
Document password for client cert #369

Open
lgarron opened this issue Sep 25, 2018 · 8 comments

Comments

@lgarron
Collaborator

lgarron commented Sep 25, 2018

@diracdeltas ran into this.

Per 578f7a2#diff-c77ce27bee6905e8afa3b810dc48695c, the password is $DOMAIN (e.g. badssl.com in prod). We should probably document that at https://badssl.com/download/

cc @april

@april
Collaborator

april commented Sep 25, 2018

It is, right there under Password.

[Screenshot attached: "screen shot 2018-09-25 at 5 31 59 pm"]

But it could probably stand to be a little clearer on the matter.

@april
Collaborator

april commented Sep 25, 2018

Maybe make it bold? Or have a thing in the text underneath the box where it says that the password is badssl.com?

@lgarron
Collaborator Author

lgarron commented Sep 25, 2018

Oh, wow. I did totally gloss over that. :-P

Box underneath sounds a little more noticeable to me. (Maybe also format as <code>?)

@diracdeltas

Oops, my bad! I totally missed that too.

nicktimko added a commit to nicktimko/badssl.com that referenced this issue May 6, 2019
Completely overlooked it just like in chromium#369, hopefully this overkill formatting tweak can help those later.
christhompson pushed a commit that referenced this issue Jun 7, 2019
Completely overlooked it just like in #369, hopefully this overkill formatting tweak can help those later.
@christhompson
Collaborator

#385 added bold+code formatting to the passwords. We might also want to add a note underneath, so leaving this open for now.

@Quuxplusone

I agree, this was not at all obvious. There are several ways the ergonomics could be improved:

  • Use the term "passphrase" somewhere noticeable.

  • Add a sentence at the bottom of the page, below the table, that says "This .pem file is passphrase-protected. The passphrase is: xxxxx"

  • Even better: Add a new entry to the table, containing a PEM file with no passphrase protection. This will not only solve this particular problem (because there will be two entries for PEM files in the table, and the reader will thus be forced to study the other columns to figure out what the difference is); this solution will also solve unrelated problems, such as "I want to use this client cert with the Python requests library, but requests works only with client certs whose private keys are unencrypted."

  • Use a passphrase that cannot possibly be mistaken for a domain name or any other non-passphrase-related information. For example: password; the-password; hunter2; correct horse battery staple.
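
The requests point above hinges on whether the private key inside a downloaded .pem is passphrase-protected at all. The following inspector is an added example (not badssl.com's code) that classifies the PEM armor so a script can fail early instead of hanging on a passphrase prompt; the PEM fragments are constructed stand-ins, not real keys.

```python
import re

# Constructed sample PEM texts: only the armor labels and RFC 1421 headers matter here.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI...
-----END ENCRYPTED PRIVATE KEY-----
"""
CERT_AND_PLAIN_KEY = """-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUe...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ...
-----END PRIVATE KEY-----
"""

# One PEM block: label on the BEGIN line must be repeated on the END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
DEK_RE = re.compile(r"^Proc-Type: 4,ENCRYPTED\r?\n^DEK-Info: ([^,\s]+)", re.M)


def inspect_pem(text):
    """Describe a PEM bundle: certificate present, private key present,
    whether the key is passphrase-protected and which wrapping is used."""
    info = {"has_cert": False, "has_key": False, "encrypted": None, "scheme": None}
    for label, body in BLOCK_RE.findall(text):
        if label == "CERTIFICATE":
            info["has_cert"] = True
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: always passphrase-protected.
            info.update(has_key=True, encrypted=True, scheme="PKCS#8 EncryptedPrivateKeyInfo")
        elif label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL armor ("RSA PRIVATE KEY", "EC PRIVATE KEY", plain "PRIVATE KEY")
            # signals encryption only through Proc-Type/DEK-Info headers.
            m = DEK_RE.search(body)
            scheme = "legacy OpenSSL " + m.group(1) if m else "none"
            info.update(has_key=True, encrypted=m is not None, scheme=scheme)
    return info


def needs_passphrase(text):
    """True when the bundle's private key cannot be loaded without a passphrase,
    e.g. by tooling such as requests' cert=(cert_path, key_path) that expects plain keys."""
    return inspect_pem(text)["encrypted"] is True
```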

@SteveAlexander

I just spent 20 mins looking in all the wrong places for this. Pretty annoying!

And great to see that there's a great solution to the problem here!

But then annoying that this solution was figured out a year ago, but it hasn't been put onto the badssl download page yet :-(

Please someone, make the change @Quuxplusone proposed before another developer wastes a precious half hour.

Quuxplusone pushed a commit to Quuxplusone/badssl.com that referenced this issue Aug 11, 2020
… to the download page.

Partly addresses chromium#369.
Using a passphrase other than "badssl.com" for the other files would also be great,
but is a larger change, I think.
@SteveAlexander

By the way, I think the reason it's so easy to miss the password in the table on the page is that the password is "badssl.com".

The problem is, the text "badssl.com" appears on the page 6 times (7 if you include the browser's URL bar). So the mind has already been kind of trained to ignore this as redundant information — "I already know what 'badssl.com' stands for! It's the domain name! Therefore it can't be anything else."

There's probably some technical term for this in cognitive psychology.

Quuxplusone added a commit to Quuxplusone/badssl.com that referenced this issue Aug 11, 2020
… to the download page.

Partly addresses chromium#369.
Using a passphrase other than "badssl.com" for the other files would also be great,
but is a larger change, I think.
Quuxplusone added a commit to Quuxplusone/badssl.com that referenced this issue Mar 31, 2022
… to the download page.

Partly addresses chromium#369.
Using a passphrase other than "badssl.com" for the other files would also be great,
but is a larger change, I think.