firefox and bad ssl certificates
HggdH
hggdh2 at gmail.com
Wed May 14 01:02:16 UTC 2008
> The rather larger problem is that the little lock is generally presumed by
> users to mean much more than it does. Emphasizing cert validity only
> compounds the problem. As an example, after today I'd be rather more
> concerned if I didn't get an unknown cert warning from a Debian site than
> if I did.
Yes indeed. A web certificate, as it is used nowadays, will not do much
more than get you privacy. It does not make the web site more or less
secure (and I have already said that here). A self-signed certificate is as good as
one signed by a so-called trusted CA. What makes a specific public
certificate more "trusted" is an out-of-band check and validation (serial
number, CN or DN verification, etc).
A digital (public) certificate is nothing more than a public encryption
key with some identifying data, signed by someone you do not know, but
decided to trust. And, again -- it is not the web public certificate you
trust, it's the signer. You do not know anything about who is deploying
this specific certificate, but *you* (or someone with the necessary
power) decided the signer is trusted.
Scott, methinks, is absolutely correct. But I doubt he, or I, or both of
us, or whoever else, will be able to change the Way Things Are (TM).
..hggdh..
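An added example, not part of the thread, illustrating hggdh's point with openssl: chain validation of a self-signed certificate fails only because its signer is absent from the trust store, and once the certificate is validated out of band (here by pinning its SHA-256 fingerprint, or by adding it as an anchor) it is as trusted as a CA-signed one. The host name example.test and the temporary key pair are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: requires the openssl CLI; nothing here comes from the post.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/site.pem"
KEY="$WORK/site.key"

# Constructed self-signed certificate for a hypothetical host name.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -subj "/CN=example.test" -days 1 >/dev/null 2>&1
}

# Chain validation: succeeds only if the signer is among the trust anchors
# in $2. The default CA directory is ignored so the result depends solely on
# the anchor file we pass. Returns 0 on success, non-zero otherwise.
verify_with_anchor() { # $1 = cert, $2 = trust-anchor file
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Out-of-band check: the SHA-256 fingerprint obtained through a separate
# channel (signed mail, phone call, printed on paper) is compared to the
# fingerprint of the certificate actually presented.
fingerprint() { # $1 = cert; prints AA:BB:... without the label
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
verify_pinned() { # $1 = cert, $2 = expected fingerprint
    [ "$(fingerprint "$1")" = "$2" ]
}

# Demonstration when run directly.
make_self_signed
if verify_with_anchor "$CERT" /dev/null; then
    echo "chain (no anchors): trusted"
else
    echo "chain (no anchors): untrusted signer, not an insecure connection"
fi
verify_with_anchor "$CERT" "$CERT" && echo "chain (cert pinned as anchor): trusted"
echo "fingerprint to verify out of band: $(fingerprint "$CERT")"
```

The "untrusted signer" outcome is exactly what Firefox reports as a bad certificate; the pinned checks show the same certificate accepted once the signer decision is made by the user rather than a CA.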