
State institutions being their own CA and graded with F

Question asked by j-mailor on Feb 14, 2014


Hi,

I have checked some state institutions' web sites with ssllabs.com/ssltest to see how well they have implemented the SSL protocol. One of the most interesting things is that on ssltest they are all rated F because they use a non-trusted certificate. Actually, they are using a certificate issued by a state CA that is not included in browsers as a trusted root CA.


In this case the user has to import the CA into the browser (e.g. Firefox - "I understand the risk" and add the certificate).


I know this kind of manual addition of a certificate to the browser certificate store poses an MITM risk, but it is also not expected that a state CA will be in the browser certificate store.


In my humble opinion end-users should NEVER manually import a certificate, because this is just risky and most end-users are not security experts who understand the risk. How do you think state CAs should act to stop this manual import madness?

Regards
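The situation described in the post, reproduced offline as an added example (this is not code from the original post, from Qualys or from any state CA): it builds a hypothetical private "state" root CA and a server certificate signed by it, then runs the same chain check a browser does, once against the platform's default trust store (the chain is rejected, which is what earns the "F") and once with the root explicitly trusted, which is the effect of the manual import the poster objects to. The names "Example State Root CA" and "portal.example.gov" are invented for the demo; the script needs only the openssl command-line tool.

```shell
# Added example, not part of the original post. Builds an invented "state" root CA
# and a server certificate signed by it, then verifies the chain with and without
# that root in the trust store. All names below are made up for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_state_chain() {
    # Root CA: CA:TRUE plus keyCertSign so verification accepts it as an issuer.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example State Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1

    # Server certificate request and end-entity extensions, signed by the state root.
    cat > "$WORK/srv.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = portal.example.gov
EOF
    cat > "$WORK/srv.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:portal.example.gov
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/srv.cnf" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 825 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1
}

# What a stock browser does: validate only against the platform trust store.
# Returns 0 if the chain is trusted, non-zero if not (the "not trusted" F case).
verify_against_default_store() {
    openssl verify "$WORK/srv.pem" >/dev/null 2>&1
}

# What the user's manual import does: the state root becomes an explicit trust
# anchor, so the very same chain now validates.
verify_with_imported_root() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/srv.pem" >/dev/null 2>&1
}

# Prints the issuer of the server certificate, showing who actually signed it.
issuer_of_server_cert() {
    openssl x509 -in "$WORK/srv.pem" -noout -issuer | sed 's/^issuer= *//'
}

# Stand-alone run: the chain is correct, it is only the missing trust anchor
# that makes it fail, exactly as the SSL Labs grade in the post reflects.
if make_state_chain; then
    echo "server cert issued by: $(issuer_of_server_cert)"
    if verify_against_default_store; then
        echo "chain trusted by the default store (unexpected for a private state CA)"
    else
        echo "chain NOT trusted by the default store: this is the untrusted-certificate F"
    fi
    if verify_with_imported_root; then
        echo "chain trusted once the state root is imported (the manual-import case)"
    fi
fi
```

The point worth keeping in mind when reading such a grade: nothing about the key sizes, signature algorithm or protocol configuration is wrong in this chain, and the same `openssl verify` that rejects it without `-CAfile` accepts it with one. The "F" reflects only that the issuing root is not in the verifier's store, and importing it as the poster describes is equivalent to handing every site that root signs the same trust as a public CA's root.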
