Author Topic: A general Q on certificates for an embedded HTTPS server  (Read 2590 times)

Nominal Animal
Re: A general Q on certificates for an embedded HTTPS server
« Reply #25 on: April 22, 2023, 02:42:54 pm »
The last time I checked, manually added CAs were exempted in Firefox (organisations may need that for their internal chains), but no idea about the current status and other clients.
Manually added CAs (for organizations), and manually added self-signed certificates (for internal appliances and IoT things; including Azure IoT things according to Microsoft) are so common that it is extremely unlikely any major browser vendor will blacklist or disable them.

Even in the case of an exploit adding them without user intervention, the actual proper use cases are so useful to end users and organizations, that the only really acceptable solution will be to make it impossible to "silently add" certificates; including warning/prompting the user if new additional certificates are detected at profile load time.
