Epiphany 3.14 will block untrusted TLS connections

Hi distributors (and Epiphany users),

Epiphany beginning in 3.14 will block TLS connections from sites with
untrusted TLS certificates. We're doing this the same way as other major
browsers: we'll display a warning message to the user if the main
connection is untrusted (with a button to bypass the warning), and if
other connections are untrusted then we block them completely. For
example, if a site's CSS is untrusted, it will be blocked and the page
will not display properly.

Although we are handling verification failures the same way as other
major browsers, different browsers have different approaches to
certificate verification. We've received some complaints from users that
the new version of Epiphany is unable to display certain sites properly,
which have been traced back to certificate verification failures. There
are various distinct causes of these complaints. Since these bugs make
Epiphany seem like a bad browser to users, we'd appreciate it if you
carefully consider the impact of these issues when packaging GNOME 3.14.

1) Debian and Ubuntu-based distros are affected by a packaging bug in
Debian's ca-certificates package that results in some root certificates
being improperly disabled. [1] Needless to say, this is very bad. The
bug only affects users who upgrade between certain releases of the
package, so please consider if this bug could have affected your users.
If so, please either implement an automatic fix for the issue, or
attempt to notify users so that it can be fixed manually. Even if your
distro is not a Debian derivative, please check to ensure your
ca-certificates package is not based on Debian's if it has an
update-ca-certificates script.

2) The latest upstream version of ca-certificates removes several root
certs with 1024-bit RSA keys, even though valid certificates issued by
those certs are still in use [2]. Fedora 21 already has the latest
version of ca-certificates, and it has broken popular web sites,
including as amazon.com and kickstarter.com, in Epiphany. Please
consider delaying any planned update of this package for a few months,
until the fallout [3] has passed. Distros shipping GNOME 3.14 should
strongly consider sticking with the previous release of ca-certificates,
from March 2014.

3) Make sure to package glib-networking 2.42 for an important
certificate verification fix [4].


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]