firefox and bad ssl certificates
gmatht at gmail.com
Thu May 8 12:59:51 UTC 2008
On Thu, May 8, 2008 at 4:17 PM, Martin Pitt <martin.pitt at ubuntu.com> wrote:
> Right, but also self-signed certificates (since they prove nothing).
They prove that you are talking to the same server you were talking to when
you first logged on. They are also sufficient to prevent passive wiretapping.
> I don't consider it a new feature, but a better UI. Firefox has always
> complained about invalid certificates, but until version 2 it was just
> the well-known 'SSL yadayada cannot be verified mumblemumble click
> here to shut me up' popup dialog, and really everyone just clicked
> this away, right? Security click-through dialogs should be abolished,
> since they achieve nothing and are really just an excuse for the
> software provider: "I know it is unsafe, and cannot give you something
> better. Of course you can't know either, but at least I can make it
> your problem now."
However, http is more unsafe than an https connection on a self-signed cert,
and we don't even have the token warning on http webpages.
AFAICT, this "improvement" only helps users who realise that the "s" in https
is meant to mean secure but somehow don't realise that a big clickthrough
popup warning that the cert is invalid means that the site is in some sense
I guess it could vaguely help users who don't know what the "s" means but
have an https: address stored on their machine from some legitimate source,
but have never visited the site so they don't have the correct cert yet.
John C. McCabe-Dansted
University of Western Australia
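The "same server you first logged on to" property argued for above is trust-on-first-use: pin the self-signed certificate's fingerprint the first time it is seen and refuse silently proceeding when it later changes. The following is an added example illustrating that model; it is not code from Firefox, Ubuntu or the mail's author, and the JSON pin store, the `fetch_peer_cert_der` helper and the stand-in certificate bytes in `demo()` are assumptions of this example.

```python
import hashlib
import json
import socket
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def tofu_check(store: Path, host: str, port: int, der_cert: bytes) -> str:
    """Pin on first sight; afterwards accept only the same certificate.

    Returns 'first-use', 'match' or 'MISMATCH'. A mismatch is either a key
    rotation or an active man-in-the-middle; the client cannot tell which,
    so it must stop rather than click through. The pin is left unchanged.
    """
    key = f"{host}:{port}"
    seen = fingerprint(der_cert)
    pins = json.loads(store.read_text()) if store.exists() else {}
    if key not in pins:
        pins[key] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-use"
    return "match" if pins[key] == seen else "MISMATCH"


def fetch_peer_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf cert with CA validation off (hypothetical helper).

    The session is still encrypted, which is what defeats passive
    wiretapping; identity is checked by tofu_check() instead of a CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Offline walk-through on constructed stand-in certificate bytes."""
    store = Path(tempfile.mkdtemp()) / "known_servers.json"
    cert_a = b"constructed-stand-in-for-DER-cert-A"   # first login
    cert_b = b"constructed-stand-in-for-DER-cert-B"   # different key
    return [tofu_check(store, "mail.example", 443, c)
            for c in (cert_a, cert_a, cert_b, cert_a)]
```

For a live host, `tofu_check(Path("known_servers.json"), host, 443, fetch_peer_cert_der(host))` gives the same three outcomes; the fourth step of `demo()` shows that a mismatch does not overwrite the original pin.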
More information about the Ubuntu-devel-discuss