Comments (13)
Could probably also do:
- Invalid fingerprint
- Missing required client certificate
- Incorrect key usage (ie, lacks keyEncipherment or serverAuth)
- Presumably you mean a revoked certificate, with OCSP / CT? If not, a certificate for revoked.badssl.com that has been revoked would be a nice demo.
Also, in addition to something like not.badssl.com (which is hilarious), it'd be neat to have a bleedingedge.badssl.com (ie, TLS 1.2, ECDHE, ECDSA, AEADs only).
from badssl.com.
weak DH would be great... but you'd probably need separate ones for 512-bit and 1024-bit (and maybe 768 as well).
Weak DH should be really easy to do, but I'm a bit worried about having too large of a pull request for lgarron to deal with. O_o
I think 768 is probably overkill -- I imagine most clients either treat it like 512 or treat it like 1024. Shall we call it broken-diffie-hellman.badssl.com and weak-diffie-hellman.badssl.com?
> I think 768 is probably overkill -- I imagine most clients either treat it like 512 or treat it like 1024. Shall we call it broken-diffie-hellman.badssl.com and weak-diffie-hellman.badssl.com?
I ended up naming the ones we have dh480 and dh512 because:
- it's shorter,
- it's less subjective (the Chrome and Firefox errors for dh480.badssl.com are actually WEAK_SERVER_EPHEMERAL_DH_KEY rather than "broken"), and
- even the OpenSSL source uses this abbreviation convention.
However, this makes it easy to include dh768. If there are any clients that behave differently with dh768, I think it would be worth including.
I've split everything from this issue into individual issues. The first post has been updated with links to the issues.
IIRC, Safari was the only browser to even have the slightest frowny at dh512; I imagine its behavior changes at dh1024, but I will check when I get a chance.
Safari don't give me no frowney. :-(
Anyhow, it seems there might be more conversation to be had on DH, so I've made issue #35.
Weird, it looks like a regression in 10.10. I'm still on 10.9 over here:
http://i.imgur.com/hvAO3Bn.png
The red lock on your screenshot is probably the favicon. :-P
(I don't see anything else frowny, but then I'm zooming and panning on mobile.)
On Fri, May 15, 2015 at 20:13 April King [email protected] wrote:
> Weird, it looks like a regression in 10.10. I'm still on 10.9 over here:
> http://i.imgur.com/hvAO3Bn.png
That's the favicon? How embarrassing! I thought they all hid the favicon over https for this very reason. Looks like from your screenshot that they changed that behavior in 10.10.
Okay, so then no browser manufacturers alert for 512-bit DH keys. The only people that seem to actually be on top of it are the Qualys folks:
https://www.ssllabs.com/ssltest/analyze.html?d=dh512.badssl.com
... who rightly give dh512.badssl.com a failing grade.
> That's the favicon? How embarrassing! I thought they all hid the favicon over https for this very reason.
No. No browser hides the favicon.
FYI, that's even a technique that can be used in SSL stripping attacks to trick the user into believing they are using HTTPS.
> No. No browser hides the favicon.
While SSL stripping and favicon manipulation are definitely worrisome tricks, I hope you'll concede that Safari does hide the favicon while you're not editing the URL bar, as in the screenshot above. ;-)
Okay, okay. 😃
But I doubt that it shows the favicon on http:// connections...