Quoth Charles Lehner:
> I agree. The discussion of security also got me thinking that surf
> should probably do something about HTTPS certificate verification.
>
> From the article:
>
> > Old versions of Epiphany and Midori load pages even if certificate
> > verification fails; the verification result is only used to change the
> > status of a security indicator, basically giving up your session
> > cookies to attackers.
>
> I did a quick test visiting some sites with invalid certificates:
> surf-webkit1 and surf-webkit2 load them without any notice. So I am
> currently vulnerable to MitM attacks when using surf.

You can set strictssl to TRUE in config.h to fix this behaviour (at least with the webkit1 surf; haven't looked at the webkit2 one yet).
