I think you have a point. Clearly if the site used to have a certain certificate and the cert has changed since your previous visit, then the new cert had better be signed by a recognized authority.
But equally, suppose I type in http://bank.example.com. Shouldn't I get a big fat warning that there is no way of preventing MITM attacks?
Posted Aug 28, 2008 13:18 UTC (Thu) by Tjebbe (subscriber, #34055)
Why? Who says that there is any important information being handled there?
Firefox 3 SSL certificate warnings
Posted Aug 28, 2008 16:19 UTC (Thu) by epa (subscriber, #39769)
> Why? Who says that there is any important information being handled there?
And who says there is any important information on an https site just because it uses https? Why shouldn't LWN or Slashdot or some random blog use https for getting my username and password when I post comments? Or indeed just for normal web browsing?
Firefox 3 SSL certificate warnings
Posted Aug 28, 2008 14:14 UTC (Thu) by Tar (subscriber, #2456)
But most SSH servers present a self-signed certificate too.
If at one time you choose to trust this server cert, you won't be bothered about it again unless the certificate changes/expires or whatnot.
Why can't self-signed certs with HTTPS behave the same way?
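The SSH-style behaviour described in this comment (and the "cert has changed since your previous visit" case raised earlier in the thread) is trust-on-first-use: pin the fingerprint the first time, stay silent while it matches, and warn loudly when it changes. The script below is an added illustration written for this page; it is not code from the LWN thread, any commenter, or any browser. The `KnownCerts` class, `Verdict` names and `fetch_der_cert` helper are hypothetical, and the certificate bytes in `demo()` are constructed stand-ins for real DER certificates.

```python
"""Known-hosts style trust-on-first-use (TOFU) pinning for HTTPS server certificates."""
import hashlib
import json
import os
import socket
import ssl
import tempfile
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first visit: fingerprint recorded, nothing earlier to compare against"
    MATCH = "certificate matches the one recorded on an earlier visit"
    CHANGED = "WARNING: certificate differs from the recorded one (rotation or MITM)"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex like ssh-keygen."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownCerts:
    """A small analogue of ~/.ssh/known_hosts: maps "host:port" -> fingerprint (hypothetical)."""

    def __init__(self, path: str):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def save(self) -> None:
        with open(self.path, "w") as fh:
            json.dump(self.entries, fh, indent=2)

    def check(self, host: str, port: int, der_cert: bytes) -> Verdict:
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        recorded = self.entries.get(key)
        if recorded is None:
            self.entries[key] = fp      # first visit: pin it, as ssh does on "yes"
            self.save()
            return Verdict.FIRST_SEEN
        if recorded == fp:
            return Verdict.MATCH
        # Never overwrite silently: a changed cert is exactly the case the user must see.
        return Verdict.CHANGED

    def accept_new(self, host: str, port: int, der_cert: bytes) -> None:
        """Explicit re-pin after the user has reviewed a CHANGED verdict (cf. ssh-keygen -R)."""
        self.entries[f"{host}:{port}"] = fingerprint(der_cert)
        self.save()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate; CA validation is deliberately off because
    the trust decision is made by KnownCerts, not by the CA store (not used offline)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo(store_path: str = None) -> list:
    """Three visits to the same host: first sight, unchanged cert, then a changed cert."""
    if store_path is None:
        store_path = os.path.join(tempfile.mkdtemp(), "known_certs.json")
    # Constructed stand-ins for DER certificate bytes; real ones come from fetch_der_cert().
    cert_v1 = b"-- constructed DER bytes for bank.example.com, cert #1 --"
    cert_v2 = b"-- constructed DER bytes for bank.example.com, cert #2 --"
    store = KnownCerts(store_path)
    verdicts = [
        store.check("bank.example.com", 443, cert_v1),  # FIRST_SEEN
        store.check("bank.example.com", 443, cert_v1),  # MATCH
        store.check("bank.example.com", 443, cert_v2),  # CHANGED
    ]
    return [v.name for v in verdicts]


if __name__ == "__main__":
    for name in demo():
        print(name, "-", Verdict[name].value)
```

The point this makes concrete is why browsers did not simply copy SSH: the store gives you nothing on the first visit, so whoever controls the path at that moment gets pinned, and every later legitimate rotation looks identical to an attack. SSH users tolerate that trade-off; a browser that shows `CHANGED` to a random user has no way to tell them which case they are in.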
Firefox 3 SSL certificate warnings
Posted Aug 28, 2008 15:15 UTC (Thu) by johnkarp (subscriber, #39285)
One big difference I can think of: A user of a secure shell is more likely to understand the security implications of their decisions than a random human with a web browser.
Firefox 3 SSL certificate warnings
Posted Aug 28, 2008 15:48 UTC (Thu) by IkeTo (subscriber, #2122)
A bigger reason might be that a successful MITM attack is much more likely to empty the bank account of the victim if the connection being attacked is a web browser connection than if it is a secure shell connection.