n0u355lo
Making moves
Status: New idea

When connecting to a site, a lot of the TLS logic is in the background and not visible to the user. Mozilla should implement a policy that going forward, all TLS insights should be easily available to the user, and the browser shouldn't make any TLS operations that can't be verified.

For example a user can never know if a site passed the CRLite check correctly. Was the OCSP live check passed? Was there a stapled OCSP response? This should be included in the security info pop-up from the address bar and should include the following info:

status of all checks:
- CRLite
- Certificate Transparency log
- live OCSP (online CA check)
- stapled OCSP response

other relevant info:
- HSTS (and where this policy came from, i.e. from the first visit or a preloaded list)
- Public Key Pinning
- any relevant DNS records that involve security

This would fix issues like the following:
Why are some revoked certificates being allowed?
- https://revoked-isrgrootx1.letsencrypt.org/
- https://revoked.badssl.com/
(are both allowed when live OCSP checks fail or are disabled, but it is not obvious to the user that any checks failed - and presumably these certificates were not revoked with a CRL)

- https://revoked.grc.com/
is correctly revoked even with a disabled live OCSP check (presumably because it is revoked with a CRL checked by CRLite? - again the user has no idea)
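
Added example, not part of the original post: until the browser surfaces this, the stapled-OCSP item from the list above can be checked outside the browser by reading what `openssl s_client -status` prints. The function names `classify_staple` and `check_host` and the sample outputs are constructed for illustration.

```shell
# classify_staple: read `openssl s_client -status` output on stdin and print
# one verdict: no-staple, staple-good, staple-revoked, staple-unknown,
# staple-error (responder returned a non-successful status), or unknown.
classify_staple() {
    awk '
        /OCSP response: no response sent/        { verdict = "no-staple" }
        /OCSP Response Status:/ && !/successful/ { verdict = "staple-error" }
        /Cert Status:/ && verdict == ""          { verdict = "staple-" $3 }
        END { print (verdict == "" ? "unknown" : verdict) }
    '
}

# check_host: fetch the handshake status for a host (needs network access).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Constructed sample outputs, trimmed to the lines the classifier reads.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT'

SAMPLE_REVOKED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2024 GMT'

printf '%s\n' "$SAMPLE_NONE"    | classify_staple
printf '%s\n' "$SAMPLE_GOOD"    | classify_staple
printf '%s\n' "$SAMPLE_REVOKED" | classify_staple
```

A `no-staple` verdict means the client has to rely on a live OCSP query or CRLite for revocation, which is the case where the post observes revoked certificates being accepted when the live check fails or is disabled.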

1 Comment
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.