
One thing that shocks me about this is the browser responses. Opera would not allow me to visit the sites affected, citing a revoked cert and possible attack. While I appreciate the warning, it was odd to see the site fully disabled.

Safari on the other hand silently failed the https auth and served the page regardless. Concerning behavior for a revoked cert.

That might depend on the specific Safari version. I am using Safari 10 on macOS Sierra, and it would not allow me to access any site using one of the affected certs: instead it would just serve an error page.


I think that was more because of the site, not the certificate - the grey failure page would appear for sites that use HSTS[0]. If the site didn't use HSTS or if you visited it for the first time, you'd get an ordinary certificate error alert.

[0] https://en.wikipedia.org/wiki/HSTS


It baffles me why all browsers pretend that https with an untrusted certificate is worse than plain http.


I think because with plain http there should be no illusion of security.


Do you mean "we expect people not to have an illusion of security" or "we would want people not to have an illusion of security"?

I posit that this actually creates an illusion that http is better than "insecure" https.


Possibly your Safari had already cached an 'ok' result for the intermediate?


The OS already has an OCSP cache.


The cert wasn't revoked though, just the cross signed intermediate.
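The distinction in the comment above (leaf certificate fine, cross-signed intermediate revoked) is exactly the case a relying party misses if it only checks the end-entity certificate. The following is an added example, not code from this thread; it assumes the `cryptography` package and builds a small constructed PKI (root, cross-signed intermediate, leaf) with a root-issued CRL listing the intermediate's serial. The names `build_demo_pki` and `revoked_subjects` are this example's own. The checker walks the whole chain and verifies each CRL's signature under the issuer's key before trusting it.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(cn, issuer_name, issuer_key, public_key, is_ca):
    """Sign a certificate for `public_key` under `issuer_key` (constructed demo PKI)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_pki():
    """Return (chain, crls): leaf -> cross-signed intermediate -> root, plus one CRL.

    The CRL is issued by the root and lists the intermediate's serial, mimicking the
    situation in the thread: the leaf itself is fine, its cross-signed issuer is not.
    All keys and names here are constructed for the demo.
    """
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _issue("Demo Root", _name("Demo Root"), root_key, root_key.public_key(), True)
    inter = _issue("Demo Cross-Signed Intermediate", root.subject, root_key, inter_key.public_key(), True)
    leaf = _issue("example.test", inter.subject, inter_key, leaf_key.public_key(), False)

    now = datetime.now(timezone.utc)
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(root.subject)
        .last_update(now)
        .next_update(now + timedelta(days=7))
        .add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(inter.serial_number)
            .revocation_date(now)
            .build()
        )
        .sign(root_key, hashes.SHA256())
    )
    return [leaf, inter, root], [crl]


def revoked_subjects(chain, crls):
    """Check every certificate in `chain` (leaf first) against its issuer's CRL.

    For each cert the issuer is the next element of the chain. Only CRLs whose
    issuer name matches and whose signature verifies under the issuer's public key
    are consulted. Returns the common names of revoked certs; an empty list means
    no certificate in the path appears on a trusted CRL.
    """
    revoked = []
    for cert, issuer in zip(chain, chain[1:]):
        for crl in crls:
            if crl.issuer != issuer.subject:
                continue
            if not crl.is_signature_valid(issuer.public_key()):
                continue
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
                cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
                revoked.append(cn)
    return revoked


if __name__ == "__main__":
    chain, crls = build_demo_pki()
    # Full-chain check flags the intermediate; a leaf-only check (chain[:2]) sees nothing.
    print("revoked in chain:", revoked_subjects(chain, crls))
    print("leaf-only check:", revoked_subjects(chain[:2], crls))
```

Passing only `chain[:2]` (leaf plus its issuer) checks the leaf against CRLs issued by the intermediate and finds nothing, which is the blind spot the thread is describing: the leaf's own status is clean, so a client that stops there accepts a path through a revoked issuer.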