Forum Discussion
Ability to save passwords for sites with invalid SSL certs
I just ran across this after upgrading to the newest version of M$ Edge, which apparently uses some sort of Chromium open source code as its base. Now sites with invalid SSL certs, because they were self-signed, are not allowed to remember username or password or save auto-login feature. This is a pain in the **bleep**, as I now have to use a different browser, or obtain valid certificates for everything I manage, which may be internal, and not exactly require a CA-signed cert. This needs to be fixed or more flexible. I even imported the self-signed cert into the user and machine certificate stores under trusted CA certificates, and it doesn't change behavior. Major PIA! It would be well-intentioned if I made you recite a secret password before you could use a key in your house door, so your house could verify it was you who had the key, but I don't think you would like me for my well-intentioned security overtures!
- goodwill1120, Feb 28, 2021, Copper Contributor
Eric_Lawrence We are not asking for a workaround. Of course I know making my cert valid is going to solve this. The problem is there are plenty of reasons why the cert is invalid and they can be perfectly intentional (or I should say not something I consider I need to fix), so why block a feature when I know what I am really doing?
- Eric_Lawrence, Feb 28, 2021, Microsoft
goodwill1120: As noted immediately above, not everyone recognized that a workaround is available, and some are delighted to have one.
The problem isn't the scenario where you have decided not to fix the security threat; the problem is the scenario where the user is actively under attack and does not recognize the implications of, say, clicking through a certificate error "just to see". You can follow the conversation in https://crbug.com/431618.
- adipose, May 06, 2023, Brass Contributor
And how does refusing to save the password mitigate the risk of that scenario?
- wr-pdx, Feb 25, 2021, Copper Contributor
Eric_Lawrence thx Eric! I confirmed this works now, per your advice! I had a typo in the name of the cert and reissued it as a self-signed cert (non-CA cert). Next I imported it into the local user | Trusted Root Certification Authorities under Windows 10. And it works as expected, prompting to save passwords! Many thx, this will save me quite a bit of frustration. I don't think the guys over here know this:
431618 - Google Chrome does not offer to save password for https with unverified ID - chromium
I may make a post over there. But thx again. This is great!
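
The steps described in the last reply (reissue the self-signed certificate with the correct name, then import it into the current user's Trusted Root Certification Authorities store), written out in PowerShell as an added example that is not part of the thread. The host name and file path are constructed placeholders, and binding the certificate to the web server is not shown.

```powershell
# Added example, not from the thread. Placeholders: host name and export path.
$HostName = 'intranet.example.internal'
$CerPath  = Join-Path $env:TEMP 'intranet-selfsigned.cer'

# 1. Issue a self-signed server certificate whose DNS name matches the name
#    typed into the browser. -DnsName fills the Subject Alternative Name
#    extension, which Chromium-based browsers use for host name matching;
#    a typo here produces a name-mismatch error even after the cert is trusted.
$cert = New-SelfSignedCertificate `
    -DnsName $HostName `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1) `
    -FriendlyName "Self-signed: $HostName"

# 2. Export the public certificate only. The private key stays in
#    CurrentUser\My and is never written to the .cer file.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# 3. Trust it for the current user only (not machine-wide).
Import-Certificate -FilePath $CerPath `
    -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. Check what the browser will check: the name matches and the chain
#    validates under the SSL policy for that host name.
$nameOk  = $cert.DnsNameList.Unicode -contains $HostName
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NameMatch  = $nameOk
    ChainValid = $chainOk
    NotAfter   = $cert.NotAfter
}

# Cleanup when the host is retired: remove the trust anchor again.
# Remove-Item "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
```

Windows shows a confirmation dialog when a certificate is added to the current user's root store. If `NameMatch` or `ChainValid` is false, the browser will still treat the site's certificate as invalid.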