On Wednesday, October 05 2011, Francesco Poli wrote:

> On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
>
> [...]
>> Go to https://turtle.libre.fm/
>> (this site has an expired SSL certificate, and it is issued to another domain).
>> 
>> The address bar in Midori will go red, yes, but there is no way to see what is
>> wrong.
> [...]
>
> I would like to add a little more information.
>
> As noted in the upstream bug [1], Midori currently lacks a certificate
> manager and an accurate certificate verification mechanism.
>
> [1] https://bugs.launchpad.net/midori/+bug/706857
>
> Moreover, the color of the location bar is sometimes misleading: it
> happens that it becomes red ("Not verified"), and then, after clicking
> on the little (i) icon, it becomes yellow ("Verified and encrypted
> connection") upon reloading the page. Sometimes the opposite happens
> (a page is considered verified, but turns into non-verified after
> clicking on the little locker icon).
>
> I hope that these issues may be solved very soon.
> Midori is a nice lightweight web browser with great potential, but a
> modern browser cannot afford to lack proper SSL certificate management
> and verification!

Hi there,

I am the new maintainer for Midori on Debian, and I am inclined to close
this bug.  As far as I understood from this (very old) discussion, what
was missing was a way to identify whether a website's SSL/TLS
certificate was valid or not, and take some action based on this.

Well, Midori has been offering a way to "trust a website" if the
certificate being used is not signed/valid, which means that the
connection to the website does not happen until the user actively
chooses to continue.  While I agree that the current solution still
needs some improvement, I do believe that, as far as security is
concerned, the behavior described in this report does not exist anymore.
Another thing worth mentioning is that the upstream bug has been closed
for a while now.

I realize it has been a long time since this bug (and this package) has
received any attention, so I will wait a few days to see if anybody has
anything else to say, and then I will close the bug if nobody complains.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
