[ProgSoc] this is a test, please ignore

Noah O'Donoghue noah.odonoghue at students.mq.edu.au
Fri Nov 7 09:17:35 EST 2008


I've read this article, and the author completely missed why Firefox 3
changed this interface, and fails to contrast this with the old version.

Prior to 3.0, if a user visited a self-signed site, he would be presented
with a "problem with your certificate" error message that allowed a user to
bypass once to visit the site. This warning did not make it immediately
clear if the certificate had expired, was self-signed, or was otherwise
invalid, just that it wasn't perfect.

On subsequent visits to the site, the user would see the same error message
and do the same bypass. This means that you could offer a different
self-signed certificate every time and the user would have no way of
differentiating them, ending up offering the same level of security as no
encryption, with the proviso that if an entity such as an ISP were to do
large-scale snooping, they would probably be found out. So it's not quite
plain text, but it's nearly there. 

In Firefox 3, it is explained to the user why the certificate is invalid
(self-signed) and that if they wish to continue, they can add the certificate
bypass permanently, at which point the user is warned that they should trust
their current connection before proceeding (e.g., don't do this on uni / café
wireless) because it is going to be added as trusted.

On subsequent visits, the user is not warned about the certificate, unless
it changes, at which point the whole process repeats, (maybe) alerting the
user that something is up. 

The author rants about this lowering self-signed certificate equality, on
the basis that because the user has to do extra clicks (with each step
explaining what is happening) they will be scared off accessing the site. 

Personally I prefer an interface that:

1. Lets me see at a glance what is wrong with the certificate
2. Won't bug me next time I visit if I want to add an exception
3. Potentially secures my connection by alerting me if the certificate
changes. 

Of course, if everything went on with IE's "There is a problem with this
webpage's certificate" or FF2's certificate errors, no one would complain
because they are so used to clicking through... every single time... without
understanding why, checking the certificate against past certificates or
validity.


-----Original Message-----
From: progsoc-bounces at progsoc.org [mailto:progsoc-bounces at progsoc.org] On
Behalf Of John Elliot
Sent: Monday, November 03, 2008 6:00 PM
To: ProgSoc
Subject: Re: [ProgSoc] this is a test, please ignore

John Elliot wrote:
> I predict this thread will run for three months.

What I particularly like about that prediction is my ability to make it 
true. :)

I was reading this article "Mozilla SSL policy bad for the Web" [1] this 
evening. I agree with the author's point.

One thing that would lend particular credence to his point, and 
something he didn't mention, is that it is becoming common for network 
equipment to hijack outbound SSL connections and proxy them. When this
happens the user has no indication that their conversation is not 
encrypted all the way to the site they are viewing, but rather only 
encrypted to their corporate transparent proxy, which is then able to 
review all of their "encrypted" data. The user doesn't know what's going 
on. Corporations just roll out a "trusted" cert as part of their SOA, so
the user doesn't get the scary message alerting them to wire-tapping.

The browser should silently support encryption, indicate in the status 
bar the name claimed on the cert, and also indicate which CA backs the 
claim.

[1] http://www.cs.uml.edu/~ntuck/mozilla/








_______________________________________________
Progsoc mailing list
Progsoc at progsoc.org
http://progsoc.org/cgi-bin/mailman/listinfo/progsoc
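
Added example, not part of the original messages and not Firefox code: a small Python model of the two warning behaviours compared in the thread, replaying three visits to one self-signed host where the third visit presents a different certificate. The class names, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for DER certificate bytes. In a real client they would
# come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed self-signed certificate A"
CERT_B = b"constructed self-signed certificate B (presented by an interposer)"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(der_cert).hexdigest()

class BypassOnce:
    """Pre-3.0 model: generic warning, one-off bypass, nothing remembered."""
    def visit(self, host: str, der_cert: bytes) -> str:
        # The verdict does not depend on which certificate was presented,
        # so a swapped certificate looks exactly like the genuine one.
        return "warn"

class ExceptionStore:
    """Firefox 3 model: a permanent per-host exception bound to one cert."""
    def __init__(self):
        self.exceptions = {}  # host -> fingerprint of the accepted cert

    def add_exception(self, host: str, der_cert: bytes) -> None:
        self.exceptions[host] = fingerprint(der_cert)

    def visit(self, host: str, der_cert: bytes) -> str:
        known = self.exceptions.get(host)
        if known is None:
            return "first-use"   # explain the problem, offer an exception
        if known == fingerprint(der_cert):
            return "ok"          # same cert as accepted before: no prompt
        return "changed"         # different cert: the whole process repeats

def demo():
    """Replay three visits; the user adds an exception on first use only."""
    host = "selfsigned.example"  # hypothetical host
    old, new = BypassOnce(), ExceptionStore()
    old_seen, new_seen = [], []
    for cert in (CERT_A, CERT_A, CERT_B):
        old_seen.append(old.visit(host, cert))
        verdict = new.visit(host, cert)
        if verdict == "first-use":
            new.add_exception(host, cert)
        new_seen.append(verdict)
    return old_seen, new_seen

if __name__ == "__main__":
    print(demo())
```
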



