firefox and bad ssl certificates
Phillip Susi
psusi at cfl.rr.com
Tue May 13 20:24:40 UTC 2008
Milan Bouchet-Valat wrote:
> Notifications are never read, especially by users that are not
> passionate about computers - it's exactly as if there were no message at
> all, only they annoy users: "click OK and then see if there's a problem"
> is what OSes have accustomed people to for many years. And after that the lock
> in the address bar still seems to confirm you're on a secure website.
I think you are dead wrong. It is absolutely wrong to say they are
NEVER read, as people DO see them and CAN read; ergo, some do. I would
go so far as to say that the vast majority of people read them; the
problem is when they fail to understand. And once you accept the
invalid certificate, you ARE on a secure web site. The only thing you
have to worry about is that someone has intercepted your connection and
is spoofing the site with their own self-signed certificate. If a user
frequents a site and does not get this warning, and then one day they do,
they might think something is up. If not, well, they have been warned.
> IMHO it's not mainly about educating the user, but to force servers to
> use correct certificates. When freedesktop.org understands that every
> person who goes to their bugtracker gets the new Firefox warning, I
> guess they will change their certificate. ;-) (just an example)
No, they won't, and shouldn't. Why pay some idiot corporation an
extortion fee just because they bribed the browser manufacturers to
include their certs by default? There is NO added security to having a
paid-for cert. See the several incidents where bank web sites have been
spoofed on a slightly misspelled version of the domain name and issued a
"valid" cert from a CA "proving" they are the bank you thought you were
visiting.
> To continue your metaphor, it's primarily intended to force GPS vendors
> to provide hands-free models so that then you can drive without this
> kind of concern.
Pissing off the users by making their life harder is not a good way to
get your (wrong-headed) point across to the web site operators.