Permanent Certificate exceptions

Something that’s been getting really annoying is how all of the browsers have gone to trying to ‘save the users from themselves’ by removing the ability to add permanent exceptions for a site that has an ‘invalid’ certificate. If you’ve ever worked with iDRACs, vCenter or some other internal, non-public-facing device or machine that uses SSL and doesn’t REALLY need to have a ‘legit’ certificate (or can’t have a real, publicly trusted cert because it’s an internal .local domain), you probably know what I mean.

Might it be possible to enable/re-enable/create the ability to store permanent certificate exceptions like used to be possible with all browsers, or even better, that and the ability to whitelist by IP address or range, so that if the name of the machine being accessed returns an IP that’s whitelisted (or if you’re accessing directly by IP), the certificate is automatically considered safe? Even if the option to enable this was buried somewhere deep so it’s less likely to be enabled ‘by accident’, I imagine pretty much anyone in IT that routinely deals with devices like those mentioned would love for this ability to return.


Sure, you can do that, it is annoying. BUT, did you read articles about this Log4j? I think it’s a Feature to NOT have the ability to permanently add a “trusted” server without a certificate. :wink:

I’m not sure what you’re referring to - I wasn’t indicating saving a trusted server with no certificate, I was saying have a permanent exception to a self-signed certificate on a trusted server.

What’s worse is even in the case where you have an internal AD-based certification authority for your internal domain with your internal root CA certificate installed in a machine’s certificate store, every third-party browser I’ve tried will complain just the same as if it was a self-signed, untrusted certificate, which created some other issues for me. IE is happy as can be with a certificate signed by an internal AD CA, as long as that CA’s certificate is in the certificate store. Of course, IE is a dead browser at this point. But the fact that browsers ignore the machine’s certificate store in favor of their own is also a problem.

TLSA records are the way forward, we just need browsers to implement them.
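To make the TLSA suggestion in the reply above concrete, here is an added example (not code from this thread or from any browser vendor) that builds the DNS record DANE would use to pin an internal device's certificate. It parses just enough DER to pull the subjectPublicKeyInfo out of a certificate, then formats "usage selector matching-type hex" RDATA as RFC 6698 defines it; the default "3 1 1" form pins the SPKI of the end-entity certificate itself, so no CA, public or internal, is involved. The certificate it runs on is a constructed skeleton with empty issuer/subject/validity fields (it is not a real or valid X.509 certificate), and the `idrac.example.local` owner name and all function names are this example's own assumptions; on a real PEM certificate you would feed `ssl.PEM_cert_to_DER_cert(pem)` into `tlsa_rdata` instead.

```python
import hashlib

# --- minimal DER helpers (hypothetical names, written for this example) ---

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (definite-length form, short or long length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, end) where end is the offset after it."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(seq_value: bytes):
    """Split the value of a SEQUENCE into its member TLVs, each returned as (tag, full_encoding)."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, end = read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = read_tlv(cert_der)          # outer Certificate SEQUENCE
    _, tbs_body, _ = read_tlv(cert_body)          # tbsCertificate SEQUENCE
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:           # explicit [0] version tag, if present
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def matching_data(data: bytes, matching_type: int) -> str:
    """Certificate association data for a TLSA matching type (RFC 6698 section 2.1.3)."""
    if matching_type == 0:
        return data.hex()                         # exact match: the full selected data
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown TLSA matching type")


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Build TLSA presentation-format RDATA: "<usage> <selector> <matching type> <hex>".

    Defaults give "3 1 1": usage 3 (DANE-EE, the end-entity cert itself is the trust
    anchor), selector 1 (SubjectPublicKeyInfo only), matching type 1 (SHA-256).
    Selector 0 pins the whole certificate and therefore changes on every renewal.
    """
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return f"{usage} {selector} {matching_type} {matching_data(data, matching_type)}"


# --- constructed stand-in for a certificate (NOT a real or valid X.509 certificate) ---

def constructed_spki() -> bytes:
    """A syntactically plausible SPKI: rsaEncryption OID + NULL params, and a dummy BIT STRING key."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    key = der_tlv(0x03, b"\x00" + bytes(range(32)))
    return der_tlv(0x30, alg + key)


def constructed_cert(spki: bytes, with_version: bool = True) -> bytes:
    """Wrap an SPKI in the field layout of a Certificate; the other fields are empty placeholders."""
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""   # [0] version v3
    tbs += der_tlv(0x02, b"\x01")                 # serialNumber
    tbs += der_tlv(0x30, b"")                     # signature (algorithm identifier)
    tbs += der_tlv(0x30, b"")                     # issuer
    tbs += der_tlv(0x30, b"")                     # validity
    tbs += der_tlv(0x30, b"")                     # subject
    tbs += spki                                   # subjectPublicKeyInfo
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = constructed_cert(constructed_spki())
    # Owner name is a constructed example: port 443, TCP, the device's internal hostname.
    print("_443._tcp.idrac.example.local. IN TLSA", tlsa_rdata(cert))
```

The record only helps if the resolver validates DNSSEC for the zone and the client actually checks TLSA, which is exactly the gap the reply points at: a browser that does not implement DANE will still fall back to its own trust store and show the same warning.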