Hey Drebs :)

On Sat, Oct 05, 2019 at 09:29 -0300, drebs wrote:
> holger krekel <holger(a)merlinux.eu> writes:
> > It's about testing TLS (Transport Layer Security) -- it works with valid
> > certificates but by default we also accept self-signed certs or "invalid
> > hostnames".
>
> I'm curious about the use case that justifies ignoring the certification
> chain. Why does deltachat need to accept invalid certificates?

There are countries/entities that do not have easy access
to valid certs. And sometimes there are just lazy sysadmins.
A self-signed cert is not all that bad as it still prevents
data collection if the collector does not also actively
meddle with TLS.

We'd soon like to refine DC's TLS acceptance behaviour and give users
choices on how to deal with TLS invalidities, maybe also a dialogue.

Also, there is a starting effort to create a "provider-db"
(see a preliminary view into the DB here: https://providers.delta.chat)
where users and scripts contribute data so that for many common sites
DC would not accept invalid certs anymore if we know that there should
be a proper one. The upcoming provider-db also serves the purpose
to better guide users through the setup process.

cheers
holger
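
The policy sketched in the message above (lenient by default, strict where a provider database says a proper certificate is expected), as an added Python example that is not part of the original message and is not Delta Chat's code. The database entries, the `strict_tls` field, the `user_strict` switch and the function names are assumptions made for illustration.

```python
import ssl

# Constructed sample entries; not data from providers.delta.chat.
# "strict_tls" is a hypothetical field meaning "this provider is known
# to serve a valid, CA-signed certificate".
PROVIDER_DB = {
    "example.org": {"strict_tls": True},
    "mail.example.net": {"strict_tls": False},
}

def lookup_provider(host, db):
    """Return the entry for host or one of its parent domains.

    Matching is done on whole DNS labels, so "notexample.org" and
    "example.org.evil.test" do not match the "example.org" entry.
    """
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare top-level label so "org" alone never matches.
    for i in range(max(1, len(labels) - 1)):
        entry = db.get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None

def is_strict(host, db=PROVIDER_DB, user_strict=False):
    """Strict if the user asked for it or the provider is known-good."""
    entry = lookup_provider(host, db)
    return user_strict or (entry is not None and entry["strict_tls"])

def tls_context_for(host, db=PROVIDER_DB, user_strict=False):
    """Build the client-side SSLContext to use when connecting to host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not is_strict(host, db, user_strict):
        # Lenient mode: traffic is encrypted but the peer is not
        # authenticated, so only a passive collector is stopped.
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for h in ("imap.example.org", "notexample.org", "mail.example.net"):
        c = tls_context_for(h)
        print(h, c.verify_mode.name, "check_hostname=%s" % c.check_hostname)
```
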