undefined | Better HN

0 pointsalcari10y ago0 comments

It's scary how easy it is to add new roots on all major platforms. You just click on the CA link and get a response with the appropriate MIME type back, then:

* Windows gives you a helpful little wizard wherein you click "next" a few times.

* Firefox gives you a dialog with 3 checkboxes; check them and click okay.

* iOS sends you to settings, and asks you if you want to trust the given CA.

* OS X hands it to Keychain Access, where you have to select 'trust' from a dropdown and maybe enter a keychain password; it's a bit less intuitive.

* Chrome uses the OS trust store, so it hands it off to the OS while claiming it's a dangerous filetype.

0 comments

kojoru10y ago

You're incorrect about Windows. If you just click next several times the cert will not be added to trusted. To do that you'll have to override default settings in a non trivial way (deselect "Choose cert store automatically" and select the correct cert store) on one of the steps

I'm sure that's intentional design

alcariOP10y ago

Maybe it changed at some point (8?), or my memory's fuzzy. I haven't looked at it in several years.

Either way, trusting a root CA generally looks far less threatening than the self-signed certificate warnings.

j / k navigate · click thread line to collapse