Hi Kevin,
On Mon, Apr 14, 2014 at 09:31:04AM -0600, Kevin Fenzi wrote:
> On Mon, 14 Apr 2014 08:50:33 +0200
> Suvayu Ali <fatkasuvayu+linux(a)gmail.com> wrote:
> >
> > I was reading about Heartbleed and the results of the cloudflare
> > challenge. The following post says, that particular server is using a
> > revoked certificate and my browser should not show the page if
> > certificate revocation is working properly.
> >
> > <https://www.cloudflarechallenge.com/heartbleed>
> >
> > Firefox with OCSP enabled shows me this message:
> >
> > Peer's Certificate has been revoked.
> > (Error code: sec_error_revoked_certificate)
> >
> > Midori however happily displays the page. A quick look tells me there
> > is no way to enable something like OCSP.
>
> Midori can use gcr, which might be able to do something here. Not sure.
> The only gcr available however is gtk3, so we can't use it in a gtk2
> midori. Once we move to webkit2 and gtk3 we can enable that...
> I can look and see if gcr can actually do this...

I was not aware of Gcr, looks interesting.

> > Can this be taken up with upstream? More importantly, I would like to
> > propose to drop midori from the spin until this is dealt with upstream
> > (even if it means larger XFCE images); after all we do not want a less
> > secure Fedora user.
> >
> > Any thoughts on this?
>
> I personally think that's way too drastic. Many other browsers out there
> don't handle revoked certs either.

That is true. I think Firefox is the only one that does it sensibly.

> Do you want to file an upstream bug on it? Or shall I?
> We should at least see where we are at...

It would be better if you could do it. I do not think I can follow up
with updates/comments reasonably quickly.
Cheers,
--
Suvayu
Open source is the future. It sets us free.