Scary SSL warnings

Posted Apr 16, 2012 13:53 UTC (Mon) by nye (guest, #51576)
In reply to: Scary SSL warnings by Jan_Zerebecki
Parent article: Langley: False Start's Failure

>The user fills out a form on the page and sends it, now Request 2 is POSTed to the same URL. This time a self signed certificate is used because a Man in the Middle attack happened. In your proposed change there is nothing available to let the browser differentiate between a successful attack that uses a self-signed certificate and the correct certificate. That is because in the current scheme of things there is no client state about the identity of a site.

Realistically, there should be.

Even aside from how you want to treat self-signed certificates, a browser should think something's up if the certificate for a given URL changes between two requests, unless the first certificate was right on the edge of its expiration date. Keeping a record of the certificate received on the last request would be an improvement even if you continue to treat self-signed certificates the same way.

Do any browsers currently do that?
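The per-site certificate memory proposed above, as an added example (not code from any browser or from the commenter): a store keyed by host that remembers the fingerprint and expiry of the last certificate seen, flags a different certificate as "changed" unless the remembered one was within an assumed 14-day renewal window, and refuses to let an unexpected certificate overwrite the record. `SeenCert`, `CertMemory` and `fingerprint_of` are names chosen here; the DER byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def fingerprint_of(der_cert: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass(frozen=True)
class SeenCert:
    fingerprint: str     # fingerprint_of(der)
    not_after: datetime  # the certificate's expiry, as parsed from it


class CertMemory:
    """Remembers the last certificate accepted for each host (key continuity)."""

    def __init__(self, renewal_window: timedelta = timedelta(days=14)):
        self._seen: dict[str, SeenCert] = {}
        self.renewal_window = renewal_window  # assumed tolerance for routine renewals

    def check(self, host: str, cert: SeenCert, now: datetime) -> str:
        """Return 'first-seen', 'same', 'renewed' or 'changed' for this connection."""
        prev = self._seen.get(host)
        if prev is None:
            verdict = "first-seen"           # nothing to compare against yet
        elif prev.fingerprint == cert.fingerprint:
            verdict = "same"                 # continuity holds
        elif prev.not_after - now <= self.renewal_window:
            verdict = "renewed"              # old cert was at the edge of expiry
        else:
            verdict = "changed"              # unexpected swap: warn the user
        if verdict != "changed":
            self._seen[host] = cert          # never let a suspect cert replace the record
        return verdict


def demo() -> list[str]:
    """Walk through the two-request scenario from the quoted comment."""
    mem = CertMemory()
    t0 = datetime(2012, 4, 16, tzinfo=timezone.utc)
    real = SeenCert(fingerprint_of(b"constructed-der-real"), t0 + timedelta(days=300))
    swapped = SeenCert(fingerprint_of(b"constructed-der-swapped"), t0 + timedelta(days=365))
    return [mem.check("example.com", real, t0),       # request 1: first-seen
            mem.check("example.com", swapped, t0),    # request 2: changed
            mem.check("example.com", real, t0)]       # record intact: same


if __name__ == "__main__":
    print(demo())
```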


Scary SSL warnings

Posted Apr 16, 2012 16:21 UTC (Mon) by sorpigal (subscriber, #36106)

No browsers do this, but you can get Firefox extension(s) which add this sort of thing in. The UI is a bit too unfriendly for the masses, however.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds