Where is Epiphany's certificate store?

mlinfoot
When I visit this site, https://stream1.fxxy.net/, in Google Chrome or Firefox I am connected and see that it's recognized as a secure site with a valid security certificate verified by COMODO RSA Domain Validation Secure Server CA. However, visiting the same URL with Epiphany 3.24.1, the connection is blocked with an error message: "This Connection is Not Secure" and "This website's identification was not issued by a trusted organization." I suspect Epiphany is using a different certificate store than Chrome or Firefox, but I've been unable to locate it to add the Comodo certificate.

I tried to install the certificate following the instructions here: https://help.gnome.org/users/epiphany/stable/cert.html.en but it fails with " p11-kit: no configured writable location to store anchors".

I tried to set up a pointer in the Epiphany certificate db which would refer to the gnome-keyring certificate/key store following the instructions here (modified for my Ubuntu 17.04 system): https://wiki.gnome.org/Projects/GnomeKeyring/ApplicationSetup but this has had no effect. I've confirmed that the Comodo certificate is contained in the gnome-keyring.

Can anyone tell me where the Epiphany certificate store resides in Ubuntu Gnome, or if it's using the system store, why it's not recognizing the Comodo certificate as a valid certificate? Any help would be appreciated.

Re: Where is Epiphany's certificate store?

Michael Catanzaro-2
Hi,

Epiphany uses your operating system's trust store, which is stored in a
distribution-specific location and is usually difficult to *correctly*
edit by hand. p11-kit is the best way to add additional certificates.
If p11-kit is broken on your operating system, then you can look up
distribution-specific documentation on how to edit your trust store
manually. But you really never want to do this.

Now, Epiphany is correct to block access to that website, because it
failed to send the required intermediate certificate. Firefox and
Chrome are both *arguably* wrong to display that website. They use NSS
for certificate verification, and the NSS developers have foolishly
decided that it's beneficial to cache intermediate certificates for use
in future certificate verification in order to reduce certificate
errors for users. I call this nondeterministic certificate
verification, and it is a really bad idea. Well, it was probably a good
idea 10 years ago, but the web is a different place nowadays. Today it
has no benefit and just results in developers not realizing their
websites are broken. WebKit does not cache certs and I'm strongly
opposed to it ever doing so. For more information on this problem you
can read this blog post:

https://blogs.gnome.org/mcatanzaro/2015/01/30/mozilla-is-responsible-for-the-redhat-corpmerchandise-com-fiasco/

If you try running `gnutls-cli stream1.fxxy.net` you'll notice it's
broken in exactly the same way as the website in that blog post.

Michael

_______________________________________________
epiphany-list mailing list
[hidden email]
https://mail.gnome.org/mailman/listinfo/epiphany-list
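As an added illustration (not code from the thread or from Epiphany/WebKit), here is a small Python model of why the two browsers disagree: chain building against the OS trust store with only what the server sends, versus the NSS-style behaviour of also consulting intermediates remembered from earlier visits. All certificate names are constructed.

```python
# Added illustration, not the thread's code; certificate names are constructed.
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA"}
INTERMEDIATE = {"subject": "Example DV Issuing CA", "issuer": "Example Root CA"}
LEAF = {"subject": "stream1.example.net", "issuer": "Example DV Issuing CA"}
OTHER_LEAF = {"subject": "good.example.org", "issuer": "Example DV Issuing CA"}


def build_chain(leaf, presented, trust_anchors, cache=()):
    """Walk from the leaf up to a trust anchor using only what is at hand.

    presented: certificates the server sent alongside the leaf.
    trust_anchors: the OS trust store (what Epiphany/WebKit consults).
    cache: intermediates remembered from earlier sessions; empty for a
    deterministic verifier. Returns the chain of subjects, or None on a gap.
    """
    by_subject = {c["subject"]: c for c in list(presented) + list(cache)}
    anchors = {c["subject"] for c in trust_anchors}
    chain, current, seen = [leaf["subject"]], leaf, set()
    while current["issuer"] not in anchors:
        issuer = current["issuer"]
        if issuer in seen or issuer not in by_subject:
            return None  # the issuing intermediate is nowhere to be found
        seen.add(issuer)
        current = by_subject[issuer]
        chain.append(current["subject"])
    chain.append(current["issuer"])
    return chain


def verify_like_webkit(leaf, presented, trust_anchors):
    """Deterministic: the server's own handshake must be self-sufficient."""
    return build_chain(leaf, presented, trust_anchors) is not None


def visits_like_nss(visits, trust_anchors):
    """Simplified NSS model: every intermediate seen is remembered, so the
    result for a site depends on what was visited earlier, not only on what
    that site sends. Returns one True/False per (leaf, presented) visit."""
    cache, outcomes = {}, []
    for leaf, presented in visits:
        ok = build_chain(leaf, presented, trust_anchors, cache.values())
        outcomes.append(ok is not None)
        for cert in presented:
            cache[cert["subject"]] = cert
    return outcomes


if __name__ == "__main__":
    print("WebKit, intermediate missing:", verify_like_webkit(LEAF, [], [ROOT]))
    print("NSS, good site first:", visits_like_nss([(OTHER_LEAF, [INTERMEDIATE]), (LEAF, [])], [ROOT]))
```

The same server (LEAF with nothing else presented) fails the deterministic check every time, but passes in the NSS model as soon as any earlier visit has supplied the intermediate.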
Re: Where is Epiphany's certificate store?

Michael Catanzaro-2
In reply to this post by mlinfoot
On Sun, Apr 23, 2017 at 11:45 AM, mlinfoot <[hidden email]> wrote:
> I tried to set up a pointer in the Epiphany certificate db which
> would refer to the gnome-keyring certificate/key store following the
> instructions here (modified for my Ubuntu 17.04 system):
> https://wiki.gnome.org/Projects/GnomeKeyring/ApplicationSetup but
> this has had no effect. I've confirmed that the Comodo certificate is
> contained in the gnome-keyring.

I've added a warning to this wiki page to mention that it's super
outdated. It looks like gnome-keyring had some NSS integration at one
point, or maybe still does, but Epiphany has not used NSS in about 10
years.

Michael

Re: Where is Epiphany's certificate store?

mlinfoot
Michael, thank you for the explanation. The situation makes a lot more sense now; permissive vs strictly conforming. 

I appreciate the work you've done and I enjoy using Epiphany. Is there any way I can "tell" Epiphany that this is an exception and to trust the site regardless of its certificate? 
--

marshal

Re: Where is Epiphany's certificate store?

Michael Catanzaro-2
On Sun, Apr 23, 2017 at 1:48 PM, mlinfoot <[hidden email]> wrote:
> Michael, thank you for the explanation. The situation makes a lot
> more sense now; permissive vs strictly conforming.
>
> I appreciate the work you've done and I enjoy using Epiphany. Is
> there any way I can "tell" Epiphany that this is an exception and to
> trust the site regardless of its certificate?

No, there's no way to do this aside from using the Load Anyway button each
time you visit the website. Sorry.

Michael

Re: Where is Epiphany's certificate store?

mlinfoot
Thanks again for your timely response. It seems I'll have to use Firefox or Chrome for that link because it's accessed via Javascript on another site and I never see the error page, it simply hangs. That's life on the wild Internet :)

All the best...

--

marshal