On Thu 2019-02-07 19:23:37 +0000, shirish शिरीष wrote: > At the very least, those pages should have been translated to English > or give some other place so people know of some workarounds rather > than just using permanent exception. permanent exception is a better choice than importing the brazilian government's CA. modern browsers like firefox and chrome grant manually-imported CAs some significant powers that built-in CAs do not get, such as the ability to override certificate pins or to avoid certificate transparency requirements. these choices are arguably to enable support for local, explicitly-installed "enterprise TLS proxy solutions" that deliberately MITM all your TLS traffic. however, the result is that these local CAs can violate some of the protections that you would otherwise want to depend on. safest approach (even though it's still pretty bad): * use a new browser profile ("firefox -ProfileManager") dedicated explicitly to this website * set an exception from that profile --dkg
Attachment:
signature.asc
Description: PGP signature