Setting to Ignore Invalid/Missing SSL Certificates
-
During software development we very often encounter browsers insisting that we don't go ahead loading a page in our own dev/stage/qa boxes site just because no one bothers to update certs in these servers, which is just internal corporate IT.
I didn't bother searching for an addon as I don't like cluttering my browser, but can we have Vivaldi be flexible about this and make this a setting?
It could either be a setting or go by the fact that when someone uses localhost or an ip or 'qa' etc. instead of a registered domain, the user knows what he is doing, and ignore cert errors?
Or maybe come up with a better auto-algorithm (I didn't have time to think one up)
(@LonM already pointed out a CL argument, maybe use this as an experiment or feature?)
Better still would be just a pop-up that occurs for invalid cert sites that auto-vanishes, followed up by something more noticeable than a broken lock, like a yellow address bar.
I would like to have just one shortcut to V, instead of another just for dev mode.
-
Chromium core is pretty rough on "invalid" things.
But this option probably should be placed (if possible) in vivaldi://experiments and not as a Vivaldi setting.
Bypassing security could lead to issues for most users, so it shouldn't be exposed too much in the settings UI.
-
Not a Vivaldi solution, but could you use Let's Encrypt to generate free certificates on the fly?
-
@hadden89 I agree !
-
@lonm The issue is not with us having to gen' them (which may work for local), but rather us accessing remote servers where we don't have the powers to install. But thanks for the link, I will try it out.
-
@rojaviv I know the feeling. I frequently have to deal with a server that doesn't even have an SSL/TLS certificate. That's going to be just as difficult to deal with in due time.
I did find this for chrome, it should work with Vivaldi (if chrome hasn't changed anything since then, I can't test it right now). Launch vivaldi using
vivaldi.exe --ignore-certificate-errors
-
@lonm Awesome! That was a neat find! Now I can switch back to the short URL mode. Thanks!
-
Still good to have an option for this though. I would prefer to be warned first, but with an option to ignore the warning.
-
@pesala A simple accept always/anywhere would break security for all non-special sites in the same session.
@rojaviv this feature seems to be dangerous enough to force experienced developers (all others should be kept away from this anyway) to maintain a whitelist with specific single assignments: broken certificate → allowed site. Maybe even force the user to import them manually for each site.
If a user does not know how to do that, should he really be allowed to mess with certificate settings at all?
-
@becm I thought about the white list, but that would also be a pain to maintain (but of course be a last resort) when new servers are being reached (but something like the Add Web Site in Incognito-Filter could be done)
"Maybe even force the user to import them manually for each site." I'm no SSL expert, but can we really spoof certificates for a remote site we have no admin access to ?? Wouldn't that break the entire 'net ??
-
@rojaviv You probably could if you messed with the root certificates stored on your device, but that's a can of worms you probably don't want to open.
-
@lonm Meh...no way would I want to hack my box just to get this convenience
-
@rojaviv which error in a certificate to ignore (root cert / hostname) is solely decided by the client software.
As long as nobody publishes the private key, the approach to use a business internal root cert is actually more secure than anything the browser does on a regular basis.
Every CA in the browser trust store can issue a perfectly valid cert for your dev sites as well (yes, the entire net is broken in this regard). The hostname/cert mismatch is a problem many production sites have as well.
@pesala @Hadden89 Some dev/test environments use the main company frontend server (regularly secured) with 3rd party includes from development locations (split DNS, same hostnames), so a simple on/off switch or visual indication for the top level site would not be very effective.
-
For a self-contained hacky workaround, I would set up a local transparent proxy for each internal website.
E.g. with Caddy:
https://localhost:1443 { # or even set up a nickname in your hosts file, then add it here after a comma e.g. https://service1.local:1443
    tls ../cert.pem ../key.pem
    # tls self_signed # alternatively, Vivaldi allows you to trust problematic localhost certs automatically (--allow-insecure-localhost)
    proxy / https://service1/ {
        transparent
        websocket
        insecure_skip_verify # this tells the Caddy proxy to ignore the website cert problems, and proxy it regardless
    }
    gzip
    log ./access1.log
    errors ./error1.log
}
https://localhost:2443 {
    tls self_signed
    proxy / https://service2/ {
        transparent
        websocket
        insecure_skip_verify
    }
}
# …
-
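Added example, not written by any poster in this thread: a small audit script that reports where the settings discussed above are in use, namely the `--ignore-certificate-errors` and `--allow-insecure-localhost` browser switches and the `insecure_skip_verify` option in a Caddy proxy block. The sample command lines, the install path and the sample Caddyfile are constructed, and the parser assumes the simple site/proxy block layout used in the post above.

```python
import re
import shlex

# Settings named in this thread that switch certificate validation off.
BROWSER_SWITCHES = ("--ignore-certificate-errors", "--allow-insecure-localhost")

def audit_command_line(cmdline):
    """Return the validation-weakening switches present in one command line."""
    hits = []
    # posix=False keeps Windows backslashes and quoted paths intact.
    for arg in shlex.split(cmdline, posix=False):
        name = arg.strip('"').split("=", 1)[0].lower()
        if name in BROWSER_SWITCHES and name not in hits:
            hits.append(name)
    return hits

def audit_caddyfile(text):
    """Return (site, upstream) for each proxy block that skips upstream checks."""
    findings, site, upstream, depth = [], None, None, 0
    for raw in text.splitlines():
        words = re.sub(r"(^|\s)#.*$", "", raw).split()  # drop comments
        if not words:
            continue
        if words[-1] == "{":
            if depth == 0:
                site = " ".join(words[:-1])
            elif depth == 1 and words[0] == "proxy" and len(words) > 3:
                upstream = words[2]
            depth += 1
        elif words[0] == "}":
            depth -= 1
            if depth < 2:
                upstream = None
        elif depth == 2 and upstream and words[0] == "insecure_skip_verify":
            findings.append((site, upstream))
    return findings

# Constructed sample input, modelled on the command and Caddyfile in the thread.
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Vivaldi\vivaldi.exe" --ignore-certificate-errors',
    r'"C:\Program Files\Vivaldi\vivaldi.exe" --incognito',
]
SAMPLE_CADDYFILE = """\
https://localhost:1443 {
  proxy / https://service1/ {
    insecure_skip_verify  # upstream certificate is not checked
  }
}
"""
print([audit_command_line(p) for p in SAMPLE_PROCESSES], audit_caddyfile(SAMPLE_CADDYFILE))
```

A commented-out `# insecure_skip_verify` line is not reported, because comments are stripped before the directive is matched.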
@lonm This still works! Thank you!
-
@dpierce618 not work @LonM
-