
Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 9:58 UTC (Thu) by BenHutchings (subscriber, #37955)
In reply to: Firefox 3 SSL certificate warnings by epa
Parent article: Firefox 3 SSL certificate warnings

Suppose I bookmark my bank's login page at https://bank.example.com. Shouldn't I get a big fat warning if I use that bookmark and the remote server presents a self-signed certificate?



Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 11:29 UTC (Thu) by epa (subscriber, #39769) [Link]

I think you have a point. Clearly if the site used to have a certain certificate and the cert has changed since your previous visit, then the new cert had better be signed by a recognized authority.

But equally, suppose I type in http://bank.example.com. Shouldn't I get a big fat warning that there is no way of preventing MITM attacks?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 13:18 UTC (Thu) by Tjebbe (guest, #34055) [Link]

Why? Who says that there is any important information being handled there?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 16:19 UTC (Thu) by epa (subscriber, #39769) [Link]

> Why? Who says that there is any important information being handled there?

And who says there is any important information on an https site just because it uses https? Why shouldn't LWN or Slashdot or some random blog use https for getting my username and password when I post comments? Or indeed just for normal web browsing?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 14:14 UTC (Thu) by Tar (guest, #2456) [Link]

But most SSH servers present a self-signed certificate too.

If at one time you choose to trust this server cert you won't be bothered about it again unless the certificate changes/expires or whatnot.

Why can't the self-signed certs with HTTPS behave the same way?

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:15 UTC (Thu) by johnkarp (guest, #39285) [Link]

One big difference I can think of: A user of a secure shell is more likely to understand the security implications of their decisions than a random human with a web browser.

Firefox 3 SSL certificate warnings

Posted Aug 28, 2008 15:48 UTC (Thu) by IkeTo (subscriber, #2122) [Link]

A bigger reason might be that a successful MITM attack is much more likely to empty the bank account of the victim if the connection being attacked is a web browser connection than if it is a secure shell connection.
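
The policy the thread circles around, SSH-style trust on first use for self-signed certificates combined with the rule that a changed certificate must be signed by a recognized authority, can be written as a small decision function. This is an added example, not part of any comment above and not Firefox's code; `PinStore`, `Decision`, the `ca_valid` flag and the certificate byte strings are constructed for illustration, and expiry is not modelled.

```python
import hashlib
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"            # matches the stored pin, or a CA vouches for it
    PROMPT_FIRST_USE = "prompt"  # unknown host, self-signed: ask the user once
    BLOCK = "block"              # host known, cert changed, no CA vouches for it


class PinStore:
    """Hypothetical in-memory map of host -> SHA-256 of the DER certificate."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(cert_der):
        return hashlib.sha256(cert_der).hexdigest()

    def trust(self, host, cert_der):
        """Record the user's explicit decision to trust this certificate."""
        self.pins[host] = self.fingerprint(cert_der)

    def check(self, host, cert_der, ca_valid):
        """ca_valid: result of normal chain validation (assumed done elsewhere)."""
        fp = self.fingerprint(cert_der)
        known = self.pins.get(host)
        if known == fp:
            return Decision.ACCEPT           # same cert as the last visit
        if ca_valid:
            self.pins[host] = fp             # remember the CA-signed cert too
            return Decision.ACCEPT
        if known is None:
            return Decision.PROMPT_FIRST_USE  # the SSH-style first-contact question
        return Decision.BLOCK                 # the bookmarked-bank case


if __name__ == "__main__":
    store = PinStore()
    # Constructed byte strings standing in for DER-encoded certificates.
    bank_cert, rogue_cert = b"bank CA-signed cert", b"self-signed replacement"
    print(store.check("bank.example.com", bank_cert, ca_valid=True))
    print(store.check("bank.example.com", rogue_cert, ca_valid=False))
```
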


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds