It’s a complete failure of infosec-meets-user-psychology that “this TLS certificate is issued for your bank and the server is sneaky hackerman dot com” and “this otherwise valid certificate expired a day ago” have the EXACT SAME USER EXPERIENCE.
@Quinnypig I've been thinking about this a lot recently LOL. Since when do cert expirations regularly relate to a security problem or the site/vendor not being eligible to get new certs? Browsers seriously need to handle these OpenSSL errors differently. It seems like OpenSSL does have a bit of a "secure | there are errors" binary, but it's not like the errors are opaque to the program...
@aikensource @Quinnypig I don't think any browsers use openssl now. The point is valid tho.
@rsalz dang it, you're completely right! I checked out the library dependencies for Chromium and Firefox, and they both use Mozilla's NSS, which is a comprehensive implementation of the same libraries as OpenSSL and more. TIL.
@aikensource Chromium uses BoringSSL. Maybe it uses NSS for some PKI code; I'm not sure.
@rsalz I saw that NSS is a Chromium dependency; my ignorance is showing tho
@aikensource They used to use NSS for the PKIX stuff (cert validation, etc.) and maybe they still do.