[Users] Weird certificate update popups
Slavko
linux at slavino.sk
Wed Feb 19 16:07:21 UTC 2025
On 19 February 2025 13:44:50 UTC, Michael Schwendt <bugs.michael at gmx.net> wrote:
>On Wed, 19 Feb 2025 12:42:50 +0000, Slavko wrote:
>
>> I am not aware of any requirements in TLS that all certificates
>> (for all IPs of the same name) have to be equal. Can you point
>> me?
>
>The more certs, the more often your users would be involved in verifying
>cert changes and renewals. Unless you want them to ignore that. It's also
>the reason why Claws Mail doesn't store more than one cert per hostname:port
>by default (but can be configured to do that via a hidden option and/or Clawsker).
Are you aware that Let's Encrypt announced support for certificates
valid for 6 days? I am sure that there will be many security "experts"
who will use them all over the world... Even 3-month certs (refreshed every
second by default) are too often for manual checking, as it will end
with blind confirmation (sooner or later).
Checking certificate validity is not a task for people; many of them
do not know what a certificate is, and most of the rest don't know
how to properly validate it. Checking its subject/SANs is not sufficient,
and checking its fingerprint is not easy (too long) and mostly not
secure (compare it with what?).
If one has special requirements for securing communication, he
(she) often knows why, how and what. But common people?
In other words, a manual certificate check is mostly a false feeling of
security.
regards
--
Slavko
https://www.slavino.sk/
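The point made above, that per-renewal fingerprint checks turn into noise, as an added Go example that is not from this thread or from Claws Mail: it issues constructed self-signed certificates with the 6-day lifetime mentioned in the message and contrasts the whole-certificate fingerprint a popup shows with an SPKI pin, which only moves when the server key itself changes. The host name, serials and dates are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// must panics on error so the example stays short; a real client would report the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates a P-256 server key (constructed test material, not a real server key).
func NewKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// Issue self-signs a cert for host valid for the given days, standing in for one CA renewal; serial changes per reissue.
func Issue(host string, key *ecdsa.PrivateKey, serial int64, notBefore time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// CertFingerprint is what the popup shows: SHA-256 over the whole DER cert, new on every reissue.
func CertFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SPKIPin hashes only the SubjectPublicKeyInfo, so it changes only when the server key changes.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
```

Two consecutive 6-day renewals with the same key give two different fingerprints but one SPKI pin; a client that asks the user only when the pin moves asks about the event that actually matters.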