TLS validation support

Posted: 2018-09-01 09:12
by xeon

Hello,

I was just wondering if your stance on not using the CA system in FileZilla Client has changed at all? Now that places like Let's Encrypt provide free certificates, and with all CAs now having to support Certificate Transparency, it seems like it would be a good idea to support the CA system rather than TOFU.

It seems unreasonable to expect users that probably know very little (more than likely nothing) about TLS to manually validate fingerprints. I also don't know of a single hosting provider that publishes or provides their fingerprints to compare against in the first place. It seems to me like this would just make people blindly click past any warnings and have no reasonable way of knowing if they were presented with the right certificate, whereas implementing validation via the CA system would at least provide some reasonable level of assurance without manual validation being needed.

At the very least, I think it would be nice to support validation for Let's Encrypt certificates, if you're not wanting to trust a large number of CAs.

Thanks