firefox and bad ssl certificates

Phillip Susi psusi at cfl.rr.com
Tue May 13 20:24:40 UTC 2008


Milan Bouchet-Valat wrote:
> Notifications are never read, especially by users that are not
> passionate about computers - they're exactly like there was no message at
> all, only they annoy users: "click OK and then see if there's a problem"
> is what OSes have accustomed people to for many years. And after that the lock
> in the address bar still seems to confirm you're on a secure website.

I think you are dead wrong.  It is absolutely wrong to say they are 
NEVER read, as people DO see them and CAN read, ergo some do.  I would 
go so far as to say that the vast majority of people read them; the 
problem is when they fail to understand.  And once you accept the 
invalid certificate, you ARE on a secure web site.  The only thing you 
have to worry about is that someone has intercepted your connection and 
is spoofing the site with their own self-signed certificate.  If a user 
frequents a site and does not get this warning, then one day they do, 
they might think something is up.  If not, well, they have been warned.

> IMHO it's not mainly about educating the user, but to force servers to
> use correct certificates. When freedesktop.org understands that every
> person that goes to their bugtracker gets the new Firefox warning, I
> guess they will change their certificate. ;-) (just an example)

No, they won't, and shouldn't.  Why pay some idiot corporation an 
extortion fee just because they bribed the browser manufacturers to 
include their certs by default?  There is NO added security to having a 
paid-for cert.  See the several incidents where bank web sites have been 
spoofed on a slightly misspelled version of the domain name and issued a 
"valid" cert from a CA "proving" they are the bank you thought you were 
visiting.

> To continue your metaphor, it's primarily intended to force GPS vendors
> to provide hands-free models so that then you can drive without this
> kind of concern.

Pissing off the users by making their life harder is not a good way to 
get your (wrong-headed) point across to the web site operators.
