Bug 139292 - Do not allow users to ignore SSL certificate warnings
Summary: Do not allow users to ignore SSL certificate warnings
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2014-12-04 23:24 PST by fn84b
Modified: 2014-12-06 00:38 PST
Description fn84b 2014-12-04 23:24:17 PST
I suggest that Safari always disallow users from ignoring certificate errors. Two reasons:

1. Lots of people ignore warnings when they face real MITM attacks, and not all websites are able to use HSTS.

2. I see there are no good reasons to ignore certificate errors. If the servers are misconfigured, they should get the certificate issue fixed, rather than telling users to ignore warnings. Also, even if users know the servers are using invalid (e.g. self-signed) certificates, they have no way to determine if the presented certificates are real self-signed certificates or signed by MITM. Also, they can import the self-signed certificates into the OS trust store, if they are testing their own websites or they have other ways to verify the certificates.

Also, IE 11 on Windows 10 Preview already prevents users from clicking through certificate errors (you can try it on RemoteIE https://remote.modern.ie).

See also: https://code.google.com/p/chromium/issues/detail?id=439352 (Chrome)
https://bugzilla.mozilla.org/show_bug.cgi?id=1107804 (Firefox)
Comment 1 Alexey Proskuryakov 2014-12-06 00:38:19 PST
Thank you for the suggestion!

What you describe is a Safari feature, not a WebKit one. We only track WebKit issues here in Bugzilla. 

Please contact Apple by filing a bug at bugreport.apple.com.