Posted to dev@jmeter.apache.org by Philippe Mouawad <p....@ubik-ingenierie.com> on 2018/07/19 08:27:10 UTC

Increase validity duration of JMeter Root CA

Hello,
Currently:

   - proxy.cert.validity=7

This is annoying for users who must remember to add the ROOT JMeter
certificate to the browser every week.

I would suggest setting it to 1 year or at least 1 month.

Regards
Philippe

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 26 July 2018 at 17:51, Philippe Mouawad <p....@ubik-ingenierie.com> wrote:
> In this case, I let you revert code.

I see Felix has just done this - thanks.

> Regarding the incomplete analysis, please explain in private how to do that.

Done.

> Thank you
>
> On Thursday, July 26, 2018, sebb <se...@gmail.com> wrote:
>
>> On 26 July 2018 at 07:10, Philippe Mouawad <ph...@gmail.com> wrote:
>>> On Thursday, July 26, 2018, sebb <se...@gmail.com> wrote:
>>>
>>>> On 25 July 2018 at 21:14, Philippe Mouawad <ph...@gmail.com> wrote:
>>>>> Hello,
>>>>> For now I increase validity to 3 months as there is a majority that agrees.
>>>>
>>>> There is also a -1 from me.
>>>>
>>>> It is wrong to unilaterally change the default without giving the
>>>> users the chance to agree to the reduction in security.
>>>
>>> IMO, the issue was discussed and although you have a -1, there are 3 +1 and
>>> Felix looks neutral.
>>
>> Since this is a code change, my -1 is a veto.
>> That needs to be resolved.
>>
>>> From my understanding of your question to the sec team, there is nothing
>>> blocking in terms of security here.
>>>
>>>> What are your plans to alert the users to the change?
>>>
>>> I'll add a breaking change, but you can add to it also if you think you'll
>>> be clearer.
>>
>> I think the user needs to agree to the change; it should not be forced
>> upon them.
>>
>> Note the response from Srijon Das else-thread.
>>
>>>>> I guess in the future, Felix's proposal is better, but meanwhile, let's
>>>>> increase usability.
>>>>
>>>> No, that's just wrong.
>>>> Usability should not be done at the expense of security.
>>>
>>> That's not my understanding of the sec team's answer, and Milamber also
>>> confirmed the risk was nearly the same.
>>
>> I think his analysis of the risk was incomplete.
>> I think it's possible to steal the cert and the password without
>> needing shell access to the host.
>>
>>> If you think things should be better, you're welcome to propose a patch:
>>> - evolution of the templating system to allow parameters, which could be reused
>>>   anywhere, for example on test plan creation
>>> - custom dialog to ask the user for validity
>>>
>>> But the status quo is not an option IMO.
>>> Security is very important to me, as you can see from my involvement in
>>> fixing and helping on CVE report management, but when there is no real
>>> argument I don't see why usability should be affected. UX is critical for
>>> tool adoption and perennity, and it looks like the issue is a real one, as per
>>> the report from a user on this mail topic, my daily usage of JMeter and
>>> the trainings my company gives on it.
>>>
>>>>> Regards
>>>>>
>>>>> On Thu, Jul 19, 2018 at 8:11 PM, Felix Schumacher
>>>>> <felix.schumacher@internetallee.de> wrote:
>>>>>
>>>>>> Would the addition of such a message remove the need for a longer default
>>>>>> period?
>>>>>>
>>>>>> Or should we even let the user decide on generation how long it should be
>>>>>> valid? (with a short default like the seven days we currently have.)
>>>>>>
>>>>>> Felix
>>>>>>
>>>>>> On 19.07.2018 at 15:06, Philippe Mouawad wrote:
>>>>>>
>>>>>>> What ????
>>>>>>> You didn't read the manual :-) ?????
>>>>>>>
>>>>>>> Just kidding :-)
>>>>>>>
>>>>>>> Thanks for your ideas
>>>>>>>
>>>>>>> On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <sr...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I was not aware that it is a configuration.
>>>>>>>>
>>>>>>>> Usually I see a pop-up which mentions that the certificate is valid for 7
>>>>>>>> days. Maybe we could mention that changing the config proxy.cert.validity
>>>>>>>> will change the validity of the certificate.
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> See:
>>>>>>>>> http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
>>>>>>>>>
>>>>>>>>> The property is:
>>>>>>>>> proxy.cert.validity
>>>>>>>>>
>>>>>>>>> How would you like it improved?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> As a longtime jmeter user, I would like the option to decide how long my
>>>>>>>>>> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a
>>>>>>>>>> warning describing the consequences of the security vulnerabilities.
>>>>>>>>>>
>>>>>>>>>> Most jmeter users, I feel, will be in a position to judge the security risk
>>>>>>>>>> themselves and use the certificate accordingly.
>>>>>>>>>>
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>
>>>>>>>>>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>>>>>>>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello sebb,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yes users can change, but once again, it means adjusting defaults, knowing
>>>>>>>>>>>>>>>> they can be adjusted and which property it is.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> That can be documented.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which means all users read the whole documentation, do you think they do?
>>>>>>>>>>>>>> I guess you know the famous RTFM :-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why not make defaults better for usability?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Because it compromises security.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Can you give more details?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The point of a CA is to certify that a certificate chain is valid.
>>>>>>>>>>>>> Locally generated CA certs do not do this.
>>>>>>>>>>>>> Once the cert has been approved by the browser, it can be used to
>>>>>>>>>>>>> certify anything, including a spoof bank site etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>> JMeter users may not understand that, and so may not take sufficient
>>>>>>>>>>>>> care of the certificate and its password.
>>>>>>>>>>>>> Or they may forget that the cert has been added to the browser.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Even some official CAs have inadvertently exposed their certs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I don't think we should ship JMeter with deliberately weak settings.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>>>>>>>>>>>> the effects of accidental certificate exposure.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Users that understand the risks can override the setting, but that is
>>>>>>>>>>>>> at their own risk.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Remember that once the browser has stored the CA, it will be active
>>>>>>>>>>>>> regardless of whether JMeter is actually being used.
>>>>>>>>>>>>> So the sooner it expires, the safer it is.
>>>>>>>>>>>>> Maybe a week is too *long*.
>>>>>>>>>>>>
>>>>>>>>>>>> I am aware of that, but it means the attacker has accessed the machine of
>>>>>>>>>>>> the user to get the CA.
>>>>>>>>>>>> So the JMeter side is only a consequence, not the root cause.
>>>>>>>>>>>
>>>>>>>>>>> The risk is the same if the duration is 7 days or 3 months, because the
>>>>>>>>>>> attacker needs to have access to the private key of the temp JMeter CA root
>>>>>>>>>>> to generate some fake cert signed by the CA. This private key is on the
>>>>>>>>>>> machine (keystore.jks)
>>>>>>>>>>>
>>>>>>>>>>> And if an attacker already has access to the machine, it can add another
>>>>>>>>>>> CA (not the JMeter CA) directly into the certs vault on the machine, to make
>>>>>>>>>>> some malicious operations...
>>>>>>>>>>>
>>>>>>>>>>> 3 months seems good for me (this is the mean duration for my load test
>>>>>>>>>>> missions)
>>>>>>>>>>>
>>>>>>>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Is it really a blocker for you? If yes, why?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As above.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> @Others what's your opinion?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It's a trade-off between convenience and security.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I don't think the default should be changed.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>>>>>>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>>>>>>>>>>>> then a longer validity is more sensible.
>>>>>>>>>>>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> S.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> +1 for me
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad
>>>>>>>>>>>>>>>>>> <p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>> Currently:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>    - proxy.cert.validity=7
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>>>>>>>>>>>> certificate to the browser every week.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>>>> Philippe
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Regards.
>>>>>>>>>>>>>>>> Philippe Mouawad.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Regards.
>>>>>>>>>>>>>> Philippe Mouawad.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards.
>>>>>>>>> Philippe Mouawad.
>>>>>
>>>>> --
>>>>> Regards.
>>>>> Philippe Mouawad.
>>>
>>> --
>>> Regards.
>>> Philippe Mouawad.
>
> --
> Regards.
> Philippe Mouawad.
> Ubik-Ingénierie
>
> UBIK LOAD PACK Web Site <http://www.ubikloadpack.com/>
>
> UBIK LOAD PACK on TWITTER <https://twitter.com/ubikloadpack>
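
The exchange above turns on three facts: a CA the browser trusts can sign a certificate for any hostname, doing so requires the CA's private key (the one JMeter keeps in keystore.jks), and the CA's validity period bounds how long an exposed key is useful. The Go program below is an added example written for this page, not JMeter code or anything from the JMeter project: it builds a throwaway root whose lifetime is given in days (standing in for proxy.cert.validity), signs a leaf for an unrelated hostname, and shows that a browser-style chain check accepts it while the CA is valid and rejects it once the CA has expired. The key type (ECDSA P-256), the names, the constructed start date, and the policy of clamping the leaf's expiry to the CA's are assumptions of the example; JMeter's actual keystore contents are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl signed by parent with priv, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed root valid for validityDays from notBefore, the role
// proxy.cert.validity plays. The CA certificate plus its private key is exactly what
// an attacker needs from keystore.jks. ECDSA P-256 and the name are assumptions.
func NewCA(name string, notBefore time.Time, validityDays int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(validityDays) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// SignLeaf issues a server certificate for any hostname under the CA. Nothing checks
// that the caller controls the name: "bank.example" is as easy as the site being
// recorded. The leaf's expiry is clamped to the CA's (an assumption of this example).
func SignLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string, notBefore time.Time, validityDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := notBefore.Add(time.Duration(validityDays) * 24 * time.Hour)
	if notAfter.After(ca.NotAfter) {
		notAfter = ca.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// VerifyAs is the check a browser makes once trusted is in its store: chain leaf
// to that root for hostname, as seen at time now. nil means the browser accepts.
func VerifyAs(leaf, trusted *x509.Certificate, hostname string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err
}

// IsExpired tells "the certificate ran out" apart from other verification failures.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	start := time.Date(2018, 7, 19, 0, 0, 0, 0, time.UTC) // constructed date
	ca, caKey, err := NewCA("JMeter recorder root (example)", start, 7)
	if err != nil {
		panic(err)
	}
	spoof, err := SignLeaf(ca, caKey, "bank.example", start, 365) // attacker-chosen name
	if err != nil {
		panic(err)
	}
	fmt.Println("day 1:", VerifyAs(spoof, ca, "bank.example", start.Add(24*time.Hour)))
	fmt.Println("day 8:", VerifyAs(spoof, ca, "bank.example", start.Add(8*24*time.Hour)))
}
```

Running it prints an accepted chain on day 1 and an expiry error on day 8, which is the whole of the "shorter is safer" argument in executable form; the same expiry check against a recorder keystore you actually hold is `keytool -list -v -keystore keystore.jks`, whose output includes the `Valid from ... until` line for the CA entry.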

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <p....@ubik-ingenierie.com>.
In this case, I let you revert code.
Regarding the incomplete analysis, please explain in private how to do that.

Thank you



-- 
Regards.
Philippe Mouawad.
Ubik-Ingénierie

UBIK LOAD PACK Web Site <http://www.ubikloadpack.com/>

UBIK LOAD PACK on TWITTER <https://twitter.com/ubikloadpack>

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 26 July 2018 at 07:10, Philippe Mouawad <ph...@gmail.com> wrote:
> On Thursday, July 26, 2018, sebb <se...@gmail.com> wrote:
>
>> On 25 July 2018 at 21:14, Philippe Mouawad <ph...@gmail.com>
>> wrote:
>> > Hello,
>> > For now I increase validity to 3 months as there is a majority that
>> agrees.
>>
>> There is also a -1 from me.
>>
>> It is wrong to unilaterally change the default without giving the
>> users the chance to agree to the reduction in security.
>
>
> IMO, the issue was discussed and although you have a -1, there are 3 +1 and
> Felix looks neutral.

Since this is a code change, my -1 is a veto.
That needs to be resolved.

> From my understanding of your question to the sec team, there is nothing
> blocking in terms of security here.
>
>
>> What are your plans to alert the users to the change?
>
>
> I'll add a breaking change, but you can add to it also if you think you'll
> be clearer.

I think the user needs to agree to the change; it should not be forced
upon them.

Note the response from Srijon Das else-thread.

>>
>> > I guess in the future, Felix's proposal is better, but meanwhile, let's
>> > increase usability.
>>
>> No, that's just wrong.
>> Usability should not be done at the expense of security.
>
>
> That's not my understanding of the sec team's answer, and Milamber also confirmed
> the risk was nearly the same.

I think his analysis of the risk was incomplete.
I think it's possible to steal the cert and the password without
needing shell access to the host.

> If you think things should be better, you're welcome to propose a patch:
> - evolution of the templating system to allow parameters, which could be reused
>   anywhere, for example on test plan creation
> - custom dialog to ask the user for validity
>
> But the status quo is not an option IMO.
> Security is very important to me, as you can see from my involvement in
> fixing and helping on CVE report management, but when there is no real
> argument I don't see why usability should be affected. UX is critical for
> tool adoption and perennity, and it looks like the issue is a real one, as per
> the report from a user on this mail topic, my daily usage of JMeter and
> the trainings my company gives on it.
>
>>
>> > Regards
>> >
>> > On Thu, Jul 19, 2018 at 8:11 PM, Felix Schumacher <
>> > felix.schumacher@internetallee.de> wrote:
>> >
>> >> Would the addition of such a message remove the need for a longer
>> default
>> >> period?
>> >>
>> >> Or should we even let the user decide on generation how long it should
>> be
>> >> valid? (with a short default like the seven days we currently have.)
>> >>
>> >> Felix
>> >>
>> >>
>> >>
>> >> Am 19.07.2018 um 15:06 schrieb Philippe Mouawad:
>> >>
>> >>> What ????
>> >>> You didn't read the manual :-) ?????
>> >>>
>> >>>
>> >>> Just kidding :-)
>> >>>
>> >>> Thanks for your ideas
>> >>>
>> >>> On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <sr...@gmail.com>
>> wrote:
>> >>>
>> >>> I was not aware that it is a configuration.
>> >>>>
>> >>>> Usually I see a pop-up which mentions that certificate is valid for 7
>> >>>> days. Maybe we could mention that changing the config
>> proxy.cert.validity
>> >>>> will change the validity of the certificate.
>> >>>>
>> >>>> Sent from my iPhone
>> >>>>
>> >>>> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <
>> >>>>>
>> >>>> philippe.mouawad@gmail.com> wrote:
>> >>>>
>> >>>>> Hello,
>> >>>>> See:
>> >>>>> http://jmeter.apache.org/usermanual/properties_
>> >>>>>
>> >>>> reference.html#test_script_recorder_cert
>> >>>>
>> >>>>> The property is:
>> >>>>> proxy.cert.validity
>> >>>>>
>> >>>>> How would you like it improved ?
>> >>>>>
>> >>>>> Thanks
>> >>>>>
>> >>>>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com>
>> >>>>>>
>> >>>>> wrote:
>> >>>>
>> >>>>> As a longtime jmeter user, I would like the option to decide how
>> long my
>> >>>>>> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And
>> perhaps
>> >>>>>> a
>> >>>>>> warning describing the consequences of the security vulnerabilities.
>> >>>>>>
>> >>>>>> Most jmeter users, I feel will be in a position to judge the
>> security
>> >>>>>>
>> >>>>> risk
>> >>>>
>> >>>>> themselves and use the certificate accordingly.
>> >>>>>>
>> >>>>>> Sent from my iPhone
>> >>>>>>
>> >>>>>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>> >>>>>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>> >>>>>>>>>
>> >>>>>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <
>> >>>>>>>>>
>> >>>>>>>> philippe.mouawad@gmail.com
>> >>>>
>> >>>>> wrote:
>> >>>>>>>>>
>> >>>>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com>
>> wrote:
>> >>>>>>>>>>>
>> >>>>>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <
>> >>>>>>>>>>>
>> >>>>>>>>>> philippe.mouawad@gmail.com>
>> >>>>>>
>> >>>>>>> wrote:
>> >>>>>>>>>>>
>> >>>>>>>>>>>> Hello sebb,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Yes users can change, but once again, it means adjusting
>> >>>>>>>>>>>> defaults,
>> >>>>>>>>>>>>
>> >>>>>>>>>>> knowing
>> >>>>>>>>>>>
>> >>>>>>>>>>>> they can be adjusted and which property it is.
>> >>>>>>>>>>>>
>> >>>>>>>>>>> That can be documented.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Which means all users read the whole documentation, do you
>> think
>> >>>>>>>>>>
>> >>>>>>>>> they
>> >>>>
>> >>>>> do
>> >>>>>>
>> >>>>>>> ?
>> >>>>>>>>>
>> >>>>>>>>>> I guess you know the famous RTFM :-)
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> Why not make defaults better for usability ?
>> >>>>>>>>>>>>
>> >>>>>>>>>>> Because it compromises security.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Can you give more details ?
>> >>>>>>>>>>
>> >>>>>>>>> The point of a CA is to certify that a certificate chain is
>> valid.
>> >>>>>>>>> Locally generated CA certs do not do this.
>> >>>>>>>>> Once the cert has been approved by the browser, it can be used to
>> >>>>>>>>> certify anything, including a spoof bank site etc.
>> >>>>>>>>>
>> >>>>>>>>> JMeter users may not understand that, and so may not take
>> sufficient
>> >>>>>>>>> care of the certificate and its password.
>> >>>>>>>>> Or they may forget that the cert has been added to the browser.
>> >>>>>>>>>
>> >>>>>>>>> Even some official CAs have inadvertently exposed their certs.
>> >>>>>>>>>
>> >>>>>>>>> I don't think we should ship JMeter with deliberately weak
>> settings.
>> >>>>>>>>>
>> >>>>>>>>> Yes it may be inconvenient, but it is deliberately done to
>> minimise
>> >>>>>>>>> the effects of accidental certificate exposure.
>> >>>>>>>>>
>> >>>>>>>>> Users that understand the risks can override the setting, but
>> that
>> >>>>>>>>> is
>> >>>>>>>>> at their own risk.
>> >>>>>>>>>
>> >>>>>>>>> Remember that once the browser has stored the CA, it will be
>> active
>> >>>>>>>>> regardless of whether JMeter is actually being used.
>> >>>>>>>>> So the sooner it expires, the safer it is.
>> >>>>>>>>> Maybe a week is too *long*.
>> >>>>>>>>>
>> >>>>>>>> I am aware of that, but it means the attacker has accessed the
>> >>>>>>>> machine of the user to get the CA.
>> >>>>>>>> So the JMeter side is only a consequence, not root cause
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>> The risk is the same if the duration is 7 days or 3 months, because
>> >>>>>>> the attacker needs to have access to the private key of the temp
>> >>>>>>> JMeter CA root to generate some fake cert signed by the CA. This
>> >>>>>>> private key is on the machine (keystore.jks)
>> >>>>>>>
>> >>>>>>> And if an attacker already has access to the machine, they can add
>> >>>>>>> directly another CA (not JMeter CA) into the certs vault on the
>> >>>>>>> machine, to make some malicious operations...
>> >>>>>>>
>> >>>>>>> 3 months seems good for me (this is the mean duration for my load
>> >>>>>>> test missions)
>> >>>>>>>
>> >>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>> >>>>>>>>>>>> Is it really a blocker for you ? if yes why ?
>> >>>>>>>>>>>>
>> >>>>>>>>>>> As above.
>> >>>>>>>>>>>
>> >>>>>>>>>>> @Others what's your opinion ?
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Thanks
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com>
>> wrote:
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> It's a trade-off between convenience and security.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> It's risky adding the certificate to the browser.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> I don't think the default should be changed.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Users can always change it themselves if they accept the risks.
>> >>>>>>>>>>>>> E.g. if they use a separate browser installation that has the
>> >>>>>>>>>>>>> certificate, then a longer validity is more sensible.
>> >>>>>>>>>>>>> It's too easy to forget that the cert has been added to the
>> >>>>>>>>>>>>> browser.
>> >>>>>>
>> >>>>>>> S.
>> >>>>>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <
>> >>>>>>>>>>>>> ra0077@gmail.com> wrote:
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>> +1 for me
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
>> >>>>>>>>>>>>>> p.mouawad@ubik-ingenierie.com> wrote:
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> Hello,
>> >>>>>>>>>>>>>>> Currently :
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>    - proxy.cert.validity=7
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> This is annoying for users who must remember to add the ROOT
>> >>>>>>>>>>>>>>> JMeter certificate to the browser every week.
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>> Regards
>> >>>>>>>>>>>>>>> Philippe
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>> --
>> >>>>>>>>>>>> Regards.
>> >>>>>>>>>>>> Philippe Mouawad.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> Regards.
>> >>>>>>>>>> Philippe Mouawad.
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Regards.
>> >>>>> Philippe Mouawad.
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> > --
>> > Regards.
>> > Philippe Mouawad.
>>
>
>
> --
> Regards.
> Philippe Mouawad.
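The argument quoted above is that a JMeter-generated root CA, once imported, stays trusted by the browser until its notAfter date, whatever proxy.cert.validity is set to afterwards, so the practical check is to read the validity window of the certificate you actually installed. What follows is an added example written for this discussion; it is not code from the JMeter project or from anyone in this thread. It is a stdlib-only Python checker that reads a certificate (DER or PEM, v1 or v3) and reports how long its validity window is, whether that window exceeds a policy limit (default 7 days, the shipped setting), and whether it is still live. Point it at the certificate file the recorder exports (assumed here to be ApacheJMeterTemporaryRootCA.crt in JMeter's bin directory; check your own installation) or at a certificate exported from the browser's trust store. The sample_cert() helper and SAMPLE_NOT_BEFORE are constructed test input only: they build a certificate-shaped DER blob so the parser can be exercised offline, with dummy issuer, subject, key and signature fields that no browser or keystore would accept.

```python
import base64
import re
import sys
from datetime import datetime, timedelta, timezone

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV that starts at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def _parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as UTC.
    strptime's %y pivot (69-99 -> 19xx) differs slightly from RFC 5280's (50-99 -> 19xx)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def certificate_validity(cert_bytes):
    """Return (notBefore, notAfter) as aware UTC datetimes for a DER or PEM certificate."""
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:        # PEM: strip armour, base64-decode
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                         cert_bytes, re.S).group(1)
        cert_bytes = base64.b64decode(b"".join(body.split()))
    _, cert_start, _ = _read_tlv(cert_bytes, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(cert_bytes, cert_start)  # tbsCertificate SEQUENCE
    fields = list(_children(cert_bytes, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        fields = fields[1:]
    _, v_start, v_end = fields[3]   # serialNumber, signature, issuer, validity, subject, ...
    (tag_nb, nb_s, nb_e), (tag_na, na_s, na_e) = list(_children(cert_bytes, v_start, v_end))
    return (_parse_time(tag_nb, cert_bytes[nb_s:nb_e]),
            _parse_time(tag_na, cert_bytes[na_s:na_e]))

def check_against_policy(cert_bytes, max_days=7, now=None):
    """Measure the validity window against a policy limit in days (default: the shipped
    proxy.cert.validity=7) and say whether the cert is still live at `now` (default: UTC now)."""
    not_before, not_after = certificate_validity(cert_bytes)
    now = now or datetime.now(timezone.utc)
    window = (not_after - not_before).days
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "validity_days": window,
        "exceeds_policy": window > max_days,
        "still_valid": not_before <= now <= not_after,
        "days_left": (not_after - now).days,
    }

# Constructed offline input from here on: NOT a real, signed or trusted certificate.
SAMPLE_NOT_BEFORE = datetime(2018, 7, 19, 8, 27, 10, tzinfo=timezone.utc)

def _tlv(tag, value):
    n = len(value)                         # DER-encode one TLV, short- or long-form length
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def sample_cert(days, not_before=SAMPLE_NOT_BEFORE):
    """Certificate-shaped DER blob with a `days`-long validity window. Only the outer
    structure and the Validity field are meaningful; issuer, subject, key and signature
    are dummies, so no browser or keystore would accept it. It exists to drive the parser."""
    def utc_time(d):
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                  # [0] version = v3
        _tlv(0x02, b"\x01"),                                              # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _tlv(0x30, b""),                                                  # issuer (dummy)
        _tlv(0x30, utc_time(not_before) + utc_time(not_before + timedelta(days=days))),
        _tlv(0x30, b""),                                                  # subject (dummy)
        _tlv(0x30, b""),                                                  # subjectPublicKeyInfo (dummy)
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))      # + signatureAlgorithm, signature

def to_pem(der):
    """Wrap DER in the PEM envelope that exported certificate files usually use."""
    b64 = base64.b64encode(der)
    lines = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + lines + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # usage: python check_ca_validity.py <exported CA .crt>   (no argument: constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert(7)
    print(check_against_policy(data))
```

Run it as python check_ca_validity.py bin/ApacheJMeterTemporaryRootCA.crt (script and file names are assumptions). A result with still_valid true for a recording you finished weeks ago is exactly the situation sebb describes: the browser keeps honouring that CA until days_left reaches zero, so delete it from the trust store rather than waiting for expiry. The JDK's standard keytool -printcert -file <cert> prints the same notBefore/notAfter pair if you prefer to cross-check without Python.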

Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
On Thursday, July 26, 2018, sebb <se...@gmail.com> wrote:

> On 25 July 2018 at 21:14, Philippe Mouawad <ph...@gmail.com>
> wrote:
> > Hello,
> > For now I increase validity to 3 months as there is a majority that
> agrees.
>
> There is also a -1 from me.
>
> It is wrong to unilaterally change the default without giving the
> users the chance to agree to the reduction in security.


IMO, the issue was discussed and although you have a -1, there are 3 +1 and
Felix looks neutral.

From my understanding of your question to the sec team, there is nothing
blocking in terms of security here.


> What are your plans to alert the users to the change?


I'll add a breaking change, but you can add to it also if you think you'll
be clearer.

>
> > I guess in the future, Felix's proposal is better, but meanwhile, let's
> > increase usability.
>
> No, that's just wrong.
> Usability should not be done at the expense of security.


That's not my understanding of the sec team's answer, and Milamber also
confirmed the risk was nearly the same.

If you think things should be better, you're welcome to propose a patch:
- evolution of the templating system to allow parameters, which could be
reused anywhere, for example on test plan creation
- custom dialog to ask the user for validity

But the status quo is not an option IMO.
Security is very important to me, as you can see from my involvement in
fixing and helping on CVE report management, but when there is no real
argument I don't see why usability should be affected. UX is critical for
tool adoption and longevity, and it looks like the issue is a real one, as
per the report from a user on this mail topic, as per my daily usage of
JMeter and as per the trainings my company gives on it.

>
> > Regards
> >


-- 
Regards.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 25 July 2018 at 21:14, Philippe Mouawad <ph...@gmail.com> wrote:
> Hello,
> For now I increase validity to 3 months as there is a majority that agrees.

There is also a -1 from me.

It is wrong to unilaterally change the default without giving the
users the chance to agree to the reduction in security.

What are your plans to alert the users to the change?

> I guess in the future, Felix's proposal is better, but meanwhile, let's
> increase usability.

No, that's just wrong.
Usability should not be done at the expense of security.

> Regards
>
>
>
> --
> Regards.
> Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
See:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62570

On Wed, Jul 25, 2018 at 10:14 PM, Philippe Mouawad <
philippe.mouawad@gmail.com> wrote:

> Hello,
> For now I increase validity to 3 months as there is a majority that agrees.
>
> I guess in the future, Felix's proposal is better, but meanwhile, let's
> increase usability.
>
> Regards
>
>
> --
> Regards.
> Philippe Mouawad.
>
>
>


-- 
Regards.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
Hello,
For now I increase validity to 3 months as there is a majority that agrees.

I guess in the future, Felix's proposal is better, but meanwhile, let's
increase usability.

Regards

On Thu, Jul 19, 2018 at 8:11 PM, Felix Schumacher <
felix.schumacher@internetallee.de> wrote:

> Would the addition of such a message remove the need for a longer default
> period?
>
> Or should we even let the user decide on generation how long it should be
> valid? (with a short default like the seven days we currently have.)
>
> Felix
>
>
>
> Am 19.07.2018 um 15:06 schrieb Philippe Mouawad:
>
>> What ????
>> You didn't read the manual :-) ?????
>>
>>
>> Just kidding :-)
>>
>> Thanks for your ideas
>>
>> On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <sr...@gmail.com> wrote:
>>
>> I was not aware that it is a configuration.
>>>
>>> Usually I see a pop-up which mentions that certificate is valid for 7
>>> days. Maybe we could mention that changing the config proxy.cert.validity
>>> will change the validity of the certificate.
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <
>>>>
>>> philippe.mouawad@gmail.com> wrote:
>>>
>>>> Hello,
>>>> See:
>>>> http://jmeter.apache.org/usermanual/properties_
>>>>
>>> reference.html#test_script_recorder_cert
>>>
>>>> The property is:
>>>> proxy.cert.validity
>>>>
>>>> How would you like it improved ?
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com>
>>>>>
>>>> wrote:
>>>
>>>> As a longtime jmeter user, I would like the option to decide how long my
>>>>> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps
>>>>> a
>>>>> warning describing the consequences of the security vulnerabilities.
>>>>>
>>>>> Most jmeter users, I feel will be in a position to judge the security
>>>>>
>>>> risk
>>>
>>>> themselves and use the certificate accordingly.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>>>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <
>>>>>>>>
>>>>>>> philippe.mouawad@gmail.com
>>>
>>>> wrote:
>>>>>>>>
>>>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <
>>>>>>>>>>
>>>>>>>>> philippe.mouawad@gmail.com>
>>>>>
>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello sebb,
>>>>>>>>>>>
>>>>>>>>>>> Yes users can change, but once again, it means adjusting
>>>>>>>>>>> defaults,
>>>>>>>>>>>
>>>>>>>>>> knowing
>>>>>>>>>>
>>>>>>>>>>> they can be adjusted and which property it is.
>>>>>>>>>>>
>>>>>>>>>> That can be documented.
>>>>>>>>>>
>>>>>>>>>> Which means all users read the whole documentation, do you think
>>>>>>>>>
>>>>>>>> they
>>>
>>>> do
>>>>>
>>>>>> ?
>>>>>>>>
>>>>>>>>> I guess you know the famous RTFM :-)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Why not make defaults better for usability ?
>>>>>>>>>>>
>>>>>>>>>> Because it compromises security.
>>>>>>>>>>
>>>>>>>>>> Can you give more details ?
>>>>>>>>>
>>>>>>>> The point of a CA is to certify that a certificate chain is valid.
>>>>>>>> Locally generated CA certs do not do this.
>>>>>>>> Once the cert has been approved by the browser, it can be used to
>>>>>>>> certify anything, including a spoof bank site etc.
>>>>>>>>
>>>>>>>> JMeter users may not understand that, and so may not take sufficient
>>>>>>>> care of the certificate and its password.
>>>>>>>> Or they may forget that the cert has been added to the browser.
>>>>>>>>
>>>>>>>> Even some official CAs have inadvertently exposed their certs.
>>>>>>>>
>>>>>>>> I don't think we should ship JMeter with deliberately weak settings.
>>>>>>>>
>>>>>>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>>>>>>> the effects of accidental certificate exposure.
>>>>>>>>
>>>>>>>> Users that understand the risks can override the setting, but that
>>>>>>>> is
>>>>>>>> at their own risk.
>>>>>>>>
>>>>>>>> Remember that once the browser has stored the CA, it will be active
>>>>>>>> regardless of whether JMeter is actually being used.
>>>>>>>> So the sooner it expires, the safer it is.
>>>>>>>> Maybe a week is too *long*.
>>>>>>>>
>>>>>>> I am aware of that, but it means attacker has accessed the machine of user
>>>>>>> to get the CA.
>>>>>>> So the JMeter side is only a consequence, not root cause
>>>>>>>
>>>>>>
>>>>>> The risk is the same if the duration is 7 days or 3 months, because the
>>>>>> attacker needs to have access to the private key of the temp JMeter CA root
>>>>>> to generate some fake cert signed by the CA. This private key is on the
>>>>>> machine (keystore.jks)
>>>>>> And if an attacker already has access to the machine, it can add
>>>>>> directly another CA (not JMeter CA) into the certs vault on the machine, to
>>>>>> make some malicious operations...
>>>>>>
>>>>>> 3 months seems good for me (this is the mean duration for my load test
>>>>>> missions)
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>>>>>>> Is it really a blocker for you ? if yes why ?
>>>>>>>>>>>
>>>>>>>>>> As above.
>>>>>>>>>>
>>>>>>>>>> @Others what's your opinion ?
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> It's a trade-off between convenience and security.
>>>>>>>>>>>>
>>>>>>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>>>>>>
>>>>>>>>>>>> I don't think the default should be changed.
>>>>>>>>>>>>
>>>>>>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>>>>>>> then a longer validity is more sensible.
>>>>>>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>>>>>>
>>>>>>>>>>>> S.
>>>>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> +1 for me
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> Currently :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    - proxy.cert.validity=7
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>>>>>>> certificate to the browser every week.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>> Philippe
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Regards.
>>>>>>>>>>> Philippe Mouawad.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards.
>>>>>>>>> Philippe Mouawad.
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>
>>>> --
>>>> Regards.
>>>> Philippe Mouawad.
>>>>
>>>
>>
>>
>


-- 
Regards.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Felix Schumacher <fe...@internetallee.de>.
Would the addition of such a message remove the need for a longer 
default period?

Or should we even let the user decide on generation how long it should 
be valid? (with a short default like the seven days we currently have.)

Felix


On 19.07.2018 at 15:06, Philippe Mouawad wrote:
> What ????
> You didn't read the manual :-) ?????
>
>
> Just kidding :-)
>
> Thanks for your ideas
>
> On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <sr...@gmail.com> wrote:
>
>> I was not aware that it is a configuration.
>>
>> Usually I see a pop-up which mentions that certificate is valid for 7
>> days. Maybe we could mention that changing the config proxy.cert.validity
>> will change the validity of the certificate.
>>
>> Sent from my iPhone
>>
>>> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>> Hello,
>>> See:
>>> http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
>>> The property is:
>>> proxy.cert.validity
>>>
>>> How would you like it improved ?
>>>
>>> Thanks
>>>
>>>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com> wrote:
>>>> As a longtime jmeter user, I would like the option to decide how long my
>>>> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a
>>>> warning describing the consequences of the security vulnerabilities.
>>>>
>>>> Most jmeter users, I feel will be in a position to judge the security
>>>> risk themselves and use the certificate accordingly.
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>>>>>>
>>>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>>>> Hello sebb,
>>>>>>>>>>
>>>>>>>>>> Yes users can change, but once again, it means adjusting defaults,
>>>>>>>>>> knowing they can be adjusted and which property it is.
>>>>>>>>> That can be documented.
>>>>>>>>>
>>>>>>>> Which means all users read the whole documentation, do you think they do?
>>>>>>>> I guess you know the famous RTFM :-)
>>>>>>>>
>>>>>>>>
>>>>>>>>>> Why not make defaults better for usability ?
>>>>>>>>> Because it compromises security.
>>>>>>>>>
>>>>>>>> Can you give more details ?
>>>>>>> The point of a CA is to certify that a certificate chain is valid.
>>>>>>> Locally generated CA certs do not do this.
>>>>>>> Once the cert has been approved by the browser, it can be used to
>>>>>>> certify anything, including a spoof bank site etc.
>>>>>>>
>>>>>>> JMeter users may not understand that, and so may not take sufficient
>>>>>>> care of the certificate and its password.
>>>>>>> Or they may forget that the cert has been added to the browser.
>>>>>>>
>>>>>>> Even some official CAs have inadvertently exposed their certs.
>>>>>>>
>>>>>>> I don't think we should ship JMeter with deliberately weak settings.
>>>>>>>
>>>>>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>>>>>> the effects of accidental certificate exposure.
>>>>>>>
>>>>>>> Users that understand the risks can override the setting, but that is
>>>>>>> at their own risk.
>>>>>>>
>>>>>>> Remember that once the browser has stored the CA, it will be active
>>>>>>> regardless of whether JMeter is actually being used.
>>>>>>> So the sooner it expires, the safer it is.
>>>>>>> Maybe a week is too *long*.
>>>>>>>
>>>>>> I am aware of that, but it means attacker has accessed the machine of user
>>>>>> to get the CA.
>>>>>> So the JMeter side is only a consequence, not root cause
>>>>>
>>>>> The risk is the same if the duration is 7 days or 3 months, because the
>>>>> attacker needs to have access to the private key of the temp JMeter CA root
>>>>> to generate some fake cert signed by the CA. This private key is on the
>>>>> machine (keystore.jks)
>>>>> And if an attacker already has access to the machine, it can add
>>>>> directly another CA (not JMeter CA) into the certs vault on the machine, to
>>>>> make some malicious operations...
>>>>> 3 months seems good for me (this is the mean duration for my load test
>>>>> missions)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>>>>>> Is it really a blocker for you ? if yes why ?
>>>>>>>>> As above.
>>>>>>>>>
>>>>>>>>>> @Others what's your opinion ?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> It's a trade-off between convenience and security.
>>>>>>>>>>>
>>>>>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>>>>>
>>>>>>>>>>> I don't think the default should be changed.
>>>>>>>>>>>
>>>>>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>>>>>> then a longer validity is more sensible.
>>>>>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>>>>> S.
>>>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
>>>>>>>>>>>> +1 for me
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>> Currently :
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - proxy.cert.validity=7
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>>>>>> certificate to the browser every week.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> Philippe
>>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Regards.
>>>>>>>>>> Philippe Mouawad.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards.
>>>>>>>> Philippe Mouawad.
>>>>>>
>>>
>>>
>>> --
>>> Regards.
>>> Philippe Mouawad.
>
>


Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
What ????
You didn't read the manual :-) ?????


Just kidding :-)

Thanks for your ideas

On Thu, Jul 19, 2018 at 3:05 PM, Srijon Das <sr...@gmail.com> wrote:

> I was not aware that it is a configuration.
>
> Usually I see a pop-up which mentions that certificate is valid for 7
> days. Maybe we could mention that changing the config proxy.cert.validity
> will change the validity of the certificate.
>
> Sent from my iPhone
>
> > On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
> >
> > Hello,
> > See:
> > http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
> >
> > The property is:
> > proxy.cert.validity
> >
> > How would you like it improved ?
> >
> > Thanks
> >
> >> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com> wrote:
> >>
> >> As a longtime jmeter user, I would like the option to decide how long my
> >> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a
> >> warning describing the consequences of the security vulnerabilities.
> >>
> >> Most jmeter users, I feel will be in a position to judge the security
> >> risk themselves and use the certificate accordingly.
> >>
> >> Sent from my iPhone
> >>
> >>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
> >>>
> >>>
> >>>
> >>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
> >>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
> >>>>>
> >>>>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
> >>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
> >>>>>>>> Hello sebb,
> >>>>>>>>
> >>>>>>>> Yes users can change, but once again, it means adjusting defaults,
> >>>>>>>> knowing they can be adjusted and which property it is.
> >>>>>>> That can be documented.
> >>>>>>>
> >>>>>> Which means all users read the whole documentation, do you think they do?
> >>>>>> I guess you know the famous RTFM :-)
> >>>>>>
> >>>>>>
> >>>>>>>> Why not make defaults better for usability ?
> >>>>>>> Because it compromises security.
> >>>>>>>
> >>>>>> Can you give more details ?
> >>>>> The point of a CA is to certify that a certificate chain is valid.
> >>>>> Locally generated CA certs do not do this.
> >>>>> Once the cert has been approved by the browser, it can be used to
> >>>>> certify anything, including a spoof bank site etc.
> >>>>>
> >>>>> JMeter users may not understand that, and so may not take sufficient
> >>>>> care of the certificate and its password.
> >>>>> Or they may forget that the cert has been added to the browser.
> >>>>>
> >>>>> Even some official CAs have inadvertently exposed their certs.
> >>>>>
> >>>>> I don't think we should ship JMeter with deliberately weak settings.
> >>>>>
> >>>>> Yes it may be inconvenient, but it is deliberately done to minimise
> >>>>> the effects of accidental certificate exposure.
> >>>>>
> >>>>> Users that understand the risks can override the setting, but that is
> >>>>> at their own risk.
> >>>>>
> >>>>> Remember that once the browser has stored the CA, it will be active
> >>>>> regardless of whether JMeter is actually being used.
> >>>>> So the sooner it expires, the safer it is.
> >>>>> Maybe a week is too *long*.
> >>>>>
> >>>> I am aware of that, but it means attacker has accessed the machine of user
> >>>> to get the CA.
> >>>> So the JMeter side is only a consequence, not root cause
> >>>
> >>>
> >>> The risk is the same if the duration is 7 days or 3 months, because the
> >>> attacker needs to have access to the private key of the temp JMeter CA root
> >>> to generate some fake cert signed by the CA. This private key is on the
> >>> machine (keystore.jks)
> >>> And if an attacker already has access to the machine, it can add
> >>> directly another CA (not JMeter CA) into the certs vault on the machine, to
> >>> make some malicious operations...
> >>>
> >>> 3 months seems good for me (this is the mean duration for my load test
> >>> missions)
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>
> >>>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
> >>>>>>>> Is it really a blocker for you ? if yes why ?
> >>>>>>> As above.
> >>>>>>>
> >>>>>>>> @Others what's your opinion ?
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> It's a trade-off between convenience and security.
> >>>>>>>>>
> >>>>>>>>> It's risky adding the certificate to the browser.
> >>>>>>>>>
> >>>>>>>>> I don't think the default should be changed.
> >>>>>>>>>
> >>>>>>>>> Users can always change it themselves if they accept the risks.
> >>>>>>>>> E.g. if they use a separate browser installation that has the certificate,
> >>>>>>>>> then a longer validity is more sensible.
> >>>>>>>>> It's too easy to forget that the cert has been added to the browser.
> >>>>>>>>>
> >>>>>>>>> S.
> >>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
> >>>>>>>>>> +1 for me
> >>>>>>>>>>
> >>>>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hello,
> >>>>>>>>>>> Currently :
> >>>>>>>>>>>
> >>>>>>>>>>>   - proxy.cert.validity=7
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
> >>>>>>>>>>> certificate to the browser every week.
> >>>>>>>>>>>
> >>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
> >>>>>>>>>>>
> >>>>>>>>>>> Regards
> >>>>>>>>>>> Philippe
> >>>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Regards.
> >>>>>>>> Philippe Mouawad.
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards.
> >>>>>> Philippe Mouawad.
> >>>>
> >>>>
> >>>
> >>
> >
> >
> >
> > --
> > Regards.
> > Philippe Mouawad.
>



-- 
Regards.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Srijon Das <sr...@gmail.com>.
I was not aware that it is a configuration. 

Usually I see a pop-up which mentions that certificate is valid for 7 days. Maybe we could mention that changing the config proxy.cert.validity will change the validity of the certificate.

Sent from my iPhone

> On Jul 19, 2018, at 5:53 AM, Philippe Mouawad <ph...@gmail.com> wrote:
> 
> Hello,
> See:
> http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
> 
> The property is:
> proxy.cert.validity
> 
> How would you like it improved ?
> 
> Thanks
> 
>> On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com> wrote:
>> 
>> As a longtime jmeter user, I would like the option to decide how long my
>> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a
>> warning describing the consequences of the security vulnerabilities.
>> 
>> Most jmeter users, I feel will be in a position to judge the security risk
>> themselves and use the certificate accordingly.
>> 
>> Sent from my iPhone
>> 
>>> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
>>> 
>>> 
>>> 
>>>>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>>>> 
>>>>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>>>>> 
>>>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
>>>>>>>> Hello sebb,
>>>>>>>> 
>>>>>>>> Yes users can change, but once again, it means adjusting defaults,
>>>>>>>> knowing they can be adjusted and which property it is.
>>>>>>> That can be documented.
>>>>>>> 
>>>>>> Which means all users read the whole documentation, do you think they do?
>>>>>> I guess you know the famous RTFM :-)
>>>>>> 
>>>>>> 
>>>>>>>> Why not make defaults better for usability ?
>>>>>>> Because it compromises security.
>>>>>>> 
>>>>>> Can you give more details ?
>>>>> The point of a CA is to certify that a certificate chain is valid.
>>>>> Locally generated CA certs do not do this.
>>>>> Once the cert has been approved by the browser, it can be used to
>>>>> certify anything, including a spoof bank site etc.
>>>>> 
>>>>> JMeter users may not understand that, and so may not take sufficient
>>>>> care of the certificate and its password.
>>>>> Or they may forget that the cert has been added to the browser.
>>>>> 
>>>>> Even some official CAs have inadvertently exposed their certs.
>>>>> 
>>>>> I don't think we should ship JMeter with deliberately weak settings.
>>>>> 
>>>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>>>> the effects of accidental certificate exposure.
>>>>> 
>>>>> Users that understand the risks can override the setting, but that is
>>>>> at their own risk.
>>>>> 
>>>>> Remember that once the browser has stored the CA, it will be active
>>>>> regardless of whether JMeter is actually being used.
>>>>> So the sooner it expires, the safer it is.
>>>>> Maybe a week is too *long*.
>>>>> 
>>>> I am aware of that, but it means attacker has accessed the machine of user
>>>> to get the CA.
>>>> So the JMeter side is only a consequence, not root cause
>>> 
>>> 
>>> The risk is the same if the duration is 7 days or 3 months, because the
>>> attacker needs to have access to the private key of the temp JMeter CA root
>>> to generate some fake cert signed by the CA. This private key is on the
>>> machine (keystore.jks)
>>> And if an attacker already has access to the machine, it can add
>>> directly another CA (not JMeter CA) into the certs vault on the machine, to
>>> make some malicious operations...
>>> 
>>> 3 months seems good for me (this is the mean duration for my load test
>>> missions)
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> 
>>>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>>>> Is it really a blocker for you ? if yes why ?
>>>>>>> As above.
>>>>>>> 
>>>>>>>> @Others what's your opinion ?
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> It's a trade-off between convenience and security.
>>>>>>>>> 
>>>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>>> 
>>>>>>>>> I don't think the default should be changed.
>>>>>>>>> 
>>>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>>>> then a longer validity is more sensible.
>>>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>>> 
>>>>>>>>> S.
>>>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
>>>>>>>>>> +1 for me
>>>>>>>>>> 
>>>>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Hello,
>>>>>>>>>>> Currently :
>>>>>>>>>>> 
>>>>>>>>>>>   - proxy.cert.validity=7
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>>>> certificate to the browser every week.
>>>>>>>>>>> 
>>>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>>> 
>>>>>>>>>>> Regards
>>>>>>>>>>> Philippe
>>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Regards.
>>>>>>>> Philippe Mouawad.
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Regards.
>>>>>> Philippe Mouawad.
>>>> 
>>>> 
>>> 
>> 
> 
> 
> 
> -- 
> Regards.
> Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
Hello,
See:
http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert

The property is:
proxy.cert.validity

How would you like it improved ?

Thanks

On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <sr...@gmail.com> wrote:

> As a longtime jmeter user, I would like the option to decide how long my
> certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a
> warning describing the consequences of the security vulnerabilities.
>
> Most jmeter users, I feel will be in a position to judge the security risk
> themselves and use the certificate accordingly.
>
> Sent from my iPhone
>
> > On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
> >
> >
> >
> >> On 19/07/2018 11:03, Philippe Mouawad wrote:
> >>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
> >>>
> >>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
> >>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
> >>>>
> >>>>> On 19 July 2018 at 10:28, Philippe Mouawad <philippe.mouawad@gmail.com> wrote:
> >>>>>> Hello sebb,
> >>>>>>
> >>>>>> Yes users can change, but once again, it means adjusting defaults,
> >>>>>> knowing they can be adjusted and which property it is.
> >>>>> That can be documented.
> >>>>>
> >>>> Which means all users read the whole documentation, do you think they do?
> >>>> I guess you know the famous RTFM :-)
> >>>>
> >>>>
> >>>>>> Why not make defaults better for usability ?
> >>>>> Because it compromises security.
> >>>>>
> >>>> Can you give more details ?
> >>> The point of a CA is to certify that a certificate chain is valid.
> >>> Locally generated CA certs do not do this.
> >>> Once the cert has been approved by the browser, it can be used to
> >>> certify anything, including a spoof bank site etc.
> >>>
> >>> JMeter users may not understand that, and so may not take sufficient
> >>> care of the certificate and its password.
> >>> Or they may forget that the cert has been added to the browser.
> >>>
> >>> Even some official CAs have inadvertently exposed their certs.
> >>>
> >>> I don't think we should ship JMeter with deliberately weak settings.
> >>>
> >>> Yes it may be inconvenient, but it is deliberately done to minimise
> >>> the effects of accidental certificate exposure.
> >>>
> >>> Users that understand the risks can override the setting, but that is
> >>> at their own risk.
> >>>
> >>> Remember that once the browser has stored the CA, it will be active
> >>> regardless of whether JMeter is actually being used.
> >>> So the sooner it expires, the safer it is.
> >>> Maybe a week is too *long*.
> >>>
> >> I am aware of that, but it means attacker has accessed the machine of user
> >> to get the CA.
> >> So the JMeter side is only a consequence, not root cause
> >
> >
> > The risk is the same if the duration is 7 days or 3 months, because the
> > attacker needs to have access to the private key of the temp JMeter CA root
> > to generate some fake cert signed by the CA. This private key is on the
> > machine (keystore.jks)
> > And if an attacker already has access to the machine, it can add
> > directly another CA (not JMeter CA) into the certs vault on the machine, to
> > make some malicious operations...
> >
> > 3 months seems good for me (this is the mean duration for my load test
> > missions)
> >
> >
> >
> >
> >
> >>
> >>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
> >>>>>> Is it really a blocker for you ? if yes why ?
> >>>>> As above.
> >>>>>
> >>>>>> @Others what's your opinion ?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> It's a trade-off between convenience and security.
> >>>>>>>
> >>>>>>> It's risky adding the certificate to the browser.
> >>>>>>>
> >>>>>>> I don't think the default should be changed.
> >>>>>>>
> >>>>>>> Users can always change it themselves if they accept the risks.
> >>>>>>> E.g. if they use a separate browser installation that has the certificate,
> >>>>>>> then a longer validity is more sensible.
> >>>>>>> It's too easy to forget that the cert has been added to the browser.
> >>>>>>>
> >>>>>>> S.
> >>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra0077@gmail.com> wrote:
> >>>>>>>> +1 for me
> >>>>>>>>
> >>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hello,
> >>>>>>>>> Currently :
> >>>>>>>>>
> >>>>>>>>>    - proxy.cert.validity=7
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
> >>>>>>>>> certificate to the browser every week.
> >>>>>>>>>
> >>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Philippe
> >>>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards.
> >>>>>> Philippe Mouawad.
> >>>>
> >>>>
> >>>> --
> >>>> Regards.
> >>>> Philippe Mouawad.
> >>
> >>
> >
>



-- 
Regards.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Srijon Das <sr...@gmail.com>.
As a longtime jmeter user, I would like the option to decide how long my certificates will be valid, 1 week, 2 weeks, 3 weeks etc.  And perhaps a warning describing the consequences of the security vulnerabilities.

Most jmeter users, I feel will be in a position to judge the security risk themselves and use the certificate accordingly.

Sent from my iPhone

> On Jul 19, 2018, at 4:06 AM, Milamber <mi...@apache.org> wrote:
> 
> 
> 
>> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>> 
>>> On 19 July 2018 at 10:34, Philippe Mouawad <ph...@gmail.com>
>>> wrote:
>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>> 
>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
>>>>> wrote:
>>>>>> Hello sebb,
>>>>>> 
>>>>>> Yes users can change, but once again, it means adjusting defaults,
>>>>>> knowing they can be adjusted and which property it is.
>>>>> That can be documented.
>>>>> 
>>>> Which means all users read the whole documentation, do you think they do?
>>>> I guess you know the famous RTFM :-)
>>>> 
>>>> 
>>>>>> Why not make defaults better for usability ?
>>>>> Because it compromises security.
>>>>> 
>>>> Can you give more details ?
>>> The point of a CA is to certify that a certificate chain is valid.
>>> Locally generated CA certs do not do this.
>>> Once the cert has been approved by the browser, it can be used to
>>> certify anything, including a spoof bank site etc.
>>> 
>>> JMeter users may not understand that, and so may not take sufficient
>>> care of the certificate and its password.
>>> Or they may forget that the cert has been added to the browser.
>>> 
>>> Even some official CAs have inadvertently exposed their certs.
>>> 
>>> I don't think we should ship JMeter with deliberately weak settings.
>>> 
>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>> the effects of accidental certificate exposure.
>>> 
>>> Users that understand the risks can override the setting, but that is
>>> at their own risk.
>>> 
>>> Remember that once the browser has stored the CA, it will be active
>>> regardless of whether JMeter is actually being used.
>>> So the sooner it expires, the safer it is.
>>> Maybe a week is too *long*.
>>> 
>> I am aware of that, but it means attacker has accessed the machine of user
>> to get the CA.
>> So the JMeter side is only a consequence, not root cause
> 
> 
> The risk is the same if the duration is 7 days or 3 months, because the attacker needs to have access to the private key of the temp JMeter CA root to generate some fake cert signed by the CA. This private key is on the machine (keystore.jks)
> And if an attacker already has access to the machine, it can add directly another CA (not JMeter CA) into the certs vault on the machine, to make some malicious operations...
> 
> 3 months seems good for me (this is the mean duration for my load test missions)
> 
> 
> 
> 
> 
>> 
>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>> Is it really a blocker for you ? if yes why ?
>>>>> As above.
>>>>> 
>>>>>> @Others what's your opinion ?
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>> 
>>>>>>> It's a trade-off between convenience and security.
>>>>>>> 
>>>>>>> It's risky adding the certificate to the browser.
>>>>>>> 
>>>>>>> I don't think the default should be changed.
>>>>>>> 
>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>> E.g. if they use a separate browser installation that has the certificate,
>>>>>>> then a longer validity is more sensible.
>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>> 
>>>>>>> S.
>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
>>>>>>> wrote:
>>>>>>>> +1 for me
>>>>>>>> 
>>>>>>>> On Thu. 19 Jul. 2018 at 10:27, Philippe Mouawad <p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> Currently :
>>>>>>>>> 
>>>>>>>>>    - proxy.cert.validity=7
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
>>>>>>>>> certificate to the browser every week.
>>>>>>>>> 
>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>> 
>>>>>>>>> Regards
>>>>>>>>> Philippe
>>>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Regards.
>>>>>> Philippe Mouawad.
>>>> 
>>>> 
>>>> --
>>>> Regards.
>>>> Philippe Mouawad.
>> 
>> 
> 
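
The validity-window argument quoted in this message can be checked directly: sebb's point that a root CA installed in the browser stays active whether or not JMeter is running, so the sooner it expires the safer, and Milamber's point that the damage needs the CA private key sitting in keystore.jks. The Go program below is an added example for this thread, not JMeter's own code. It generates a constructed self-signed root CA valid for validityDays days (the role proxy.cert.validity plays for the JMeter root CA), signs a one-year leaf certificate for a constructed host name with that CA the way a recording proxy does for each intercepted site, and asks a browser-like verifier whether the chain is trusted on several dates. The CA name, host name and function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; they are not JMeter's own.
const (
	caName = "Example Recording Proxy Root CA (constructed)"
	host   = "shop.example"
)

// newCA builds a self-signed root CA valid for validityDays days from
// notBefore, the role proxy.cert.validity plays for the JMeter root CA.
func newCA(notBefore time.Time, validityDays int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(validityDays) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate for name, signed with the CA key,
// as the proxy does for every site it intercepts. Its own window may be
// longer than the root's; chain validation still bounds it by the root.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, notBefore time.Time, validityDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(validityDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedAt answers the browser's question: with ca in the trust store,
// does leaf verify for name at time at? Every certificate in the chain
// must be inside its validity window, so an expired root rejects a leaf
// that is otherwise still in date.
func trustedAt(ca, leaf *x509.Certificate, name string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     name,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// exposureWindowDays is how long a root CA that was installed in a
// browser and then forgotten stays usable by anyone holding its key.
func exposureWindowDays(ca *x509.Certificate) int {
	return int(ca.NotAfter.Sub(ca.NotBefore).Hours() / 24)
}

func main() {
	start := time.Date(2018, time.July, 19, 0, 0, 0, 0, time.UTC)
	for _, days := range []int{7, 90} {
		ca, caKey, err := newCA(start, days)
		if err != nil {
			panic(err)
		}
		leaf, err := newLeaf(ca, caKey, host, start, 365) // leaf outlives the root
		if err != nil {
			panic(err)
		}
		fmt.Printf("root valid %2d days: trusted on day 3: %-5v on day 30: %v\n",
			exposureWindowDays(ca),
			trustedAt(ca, leaf, host, start.AddDate(0, 0, 3)),
			trustedAt(ca, leaf, host, start.AddDate(0, 0, 30)))
	}
}
```

With a 7-day root the one-year leaf stops verifying on day 30 even though the leaf itself is still in date; under a 90-day root the same leaf is still trusted on day 30. That difference is the exposure window the default trades against convenience. The same newLeaf path is what makes custody of the key in keystore.jks matter as much as the validity: whoever holds that key can mint leaves for any name for as long as the root is trusted.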

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
Hello,
Can you please do that ?

Thank you

On Thu, Jul 19, 2018 at 4:25 PM, sebb <se...@gmail.com> wrote:

> On 19 July 2018 at 12:06, Milamber <mi...@apache.org> wrote:
> >
> >
> > On 19/07/2018 11:03, Philippe Mouawad wrote:
> >>
> >> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
> >>
> >>> On 19 July 2018 at 10:34, Philippe Mouawad <philippe.mouawad@gmail.com
> >
> >>> wrote:
> >>>>
> >>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
> >>>>
> >>>>> On 19 July 2018 at 10:28, Philippe Mouawad <
> philippe.mouawad@gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> Hello sebb,
> >>>>>>
> >>>>>> Yes users can change, but once again, it means adjusting defaults,
> >>>>>
> >>>>> knowing
> >>>>>>
> >>>>>> they can be adjusted and which property it is.
> >>>>>
> >>>>> That can be documented.
> >>>>>
> >>>> Which means all users read the whole documentation, do you think they
> do
> >>>
> >>> ?
> >>>>
> >>>> I guess you know the famous RTFM :-)
> >>>>
> >>>>
> >>>>>> Why not make defaults better for usability ?
> >>>>>
> >>>>> Because it compromises security.
> >>>>>
> >>>> Can you give more details ?
> >>>
> >>> The point of a CA is to certify that a certificate chain is valid.
> >>> Locally generated CA certs do not do this.
> >>> Once the cert has been approved by the browser, it can be used to
> >>> certify anything, including a spoof bank site etc.
> >>>
> >>> JMeter users may not understand that, and so may not take sufficient
> >>> care of the certificate and its password.
> >>> Or they may forget that the cert has been added to the browser.
> >>>
> >>> Even some official CAs have inadvertently exposed their certs.
> >>>
> >>> I don't think we should ship JMeter with deliberately weak settings.
> >>>
> >>> Yes it may be inconvenient, but it is deliberately done to minimise
> >>> the effects of accidental certificate exposure.
> >>>
> >>> Users that understand the risks can override the setting, but that is
> >>> at their own risk.
> >>>
> >>> Remember that once the browser has stored the CA, it will be active
> >>> regardless of whether JMeter is actually being used.
> >>> So the sooner it expires, the safer it is.
> >>> Maybe a week is too *long*.
> >>>
> >> I am aware of that, but it means attacker has accessed the machine of
> user
> >> to get the CA.
> >> So the JMeter side is only a consequence, not root cause
> >
> >
> >
> > The risk is the same if the duration is 7 days or 3 months, because the
> > attacker needs access to the private key of the temporary JMeter CA root
> > to generate fake certs signed by the CA. This private key is on the
> > machine (keystore.jks).
> > And if an attacker already has access to the machine, they can add
> > another CA (not the JMeter CA) directly into the certs vault on the machine
> > to perform malicious operations...
>
> It is quite a bit harder to update the browser cert vault than it is
> to grab a file or two from the JMeter home directory.
> That can be done by a malicious JMX file.
>
> Since it looks like we will not get consensus I suggest we ask the
> security@ mailing list what is the best approach here.
>
> > 3 months seems good for me (this is the mean duration for my load test
> > missions)
> >
> >
> >
> >
> >
> >
> >>
> >>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
> >>>>>> Is it really a blocker for you ? if yes why ?
> >>>>>
> >>>>> As above.
> >>>>>
> >>>>>> @Others what's your opinion ?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
> >>>>>>
> >>>>>>> It's a trade-off between convenience and security.
> >>>>>>>
> >>>>>>> It's risky adding the certificate to the browser.
> >>>>>>>
> >>>>>>> I don't think the default should be changed.
> >>>>>>>
> >>>>>>> Users can always change it themselves if they accept the risks.
> >>>>>>> E.g. if they use a separate browser installation that has
> >>>
> >>> certificate,
> >>>>>>>
> >>>>>>> then a longer validity is more sensible.
> >>>>>>> It's too easy to forget that the cert has been added to the
> browser.
> >>>>>>>
> >>>>>>> S.
> >>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <
> ra0077@gmail.com>
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> +1 for me
> >>>>>>>>
> >>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
> >>>>>>>> p.mouawad@ubik-ingenierie.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hello,
> >>>>>>>>> Currently :
> >>>>>>>>>
> >>>>>>>>>     - proxy.cert.validity=7
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> This is annoying for users who must remember to add the ROOT
> >>>
> >>> JMeter
> >>>>>>>>>
> >>>>>>>>> certificate to browser every week .
> >>>>>>>>>
> >>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Philippe
> >>>>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Cordialement.
> >>>>>> Philippe Mouawad.
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Cordialement.
> >>>> Philippe Mouawad.
> >>
> >>
> >>
> >
>



-- 
Cordialement.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 19 July 2018 at 12:06, Milamber <mi...@apache.org> wrote:
>
>
> On 19/07/2018 11:03, Philippe Mouawad wrote:
>>
>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>>
>>> On 19 July 2018 at 10:34, Philippe Mouawad <ph...@gmail.com>
>>> wrote:
>>>>
>>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>>
>>>>> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Hello sebb,
>>>>>>
>>>>>> Yes users can change, but once again, it means adjusting defaults,
>>>>>
>>>>> knowing
>>>>>>
>>>>>> they can be adjusted and which property it is.
>>>>>
>>>>> That can be documented.
>>>>>
>>>> Which means all users read the whole documentation, do you think they do
>>>
>>> ?
>>>>
>>>> I guess you know the famous RTFM :-)
>>>>
>>>>
>>>>>> Why not make defaults better for usability ?
>>>>>
>>>>> Because it compromises security.
>>>>>
>>>> Can you give more details ?
>>>
>>> The point of a CA is to certify that a certificate chain is valid.
>>> Locally generated CA certs do not do this.
>>> Once the cert has been approved by the browser, it can be used to
>>> certify anything, including a spoof bank site etc.
>>>
>>> JMeter users may not understand that, and so may not take sufficient
>>> care of the certificate and its password.
>>> Or they may forget that the cert has been added to the browser.
>>>
>>> Even some official CAs have inadvertently exposed their certs.
>>>
>>> I don't think we should ship JMeter with deliberately weak settings.
>>>
>>> Yes it may be inconvenient, but it is deliberately done to minimise
>>> the effects of accidental certificate exposure.
>>>
>>> Users that understand the risks can override the setting, but that is
>>> at their own risk.
>>>
>>> Remember that once the browser has stored the CA, it will be active
>>> regardless of whether JMeter is actually being used.
>>> So the sooner it expires, the safer it is.
>>> Maybe a week is too *long*.
>>>
>> I am aware of that, but it means attacker has accessed the machine of user
>> to get the CA.
>> So the JMeter side is only a consequence, not root cause
>
>
>
> The risk is the same if the duration is 7 days or 3 months, because the
> attacker needs access to the private key of the temporary JMeter CA root
> to generate fake certs signed by the CA. This private key is on the
> machine (keystore.jks).
> And if an attacker already has access to the machine, they can add
> another CA (not the JMeter CA) directly into the certs vault on the machine
> to perform malicious operations...

It is quite a bit harder to update the browser cert vault than it is
to grab a file or two from the JMeter home directory.
That can be done by a malicious JMX file.

Since it looks like we will not get consensus, I suggest we ask the
security@ mailing list what the best approach is here.

> 3 months seems good for me (this is the mean duration for my load test
> missions)
>
>
>
>
>
>
>>
>>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>>> Is it really a blocker for you ? if yes why ?
>>>>>
>>>>> As above.
>>>>>
>>>>>> @Others what's your opinion ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>>
>>>>>>> It's a trade-off between convenience and security.
>>>>>>>
>>>>>>> It's risky adding the certificate to the browser.
>>>>>>>
>>>>>>> I don't think the default should be changed.
>>>>>>>
>>>>>>> Users can always change it themselves if they accept the risks.
>>>>>>> E.g. if they use a separate browser installation that has
>>>
>>> certificate,
>>>>>>>
>>>>>>> then a longer validity is more sensible.
>>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>>
>>>>>>> S.
>>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> +1 for me
>>>>>>>>
>>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
>>>>>>>> p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>> Currently :
>>>>>>>>>
>>>>>>>>>     - proxy.cert.validity=7
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is annoying for users who must remember to add the ROOT
>>>
>>> JMeter
>>>>>>>>>
>>>>>>>>> certificate to browser every week .
>>>>>>>>>
>>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Philippe
>>>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Cordialement.
>>>>>> Philippe Mouawad.
>>>>
>>>>
>>>>
>>>> --
>>>> Cordialement.
>>>> Philippe Mouawad.
>>
>>
>>
>

Re: Increase validity duration of JMeter Root CA

Posted by Milamber <mi...@apache.org>.

On 19/07/2018 11:03, Philippe Mouawad wrote:
> On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:
>
>> On 19 July 2018 at 10:34, Philippe Mouawad <ph...@gmail.com>
>> wrote:
>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>>>
>>>> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
>>>> wrote:
>>>>> Hello sebb,
>>>>>
>>>>> Yes users can change, but once again, it means adjusting defaults,
>>>> knowing
>>>>> they can be adjusted and which property it is.
>>>> That can be documented.
>>>>
>>> Which means all users read the whole documentation, do you think they do
>> ?
>>> I guess you know the famous RTFM :-)
>>>
>>>
>>>>> Why not make defaults better for usability ?
>>>> Because it compromises security.
>>>>
>>> Can you give more details ?
>> The point of a CA is to certify that a certificate chain is valid.
>> Locally generated CA certs do not do this.
>> Once the cert has been approved by the browser, it can be used to
>> certify anything, including a spoof bank site etc.
>>
>> JMeter users may not understand that, and so may not take sufficient
>> care of the certificate and its password.
>> Or they may forget that the cert has been added to the browser.
>>
>> Even some official CAs have inadvertently exposed their certs.
>>
>> I don't think we should ship JMeter with deliberately weak settings.
>>
>> Yes it may be inconvenient, but it is deliberately done to minimise
>> the effects of accidental certificate exposure.
>>
>> Users that understand the risks can override the setting, but that is
>> at their own risk.
>>
>> Remember that once the browser has stored the CA, it will be active
>> regardless of whether JMeter is actually being used.
>> So the sooner it expires, the safer it is.
>> Maybe a week is too *long*.
>>
> I am aware of that, but it means attacker has accessed the machine of user
> to get the CA.
> So the JMeter side is only a consequence, not root cause


The risk is the same if the duration is 7 days or 3 months, because the
attacker needs access to the private key of the temporary JMeter CA
root to generate fake certs signed by the CA. This private key is on
the machine (keystore.jks).
And if an attacker already has access to the machine, they can add
another CA (not the JMeter CA) directly into the certs vault on the machine
to perform malicious operations...

3 months seems good for me (this is the mean duration for my load test 
missions)





>
>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
>>>>> Is it really a blocker for you ? if yes why ?
>>>> As above.
>>>>
>>>>> @Others what's your opinion ?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>>>>>
>>>>>> It's a trade-off between convenience and security.
>>>>>>
>>>>>> It's risky adding the certificate to the browser.
>>>>>>
>>>>>> I don't think the default should be changed.
>>>>>>
>>>>>> Users can always change it themselves if they accept the risks.
>>>>>> E.g. if they use a separate browser installation that has
>> certificate,
>>>>>> then a longer validity is more sensible.
>>>>>> It's too easy to forget that the cert has been added to the browser.
>>>>>>
>>>>>> S.
>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
>>>>>> wrote:
>>>>>>> +1 for me
>>>>>>>
>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
>>>>>>> p.mouawad@ubik-ingenierie.com> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>> Currently :
>>>>>>>>
>>>>>>>>     - proxy.cert.validity=7
>>>>>>>>
>>>>>>>>
>>>>>>>> This is annoying for users who must remember to add the ROOT
>> JMeter
>>>>>>>> certificate to browser every week .
>>>>>>>>
>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Philippe
>>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Cordialement.
>>>>> Philippe Mouawad.
>>>
>>>
>>> --
>>> Cordialement.
>>> Philippe Mouawad.
>
>


Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
On Thu, Jul 19, 2018 at 11:56 AM, sebb <se...@gmail.com> wrote:

> On 19 July 2018 at 10:34, Philippe Mouawad <ph...@gmail.com>
> wrote:
> > On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
> >
> >> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
> >> wrote:
> >> > Hello sebb,
> >> >
> >> > Yes users can change, but once again, it means adjusting defaults,
> >> knowing
> >> > they can be adjusted and which property it is.
> >>
> >> That can be documented.
> >>
> >
> > Which means all users read the whole documentation, do you think they do
> ?
> > I guess you know the famous RTFM :-)
> >
> >
> >> > Why not make defaults better for usability ?
> >>
> >> Because it compromises security.
> >>
> >
> > Can you give more details ?
>
> The point of a CA is to certify that a certificate chain is valid.
> Locally generated CA certs do not do this.
> Once the cert has been approved by the browser, it can be used to
> certify anything, including a spoof bank site etc.
>
> JMeter users may not understand that, and so may not take sufficient
> care of the certificate and its password.
> Or they may forget that the cert has been added to the browser.
>
> Even some official CAs have inadvertently exposed their certs.
>
> I don't think we should ship JMeter with deliberately weak settings.
>
> Yes it may be inconvenient, but it is deliberately done to minimise
> the effects of accidental certificate exposure.
>
> Users that understand the risks can override the setting, but that is
> at their own risk.
>
> Remember that once the browser has stored the CA, it will be active
> regardless of whether JMeter is actually being used.
> So the sooner it expires, the safer it is.
> Maybe a week is too *long*.
>

I am aware of that, but it means the attacker has accessed the user's machine
to get the CA.
So the JMeter side is only a consequence, not the root cause.

>
> >
> >>
> >> > It looks like 3 months would be good for Bruno, Antonio, me.
> >> > Is it really a blocker for you ? if yes why ?
> >>
> >> As above.
> >>
> >> > @Others what's your opinion ?
> >> >
> >> > Thanks
> >> >
> >> >
> >> >
> >> > On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
> >> >
> >> >> It's a trade-off between convenience and security.
> >> >>
> >> >> It's risky adding the certificate to the browser.
> >> >>
> >> >> I don't think the default should be changed.
> >> >>
> >> >> Users can always change it themselves if they accept the risks.
> >> >> E.g. if they use a separate browser installation that has
> certificate,
> >> >> then a longer validity is more sensible.
> >> >> It's too easy to forget that the cert has been added to the browser.
> >> >>
> >> >> S.
> >> >> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
> >> >> wrote:
> >> >> > +1 for me
> >> >> >
> >> >> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
> >> >> > p.mouawad@ubik-ingenierie.com> wrote:
> >> >> >
> >> >> >> Hello,
> >> >> >> Currently :
> >> >> >>
> >> >> >>    - proxy.cert.validity=7
> >> >> >>
> >> >> >>
> >> >> >> This is annoying for users who must remember to add the ROOT
> JMeter
> >> >> >> certificate to browser every week .
> >> >> >>
> >> >> >> I would suggest setting it to 1 year or at least 1 month.
> >> >> >>
> >> >> >> Regards
> >> >> >> Philippe
> >> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Cordialement.
> >> > Philippe Mouawad.
> >>
> >
> >
> >
> > --
> > Cordialement.
> > Philippe Mouawad.
>



-- 
Cordialement.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 19 July 2018 at 10:34, Philippe Mouawad <ph...@gmail.com> wrote:
> On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:
>
>> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
>> wrote:
>> > Hello sebb,
>> >
>> > Yes users can change, but once again, it means adjusting defaults,
>> knowing
>> > they can be adjusted and which property it is.
>>
>> That can be documented.
>>
>
> Which means all users read the whole documentation, do you think they do ?
> I guess you know the famous RTFM :-)
>
>
>> > Why not make defaults better for usability ?
>>
>> Because it compromises security.
>>
>
> Can you give more details ?

The point of a CA is to certify that a certificate chain is valid.
Locally generated CA certs do not do this.
Once the cert has been approved by the browser, it can be used to
certify anything, including a spoof bank site etc.

JMeter users may not understand that, and so may not take sufficient
care of the certificate and its password.
Or they may forget that the cert has been added to the browser.

Even some official CAs have inadvertently exposed their certs.

I don't think we should ship JMeter with deliberately weak settings.

Yes it may be inconvenient, but it is deliberately done to minimise
the effects of accidental certificate exposure.

Users that understand the risks can override the setting, but that is
at their own risk.

Remember that once the browser has stored the CA, it will be active
regardless of whether JMeter is actually being used.
So the sooner it expires, the safer it is.
Maybe a week is too *long*.

>
>>
>> > It looks like 3 months would be good for Bruno, Antonio, me.
>> > Is it really a blocker for you ? if yes why ?
>>
>> As above.
>>
>> > @Others what's your opinion ?
>> >
>> > Thanks
>> >
>> >
>> >
>> > On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>> >
>> >> It's a trade-off between convenience and security.
>> >>
>> >> It's risky adding the certificate to the browser.
>> >>
>> >> I don't think the default should be changed.
>> >>
>> >> Users can always change it themselves if they accept the risks.
>> >> E.g. if they use a separate browser installation that has certificate,
>> >> then a longer validity is more sensible.
>> >> It's too easy to forget that the cert has been added to the browser.
>> >>
>> >> S.
>> >> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
>> >> wrote:
>> >> > +1 for me
>> >> >
>> >> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
>> >> > p.mouawad@ubik-ingenierie.com> wrote:
>> >> >
>> >> >> Hello,
>> >> >> Currently :
>> >> >>
>> >> >>    - proxy.cert.validity=7
>> >> >>
>> >> >>
>> >> >> This is annoying for users who must remember to add the ROOT JMeter
>> >> >> certificate to browser every week .
>> >> >>
>> >> >> I would suggest setting it to 1 year or at least 1 month.
>> >> >>
>> >> >> Regards
>> >> >> Philippe
>> >> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Cordialement.
>> > Philippe Mouawad.
>>
>
>
>
> --
> Cordialement.
> Philippe Mouawad.
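
The exposure window sebb describes above (the CA stays trusted for its whole validity period, whether or not the recording proxy is still running) can be made visible by auditing the trust store. The following Go program is an added example for this thread, not JMeter code: it generates throwaway CA certificates with the two validity windows under discussion (7 and 90 days) plus a constructed long-lived public-style root, then scans the resulting PEM bundle and reports every local CA that is still trusted at a given date, marking those issued with a longer window than a policy limit allows. The subject marker `Local Recording Proxy CA`, the 7-day policy constant and all three certificates are constructed for the example; JMeter's real CA subject name is not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// LocalCAMarker is a constructed substring used to recognise the recording
// proxy's own root CA in a bundle; adjust it to the real subject name.
const LocalCAMarker = "Local Recording Proxy CA"

// MaxLocalCADays is the policy limit for a local CA's validity window; it
// mirrors the proxy.cert.validity=7 default discussed in the thread.
const MaxLocalCADays = 7

// Finding is one still-trusted local CA reported by the audit.
type Finding struct {
	Subject      string
	ValidityDays int // notAfter - notBefore, in whole days
	DaysLeft     int // days until the browser stops trusting it
	Reason       string
}

// NewThrowawayCA builds a self-signed CA certificate valid for validityDays
// from notBefore, as a recording proxy does for its root. The private key is
// discarded: for the trust-store view only the certificate matters.
func NewThrowawayCA(commonName string, validityDays int, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(validityDays) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleBundle constructs the demo bundle: local CAs with the 7-day and
// 90-day windows debated in the thread, plus one long-lived public-style
// root. All three are generated here; none is a real CA.
func BuildSampleBundle(notBefore time.Time) ([]byte, error) {
	specs := []struct {
		cn   string
		days int
	}{
		{LocalCAMarker + " (7 day)", 7},
		{LocalCAMarker + " (90 day)", 90},
		{"Example Corp Public Root (constructed)", 3650},
	}
	var bundle []byte
	for _, s := range specs {
		p, err := NewThrowawayCA(s.cn, s.days, notBefore)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

// AuditTrustBundle walks a PEM bundle (as exported from a browser or OS trust
// store) and reports every local CA still trusted at `now`, flagging those
// issued with a window longer than MaxLocalCADays. Expired ones are skipped:
// the browser no longer accepts them, which is what the short default buys.
func AuditTrustBundle(bundle []byte, now time.Time, marker string) ([]Finding, error) {
	var findings []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !cert.IsCA || !strings.Contains(cert.Subject.CommonName, marker) {
			continue // only locally generated CAs are in scope
		}
		if !now.Before(cert.NotAfter) {
			continue // already expired
		}
		f := Finding{
			Subject:      cert.Subject.CommonName,
			ValidityDays: int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
			DaysLeft:     int(cert.NotAfter.Sub(now).Hours() / 24),
			Reason:       "local CA still trusted (within policy)",
		}
		if f.ValidityDays > MaxLocalCADays {
			f.Reason = "local CA validity exceeds policy"
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func main() {
	start := time.Date(2018, 7, 19, 0, 0, 0, 0, time.UTC)
	bundle, err := BuildSampleBundle(start)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Audit one day after the CAs were created, then a month after the
	// recording session is long over.
	for _, now := range []time.Time{start.Add(24 * time.Hour), start.Add(30 * 24 * time.Hour)} {
		findings, err := AuditTrustBundle(bundle, now, LocalCAMarker)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("audit at %s: %d finding(s)\n", now.Format("2006-01-02"), len(findings))
		for _, f := range findings {
			fmt.Printf("  %-36s window=%4dd left=%4dd  %s\n", f.Subject, f.ValidityDays, f.DaysLeft, f.Reason)
		}
	}
}
```

To run this against a real export, replace the bytes from BuildSampleBundle with the exported bundle file and set the marker to the CA's actual subject. The two audit dates make the thread's point concrete: a month after the session, the 7-day CA has silently dropped out of the trust store, while the 90-day one is still accepted for another two months.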

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
On Thu, Jul 19, 2018 at 11:31 AM, sebb <se...@gmail.com> wrote:

> On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com>
> wrote:
> > Hello sebb,
> >
> > Yes users can change, but once again, it means adjusting defaults,
> knowing
> > they can be adjusted and which property it is.
>
> That can be documented.
>

Which means all users read the whole documentation; do you think they do?
I guess you know the famous RTFM :-)


> > Why not make defaults better for usability ?
>
> Because it compromises security.
>

Can you give more details?


>
> > It looks like 3 months would be good for Bruno, Antonio, me.
> > Is it really a blocker for you ? if yes why ?
>
> As above.
>
> > @Others what's your opinion ?
> >
> > Thanks
> >
> >
> >
> > On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
> >
> >> It's a trade-off between convenience and security.
> >>
> >> It's risky adding the certificate to the browser.
> >>
> >> I don't think the default should be changed.
> >>
> >> Users can always change it themselves if they accept the risks.
> >> E.g. if they use a separate browser installation that has certificate,
> >> then a longer validity is more sensible.
> >> It's too easy to forget that the cert has been added to the browser.
> >>
> >> S.
> >> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
> >> wrote:
> >> > +1 for me
> >> >
> >> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
> >> > p.mouawad@ubik-ingenierie.com> wrote:
> >> >
> >> >> Hello,
> >> >> Currently :
> >> >>
> >> >>    - proxy.cert.validity=7
> >> >>
> >> >>
> >> >> This is annoying for users who must remember to add the ROOT JMeter
> >> >> certificate to browser every week .
> >> >>
> >> >> I would suggest setting it to 1 year or at least 1 month.
> >> >>
> >> >> Regards
> >> >> Philippe
> >> >>
> >>
> >
> >
> >
> > --
> > Cordialement.
> > Philippe Mouawad.
>



-- 
Cordialement.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
On 19 July 2018 at 10:28, Philippe Mouawad <ph...@gmail.com> wrote:
> Hello sebb,
>
> Yes users can change, but once again, it means adjusting defaults, knowing
> they can be adjusted and which property it is.

That can be documented.

> Why not make defaults better for usability ?

Because it compromises security.

> It looks like 3 months would be good for Bruno, Antonio, me.
> Is it really a blocker for you ? if yes why ?

As above.

> @Others what's your opinion ?
>
> Thanks
>
>
>
> On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:
>
>> It's a trade-off between convenience and security.
>>
>> It's risky adding the certificate to the browser.
>>
>> I don't think the default should be changed.
>>
>> Users can always change it themselves if they accept the risks.
>> E.g. if they use a separate browser installation that has certificate,
>> then a longer validity is more sensible.
>> It's too easy to forget that the cert has been added to the browser.
>>
>> S.
>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
>> wrote:
>> > +1 for me
>> >
>> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
>> > p.mouawad@ubik-ingenierie.com> wrote:
>> >
>> >> Hello,
>> >> Currently :
>> >>
>> >>    - proxy.cert.validity=7
>> >>
>> >>
>> >> This is annoying for users who must remember to add the ROOT JMeter
>> >> certificate to browser every week .
>> >>
>> >> I would suggest setting it to 1 year or at least 1 month.
>> >>
>> >> Regards
>> >> Philippe
>> >>
>>
>
>
>
> --
> Cordialement.
> Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by Philippe Mouawad <ph...@gmail.com>.
Hello sebb,

Yes, users can change it, but once again, it means adjusting defaults, knowing
they can be adjusted and which property it is.

Why not make defaults better for usability?

It looks like 3 months would be good for Bruno, Antonio and me.
Is it really a blocker for you? If yes, why?

@Others what's your opinion?

Thanks



On Thu, Jul 19, 2018 at 10:55 AM, sebb <se...@gmail.com> wrote:

> It's a trade-off between convenience and security.
>
> It's risky adding the certificate to the browser.
>
> I don't think the default should be changed.
>
> Users can always change it themselves if they accept the risks.
> E.g. if they use a separate browser installation that has certificate,
> then a longer validity is more sensible.
> It's too easy to forget that the cert has been added to the browser.
>
> S.
> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com>
> wrote:
> > +1 for me
> >
> > On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
> > p.mouawad@ubik-ingenierie.com> wrote:
> >
> >> Hello,
> >> Currently :
> >>
> >>    - proxy.cert.validity=7
> >>
> >>
> >> This is annoying for users who must remember to add the ROOT JMeter
> >> certificate to browser every week .
> >>
> >> I would suggest setting it to 1 year or at least 1 month.
> >>
> >> Regards
> >> Philippe
> >>
>



-- 
Cordialement.
Philippe Mouawad.

Re: Increase validity duration of JMeter Root CA

Posted by sebb <se...@gmail.com>.
It's a trade-off between convenience and security.

It's risky adding the certificate to the browser.

I don't think the default should be changed.

Users can always change it themselves if they accept the risks.
E.g. if they use a separate browser installation that has the certificate,
then a longer validity is more sensible.
It's too easy to forget that the cert has been added to the browser.

S.
On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <ra...@gmail.com> wrote:
> +1 for me
>
> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
> p.mouawad@ubik-ingenierie.com> wrote:
>
>> Hello,
>> Currently :
>>
>>    - proxy.cert.validity=7
>>
>>
>> This is annoying for users who must remember to add the ROOT JMeter
>> certificate to browser every week .
>>
>> I would suggest setting it to 1 year or at least 1 month.
>>
>> Regards
>> Philippe
>>

Re: Increase validity duration of JMeter Root CA

Posted by Antonio Gomes Rodrigues <ra...@gmail.com>.
+1 for me

On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <
p.mouawad@ubik-ingenierie.com> wrote:

> Hello,
> Currently :
>
>    - proxy.cert.validity=7
>
>
> This is annoying for users who must remember to add the ROOT JMeter
> certificate to browser every week .
>
> I would suggest setting it to 1 year or at least 1 month.
>
> Regards
> Philippe
>