0
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: now...@gmail.com
          Reporter: estel...@elstel.org
  Target Milestone: ---

If I visit a site with a self-signed certificate, or if a CA has not been
preconfigured, I am prompted to accept the certificate of this site. However,
there is no way to check the validity of such a certificate. This is normally
done by comparing the sha256 hash of the cert in use against the hash of a
known good cert. A known good cert hash can, for instance, be retrieved via DANE:

$ drill a.root-servers.net +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.debian.org | egrep -v "^(;.*)?$"
_443._tcp.debian.org.   580     IN      TLSA    3 1 1 5f33491e2b2d267f7bff096ad0dcb4ae5a22c0be19db0ab6728bed942f0719fc

It should be possible to view the sha256 hash of a cert before you accept it,
and it should be possible to store such an exception permanently. For certain
use cases it is also necessary to disable all default CAs of libnss3 and to
only allow a certain list of hand-picked certificates. There are some bad CAs
issuing rogue certs among this list, and once you accept them your computer can
get cracked in a fraction of a second.

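Added example (not part of the original report and not Falkon code): the comparison the report asks for, done against TLSA rdata in the form shown above. In the record `3 1 1`, selector 1 means the SHA-256 digest covers the certificate's SubjectPublicKeyInfo (RFC 6698), whereas selector 0 covers the whole DER certificate, so a viewer that shows only the full-certificate fingerprint cannot be compared with this record directly. The function names and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib, hmac

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def tlsa_matches(cert_der, rdata):
    """Compare a certificate with TLSA rdata 'usage selector mtype hex' (RFC 6698)."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)
    if selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported TLSA selector or matching type")
    data = cert_der if selector == "0" else extract_spki(cert_der)  # 0 = cert, 1 = SPKI
    if mtype != "0":                        # 1 = SHA-256, 2 = SHA-512, 0 = exact bytes
        data = hashlib.new("sha256" if mtype == "1" else "sha512", data).digest()
    return hmac.compare_digest(data, bytes.fromhex("".join(hexdata.split())))

def tlv(tag, value):
    """Minimal DER encoder (lengths < 256), used only to build the sample below."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

# Constructed, certificate-shaped DER with a dummy Ed25519 key and signature; not a real cert.
ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(32))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + tlv(0x30, b"")
          + tlv(0x30, tlv(0x17, b"200101000000Z") * 2) + tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    record = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
    print(record, tlsa_matches(SAMPLE_CERT, record))
```

For a live check, the DER input can be obtained with the standard library calls `ssl.get_server_certificate()` and `ssl.PEM_cert_to_DER_cert()`.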