Firefox 3 SSL certificate warnings

Posted Aug 29, 2008 16:11 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Firefox 3 SSL certificate warnings by docwhat
Parent article: Firefox 3 SSL certificate warnings

> From the user point of view, isn't a self-signed certificate equal to unencrypted?

Self-signed is better than unencrypted because with unencrypted, an eavesdropper can get your password. With self-signed, he can't.

But with respect to impostors and men in the middle, they're equivalent.

Simply not displaying any claim of security, as you suggest, for the self-signed certificate is probably better than the dire warning. But it would also be nice to see some icon that tells me that, while I might be talking to an impostor, at least no one can eavesdrop on me. Since it's significantly harder for someone to intercept my traffic than just look at it, there are things I would risk in that case that I wouldn't risk on a totally unencrypted connection.

However, I don't know that there's any practical way to make the average user understand this mid-level security. So by default, it would be better to make no claim at all.


Firefox 3 SSL certificate warnings

Posted Aug 29, 2008 18:03 UTC (Fri) by docwhat (subscriber, #40373)

As you say, though, you don't know about impostors or men-in-the-middle. You know at least part of the traffic is encrypted, but you don't know what part and if it matters or not.

That's why I would consider them equivalent.

Ciao!

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 1:57 UTC (Sat) by njs (guest, #40338)

> But with respect to impostors and men in the middle, they're equivalent.

Sometimes. But usually not... The most valuable thing about a self-signed certificate from my point of view is that you can detect when the cert changes -- so if someone hijacks your connection to a site you've used before, you *know*. This describes the vast majority of sites that I trust with sensitive information -- I have a relationship with them! And even if your first visit to some site gets hijacked, whenever you visit that site again later you will at least discover that it happened (because the real non-hijacked connection will use a different cert than you're expecting).

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 2:11 UTC (Sat) by giraffedata (subscriber, #1954)

> The most valuable thing about a self-signed certificate from my point of view is that you can detect when the cert changes

Good point.

But as a practical matter, is there any web browser that detects that? I appreciate that the two SSH clients I use do, but I thought web browsers didn't. I assume that the fact that one visits a lot more web sites than shell sites has a lot to do with it.

Firefox 3 SSL certificate warnings

Posted Aug 30, 2008 9:04 UTC (Sat) by njs (guest, #40338)

> But as a practical matter, is there any web browser that detects that?

No, sigh.

Well, you'll get the "it's self-signed, make an exception or run and hide?" dialogs again when the cert changes, but there's no notification that you *already* made an exception, so you'll probably treat it the same way you treat all the other dialogs like that, i.e. curse and click through.
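The behaviour njs describes in the two posts above (remember the certificate a host presented the first time, then flag any later connection whose certificate differs, so that even a hijacked first visit is exposed by the next honest one) is the SSH known_hosts model, which the thread notes Firefox 3 did not implement. The following is an added example, not code from the LWN thread, Firefox or Mozilla, showing that trust-on-first-use logic as a small Python store. The "certificates" it checks are constructed byte strings standing in for DER-encoded X.509 certificates; the pinning only ever hashes the DER bytes, so the same code works on real certificates. The host names, the line format and the helper names are assumptions of this example.

```python
"""Trust-on-first-use (TOFU) pinning of TLS certificate fingerprints, in the
style of SSH's known_hosts.  Added example; not part of the LWN thread or of
any browser.  The DER "certificates" below are constructed stand-ins."""
import hashlib
import hmac
import socket
import ssl
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first-seen"  # no pin for this host yet: the TOFU moment
    MATCH = "match"            # same certificate as on every earlier visit
    CHANGED = "changed"        # differs from the pin: rotation, or a hijack


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers display as the
    certificate fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Maps host -> fingerprint.  Persisted lines look like
    'bank.example sha256:<hex>' (assumed format, modelled on known_hosts)."""

    def __init__(self, lines=()):
        self._pins = {}
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp = line.split()
            if not fp.startswith("sha256:"):
                raise ValueError("unsupported fingerprint type: " + fp)
            self._pins[host] = fp[len("sha256:"):]

    def lines(self):
        return ["%s sha256:%s" % (h, fp) for h, fp in sorted(self._pins.items())]

    def check(self, host, der_cert):
        """Compare the presented certificate with the pin.  A first visit is
        pinned silently; a later mismatch is the signal the thread wants."""
        fp = fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return Verdict.FIRST_SEEN
        if hmac.compare_digest(pinned, fp):
            return Verdict.MATCH
        return Verdict.CHANGED

    def accept(self, host, der_cert):
        """Replace the pin after the user has checked the new certificate out
        of band (the equivalent of editing known_hosts by hand)."""
        self._pins[host] = fingerprint(der_cert)


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents.  CA validation is
    off because the pin, not the chain, is what we check.  Network access
    is required, so the offline scenarios below do not call this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates (not real X.509 data).
REAL_CERT = b"constructed-der: CN=bank.example serial=0001"
MITM_CERT = b"constructed-der: CN=bank.example serial=0002 (impostor)"


def scenario_hijacked_first_visit():
    """njs's second case: the first visit is intercepted and the impostor's
    cert gets pinned, but the next honest connection no longer matches."""
    store = TofuStore()
    return [store.check("bank.example", MITM_CERT),  # first-seen
            store.check("bank.example", REAL_CERT)]  # changed


def scenario_honest_then_hijacked():
    """njs's first case: an established relationship, then a hijack."""
    store = TofuStore()
    return [store.check("bank.example", REAL_CERT),  # first-seen
            store.check("bank.example", REAL_CERT),  # match
            store.check("bank.example", MITM_CERT)]  # changed


def roundtrip():
    """Pins survive being written out and reloaded."""
    store = TofuStore()
    store.check("bank.example", REAL_CERT)
    reloaded = TofuStore(store.lines())
    return reloaded.check("bank.example", REAL_CERT)  # match
```

The store deliberately says nothing about who the certificate belongs to: as giraffedata and docwhat point out, a self-signed certificate cannot answer that. What it does answer is "is this the same key I talked to last time", which is exactly the question the "make an exception?" dialog loses by not telling the user an exception already existed.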

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds