firefox and bad ssl certificates

Scott Kitterman ubuntu at
Wed May 14 00:38:27 UTC 2008

On Tue, 13 May 2008 19:32:23 -0400 (EDT) ffm at wrote:
>> No, they won't, and shouldn't.  Why pay some idiot corporation an
>> extortion fee just because they bribed the browser manufacturers to
>> include their certs by default?  There is NO added security to having a
>> paid for cert.
>In 8.04, CACert is included as a provider. CACert is free. The price bit
>is moot.
Yes, but a cert from a valid CA or one you've previously accepted only helps
against MITM attacks.  It helps not a bit against the rather more common
problem of social engineering attacks using cousin domains (e.g. and
Cert recognition/validation doesn't tell you anything about how good or bad
the distant end is.

The rather larger problem is that the little lock is generally presumed by 
users to mean much more than it does.  Emphasizing cert validity only 
compounds the problem.  As an example, after today I'd be rather more 
concerned if I didn't get an unknown cert warning from a Debian site than 
if I did.

Scott K
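
The point above is that a certificate only binds a key to a name; it says
nothing about whether that name is the one the user meant.  The following is
an added example (not from the post or from the Ubuntu project): a small,
dependency-free check that flags hostnames resembling a protected brand
domain, the kind of check that has to sit on top of TLS validation rather
than be replaced by it.  The brand list, the hostnames, the tiny suffix list
and the look-alike table are all constructed for illustration and are
assumptions, not anything the post provides.

```python
"""Cousin-domain heuristic (added example, not part of the original post).

A valid certificate for ubuntu-login.com is exactly as valid as one for
ubuntu.com; this check is what distinguishes them.  The protected brands,
suffix list and look-alike table below are constructed assumptions.
"""

# Deliberately tiny stand-in for the Public Suffix List (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Common ASCII look-alike substitutions (assumed subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed brand list for the example.
BRANDS = {"ubuntu.com", "debian.org"}


def registrable_domain(hostname):
    """'login.example.co.uk' -> 'example.co.uk'; 'www.ubuntu.com' -> 'ubuntu.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sld(domain):
    """Second-level label: 'ubuntu.com' -> 'ubuntu'."""
    return domain.split(".")[0]


def fold_lookalikes(label):
    """Fold ASCII look-alikes so 'deb1an' and 'rnozilla' compare as 'deblan' / 'mozilla'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Plain Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, brands=BRANDS):
    """Return (verdict, reason); verdict is 'brand', 'cousin' or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in brands:
        return "brand", "registrable domain is a protected brand"
    brand_labels = {sld(b) for b in brands}
    reg_label = sld(reg)

    # 1. Brand label under a different public suffix: ubuntu.co.uk vs ubuntu.com
    if reg_label in brand_labels:
        return "cousin", "brand label '%s' under a different suffix (%s)" % (reg_label, reg)

    # 2. Brand name embedded in the registrable label: ubuntu-login.com
    for b in brand_labels:
        if b in reg_label:
            return "cousin", "brand label '%s' embedded in '%s'" % (b, reg_label)

    # 3. Brand used as a subdomain of an unrelated domain: ubuntu.com.example.net
    prefix_labels = host[:-len(reg)].rstrip(".").split(".") if host != reg else []
    for lab in prefix_labels:
        if lab in brand_labels:
            return "cousin", "brand label '%s' used as a subdomain of %s" % (lab, reg)

    # 4. Typosquat or look-alike: ubntu.com, deb1an.org
    folded = fold_lookalikes(reg_label)
    for b in brand_labels:
        if folded == b or (len(b) >= 5 and edit_distance(folded, b) <= 1):
            return "cousin", "'%s' is a look-alike of '%s'" % (reg_label, b)

    return "unrelated", "no resemblance to a protected brand"


if __name__ == "__main__":
    for h in ("www.ubuntu.com", "login.ubuntu.co.uk", "ubuntu-login.com",
              "ubuntu.com.example.net", "ubntu.com", "deb1an.org", "kitterman.com"):
        print("%-24s %s" % (h, classify(h)))
```

Every one of the "cousin" names above could present a perfectly valid,
CA-issued certificate; the lock icon would look identical.  That is the
limitation the post describes, and it is why this sort of check belongs in
mail filters, proxies and user training rather than being inferred from
certificate validity.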

More information about the Ubuntu-devel-discuss mailing list