TLS validation support

jonhconstantine11
500 Command not understood
Posts: 1
Joined: 2019-09-06 03:30
First name: lima
Last name: van

TLS validation support

#1 Post by jonhconstantine11 » 2019-09-06 03:38

Hello,

I was just wondering if your stance on not using the CA system in FileZilla Client has changed at all? Now that places like Let's Encrypt provide free certificates, and with all CAs now having to support Certificate Transparency, it seems like it would be a good idea to support the CA system rather than TOFU.

It seems unreasonable to expect users that probably know very little (more than likely nothing) about TLS to manually validate fingerprints. I also don't know of a single hosting provider that publishes or provides their fingerprints to compare against in the first place. It seems to me like this would just make people blindly click past any warnings and have no reasonable way of knowing if they were presented with the right certificate, whereas implementing validation via the CA system would at least provide some reasonable level of assurance without manual validation being needed.

At the very least, I think it would be nice to support validation for Let's Encrypt certificates, if you're not wanting to trust a large number of CAs.

Thanks

botg
Site Admin
Posts: 32342
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS validation support

#2 Post by botg » 2019-09-06 06:53

As an option perhaps. Need a lot of infrastructure work first though, especially on Windows. The Windows system trust store is fundamentally tainted with AV products installing their own root certificates in order to perform MITM attacks.
