Comment 16 for bug 332176
Revision history for this message
|
|
#16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; it; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; it; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
This bug was reported in launchpad
https:/
Firefox doesn't warn the user if SSL certificate doesn't include OCSP extension. I think this is a high security issue for the user as, if the site he is visiting is protected by a SSL certificate that doesn't include this extension he cannot know if the certificate is valid (It could have been revoked but the browser, if OCSP protocol is anabled, cannot contact the OCSP server of the certification authority), or rather, he will think that the connection is safe (and this is worse!).
I think this bug, together the fact that only Firefox (that has maybe 20% of the browser market) has OCSP protocol enabled by default (MS Internet Explorer enables this only in Vista while Apple Safari doesn't enable it by default) makes world SSL connections virtually unsure.
Reproducible: Always