RESOLVED INVALID Bug 139292
Do not allow users to ignore SSL certificate warnings
https://bugs.webkit.org/show_bug.cgi?id=139292
fn84b
Reported 2014-12-04 23:24:17 PST
I suggest that Safari always disallow users from ignoring certificate errors. Two reasons:

1. Lots of people ignore warnings when they face real MITM attacks, and not all websites are able to use HSTS.
2. I see there are no good reasons to ignore certificate errors. If the servers are misconfigured, they should get the certificate issue fixed, rather than telling users to ignore warnings. Also, even if users know the servers are using invalid (e.g. self-signed) certificates, they have no way to determine if the presented certificates are real self-signed certificates or signed by MITM. Also, they can import the self-signed certificates into the OS trust store, if they are testing their own websites or they have other ways to verify the certificates.

Also, IE 11 on Windows 10 Preview already prevents users from clicking through certificate errors (you can try it on RemoteIE https://remote.modern.ie).

See also:
https://code.google.com/p/chromium/issues/detail?id=439352 (Chrome)
https://bugzilla.mozilla.org/show_bug.cgi?id=1107804 (Firefox)
Alexey Proskuryakov
Comment 1 2014-12-06 00:38:19 PST
Thank you for the suggestion! What you describe is a Safari feature, not a WebKit one. We only track WebKit issues here in Bugzilla. Please contact Apple by filing a bug at bugreport.apple.com.