TLS validation support

#1 Post by xeon » 2018-09-01 09:12

Hello,

I was just wondering if your stance on not using the CA system in FileZilla Client has changed at all? Now that places like Let's Encrypt provide free certificates, and with all CAs now having to support Certificate Transparency, it seems like it would be a good idea to support the CA system rather than TOFU.

It seems unreasonable to expect users that probably know very little (more than likely nothing) about TLS to manually validate fingerprints. I also don't know of a single hosting provider that publishes or provides their fingerprints to compare against in the first place. It seems to me like this would just make people blindly click past any warnings and have no reasonable way of knowing if they were presented with the right certificate, whereas implementing validation via the CA system would at least provide some reasonable level of assurance without manual validation being needed.

At the very least, I think it would be nice to support validation for Let's Encrypt certificates, if you're not wanting to trust a large number of CAs.

Thanks
