midori

There aren't many NORMAL sites using self signed certificates. Moreover, it's duplicated, there is a solution already and severity should be LOW.

I broke it up into two separate issues.

1. http://www.twotoasts.de/bugs/index.php?do=details&task_id=35 deals with the https sites not being accessible via the address bar by default.
2. This bug deals with the lack of a self-signed warning.

Self-signed certificates are occasionally used on sites. We shouldn't ignore them because they aren't used often. Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know.

And as I stated in the other bug report, the presented solution isn't viable.

"Also, when a client gets a site that looks like their bank login, and has a self-signed cert, they should know."

Yes, this is the security problem.

Furthermore there are many private sites, that are using self signed certificates. For example, I'm using one on my dyndns.org homepage, too.

Unfortunately I don't think Midori can currently do anything in that regard. I do agree it is somewhat important.

Provided that this change is made eventually, I'd like to take this opportunity to humbly request that such functionality be configurable. That is to say that I work at a web host and have to deal with over 9000 cpanel boxes a day, the great majority of which have self-signed certs for that interface, and thusly necessitates the ability to disable the self-signed check.

I second the request, it is an important issue that needs to be dealt with.

Imho this is a more generic task, like “support SSL”. What is needed is the architecture to display and manage SSL certificates (clients and CA), as well as the display of SSL warnings.

And indeed, the implementation should be “wise” to be secure enough and not bother people too much (and yeah, I think it might be hard).

As a first step in the direction, Midori git now colours the address entry in yellow if a secure location has a verifiable, known certificate and it colours the entry in red if the certificate is not verifiable, including self-signed certificates. In addition, on the right side an 'authentication' or 'question' icon is shown; the icons are a makeshift until Midori ships proper icons, which I didn't look into yet.
If for any reason no certificate file is found, a warning is printed.
This feature requires WebKitGTK+1.1.14 and libSoup is 2.29.91. With older versions, Midori will continue to not verify at all.

Note: we can't show any details about certificates right now, unless someone is willing to look into manually parsing certificate data. libSoup doesn't currently provide any details.

I disagree. One of the many reasons I quit using firefox was due to them wanting to help police my web. How many indy startups need a browser giving a warning to a user ? Would a warning say come on in or would it tell the end-user beware... and would that end-user feel safe in the end result of this "warning" ? The answer is no and that would affect said business, startup, blog, etc..

kenneth: Yes, the way Firefox does it is annoying, but you should learn what the intention of SSL is and how it works. It is useless without notifiyng the user when a certificate is not trusted.

Yeah, midori should display the warning the first time and alert the user, and then remember which certificate was used. It's important to warn the user if it changes, and maybe inform that it's a self signed one later, but no need to warn him everytime.