
Firefox 3 SSL certificate warnings

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 9:21 UTC (Thu) by epa (subscriber, #39769)
Parent article: Firefox 3 SSL certificate warnings

Surely the key issue is this: why do you present pages of frightening warnings for a self-signed certificate, but no warning at all if your browsing is entirely in the clear? A self-signed certificate is not less safe than unencrypted http. It may not be any more safe; it shouldn't get the padlock icon or glowing green bar; but to treat it as highly dangerous while not even raising an eyebrow for unencrypted browsing will just encourage people to not set up https sites (unless they are willing to pay the protection money) and stick with plain http. Which is surely not improving anyone's security.



Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 9:58 UTC (Thu) by BenHutchings (subscriber, #37955) [Link]

Suppose I bookmark my bank's login page at https://bank.example.com. Shouldn't I get a big fat warning if I use that bookmark and the remote server presents a self-signed certificate?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 11:29 UTC (Thu) by epa (subscriber, #39769) [Link]

I think you have a point. Clearly if the site used to have a certain certificate and the cert has changed since your previous visit, then the new cert had better be signed by a recognized authority.

But equally, suppose I type in http://bank.example.com. Shouldn't I get a big fat warning that there is no way of preventing MITM attacks?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 13:18 UTC (Thu) by Tjebbe (subscriber, #34055) [Link]

Why? Who says that there is any important information being handled there?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 16:19 UTC (Thu) by epa (subscriber, #39769) [Link]

> Why? Who says that there is any important information being handled there?

And who says there is any important information on an https site just because it uses https? Why shouldn't LWN or Slashdot or some random blog use https for getting my username and password when I post comments? Or indeed just for normal web browsing?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 14:14 UTC (Thu) by Tar (guest, #2456) [Link]

But most SSH servers present a self-signed certificate too.

If at one time you choose to trust this server cert, you won't be bothered about it again unless the certificate changes/expires or whatnot.

Why can't the self-signed certs with HTTPS behave the same way?
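
Added example, not part of any comment in this thread: the SSH-style trust-on-first-use behaviour asked about above, combined with the earlier point that a changed certificate should be accepted only if a recognized authority signed it. PinStore, Verdict and the ca_validated flag (assumed to come from the TLS library's chain verification) are hypothetical names, and the certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    TRUSTED_CA = "ca-validated"      # chain verifies to a recognized authority
    FIRST_USE = "ask-user-once"      # unknown host, unvalidated cert: one prompt
    PINNED_MATCH = "pinned-match"    # same cert as last time, stay quiet
    CHANGED = "changed-warn"         # different, unvalidated cert: loud warning


class PinStore:
    """Hypothetical per-host store, analogous to SSH's known_hosts file."""

    def __init__(self):
        self._pins = {}  # (host, port) -> SHA-256 fingerprint last trusted

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def evaluate(self, host: str, port: int, cert_der: bytes, ca_validated: bool) -> Verdict:
        # Validity-period (expiry) handling is not modelled here.
        key = (host.lower(), port)
        fp = self.fingerprint(cert_der)
        if ca_validated:
            # A changed cert is fine as long as a recognized authority signed it.
            self._pins[key] = fp
            return Verdict.TRUSTED_CA
        pinned = self._pins.get(key)
        if pinned is None:
            return Verdict.FIRST_USE  # nothing is stored until accept() is called
        if pinned == fp:
            return Verdict.PINNED_MATCH
        # Covers both a swapped self-signed cert and a site that used to
        # present a CA-validated cert and now presents an unvalidated one.
        return Verdict.CHANGED

    def accept(self, host: str, port: int, cert_der: bytes) -> None:
        """Record the user's explicit decision to trust this cert for this host."""
        self._pins[(host.lower(), port)] = self.fingerprint(cert_der)


def demo():
    store = PinStore()
    blog = b"constructed self-signed cert A"
    out = [store.evaluate("blog.example.com", 443, blog, False)]
    store.accept("blog.example.com", 443, blog)
    out.append(store.evaluate("blog.example.com", 443, blog, False))
    out.append(store.evaluate("blog.example.com", 443, b"constructed cert B", False))
    out.append(store.evaluate("bank.example.com", 443, b"constructed CA-signed cert", True))
    out.append(store.evaluate("bank.example.com", 443, b"constructed self-signed", False))
    return out
```

The last call in demo() is the bookmarked-bank case from earlier in the thread: a host previously seen with a CA-validated certificate that now presents an unvalidated one gets the loud warning rather than the one-time prompt.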

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:15 UTC (Thu) by johnkarp (guest, #39285) [Link]

One big difference I can think of: A user of a secure shell is more likely to understand the security implications of their decisions than a random human with a web browser.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:48 UTC (Thu) by IkeTo (subscriber, #2122) [Link]

A bigger reason might be that a successful MITM attack is much more likely to empty the bank account of the victim if the connection being attacked is a web browser connection than if it is a secure shell connection.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds