More advanced certificate management (i.e. per-domain)
'The web' is becoming more and more security-aware (paranoid, some might say) and at the same time less and less secure because of certification authorities issuing certificates for free and without real identity and authority checks. I bet I can get my hands on a certificate that will be trusted by all major browsers for a site that is not mine, based on my experience requesting a certificate for a site I was only granted some permissions for by a foundation. I am fairly sure the CA was not aware of this, yet it issued me the certificate. An article I read recently, on Ars Technica, explains some scenarios in which a MITM-like attack can be performed on a site without the clients noticing. Though it may sound somewhat unlikely, the article raises valid points about the current way certificate chains are managed. The default inclusion of some governments' root certificates also contributes to the feeling that the SSL chain trust may be compromised some day.
What I would like to have is a set of extended options for certificate management, so I can at least specify which root certificates I want to trust or don't want to trust (the inverse) for a particular (sub)domain or wildcard. For example, I protect my own site with a certificate signed by my own root CA, and with that knowledge in mind I don't want it to be possible for Opera to trust certificates signed by anyone else. Also, I think that when someone obtained a certificate somewhere, they are not very likely to switch CAs regularly, so it might also be useful to include an option to automatically trust the CA associated with some site for that site upon the first visit (meaning to not trust any other root CAs for that site). Lastly, I think it's generally a good idea to cache site certificates so the user can compare the old and new certificate once it changes, and then judge if the change is legit, i.e. the current date is near or past the expiration date of the old certificate.
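
The three behaviours requested above (per-domain root CA rules, trusting a site's CA on first visit, and comparing a changed certificate against the cached one), sketched as an added example that is not part of the original post and is not Opera code. The `PinStore` class, its method names, the 30-day renewal window and the fingerprint strings are assumptions made for illustration; a browser would take the fingerprints from the chain it has already validated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Seen:
    root_fp: str         # fingerprint of the root CA the chain ended in
    leaf_fp: str         # fingerprint of the site certificate
    not_after: datetime  # expiry of that site certificate


def matches(pattern, host):
    """Exact host match, or '*.example.org' covering any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


class PinStore:
    def __init__(self, renewal_window=timedelta(days=30)):
        self.rules = {}  # pattern -> set of root fingerprints the user allows
        self.seen = {}   # host -> Seen, cached on first visit
        self.renewal_window = renewal_window  # assumed meaning of "near expiry"

    def allow_only(self, pattern, root_fps):
        self.rules[pattern] = set(root_fps)

    def check(self, host, root_fp, leaf_fp, not_after, now):
        # 1. Explicit per-(sub)domain rule set by the user.
        for pattern, roots in self.rules.items():
            if matches(pattern, host) and root_fp not in roots:
                return "reject: root not allowed by rule"
        prev = self.seen.get(host)
        # 2. First visit: remember the root CA and the certificate.
        if prev is None:
            self.seen[host] = Seen(root_fp, leaf_fp, not_after)
            return "pinned on first visit"
        # 3. Later visits: no other root CA is trusted for this host.
        if root_fp != prev.root_fp:
            return "reject: root CA changed"
        if leaf_fp == prev.leaf_fp:
            return "ok"
        # 4. Certificate changed under the same root: plausible only
        #    near or past the old certificate's expiration date.
        if now >= prev.not_after - self.renewal_window:
            self.seen[host] = Seen(root_fp, leaf_fp, not_after)
            return "ok: renewal"
        return "warn: certificate changed early"
```

An early change leaves the cached entry untouched, so the user keeps seeing the warning until they judge the new certificate themselves.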