firefox and bad ssl certificates
John McCabe-Dansted
gmatht at gmail.com
Thu May 8 12:59:51 UTC 2008
On Thu, May 8, 2008 at 4:17 PM, Martin Pitt <martin.pitt at ubuntu.com> wrote:
>
> Right, but also self-signed certificates (since they prove nothing).
They prove that you are talking to the same server you are talking to when
you first logged on. They also are sufficient to prevent passive wiretapping
attacks.
> I don't consider it a new feature, but a better UI. Firefox has always
> complained about invalid certificates, but until version 2 it was just
> the well-known 'SSL yadayada cannot be verified mumblemumble click
> here to shut me up' popup dialog, and really everyone just clicked
> this away, right? Security click-through dialogs should be abolished,
> since they achieve nothing and are really just an excuse for the
> software provider: "I know it is unsafe, and cannot give you something
> better. Of course you can't know either, but at least I can make it
> your problem now."
However http is more unsafe than an https connection on a self-signed cert,
and we don't even have the token warning on http webpages.
AFAICT This "improvement" only helps users who realize that the "s" in https
is meant to mean secure but somehow don't realise that a big clickthrough
popup warning that the cert is invalid means that the site is in some sense
less secure.
I guess it could vaguely help users who don't know what the "s" means but
have a https: address stored on their machine from some legitimate source,
but have never visited the site so they don't have the correct cert yet.
--
John C. McCabe-Dansted
PhD Student
University of Western Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20080508/e5df5a06/attachment.html>
More information about the Ubuntu-devel-discuss
mailing list