[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: could somebody work with https://formulario-mre.serpro.gov.br/sci/pages/web/pacomPasesWebInicial.jsf and get them to fix the certificate issue.



On Thu 2019-02-07 19:23:37 +0000, shirish शिरीष wrote:
> At the very least, those pages should have been translated to English
> or give some other place so people know of some workarounds rather
> than just using permanent exception.

permanent exception is a better choice than importing the brazilian
government's CA.  modern browsers like firefox and chrome grant
manually-imported CAs some significant powers that built-in CAs do not
get, such as the ability to override certificate pins or to avoid
certificate transparency requirements.

these choices are arguably to enable support for local,
explicitly-installed "enterprise TLS proxy solutions" that deliberately
MITM all your TLS traffic.  however, the result is that these local CAs
can violate some of the protections that you would otherwise want to
depend on.

safest approach (even though it's still pretty bad):

 * use a new browser profile ("firefox -ProfileManager") dedicated
   explicitly to this website
 * set an exception from that profile

 --dkg

Attachment: signature.asc
Description: PGP signature


Reply to: