W3C home > Mailing lists > Public > www-validator-css@w3.org > April 2010

Request for enhancement: better reporting for unverifiable SSL certificates

From: Bert Bos <bert@w3.org>
Date: Fri, 16 Apr 2010 11:03:39 +0200
To: www-validator-css@w3.org
Message-Id: <201004161103.39599.bert@w3.org>
When the CSS Validator cannot verify the SSL certificate of a site 
(i.e., of a URL starting with https://...), it gives a cryptic error 
message:

    I/O Error: sun.security.validator.ValidatorException: PKIX path
    building failed:
    sun.security.provider.certpath.SunCertPathBuilderException: unable
    to find valid certification path to requested target

(An example is https://magyarorszag.hu/ which uses a certificate signed 
by a Root Certification Authority, Microsec Ltd., that is unknown to 
Java. Another is https://www.phonk.net/ which uses a self-signed 
certificate.)

I'd like the validator to give a more readable error, e.g.: "The Web 
page you are trying to verify may not be secure. The certificate for 
the page is signed by a Certificate Authority that is unknown to the 
validator. The page has therefore not been validated."

And maybe it is even possible to add: "The validator can continue and 
check the style sheets of the Web page anyway, but please verify that 
the URL does not contain any sensitive information. (The fact that the 
validator cannot verify the identity of a site *may* indicate that an 
attacker is intercepting communications with the site, but in most 
cases it just means that the validator lacks information about the 
organizations that signed the certificate.)"

... with a button to continue the validation in "insecure" mode.



Bert
-- 
  Bert Bos                                ( W 3 C ) http://www.w3.org/
  http://www.w3.org/people/bos                               W3C/ERCIM
  bert@w3.org                             2004 Rt des Lucioles / BP 93
  +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France
Received on Friday, 16 April 2010 09:03:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 June 2012 00:14:26 GMT