
Re: ca-certificates: no more cacert.org certificates?!?



On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
> >  I think at Debian we all agree that it would be a good
> > thing if everything would be encrypted, so this is a very bad outcome.
> 
> I beg to differ I'm afraid. SSL should be used where it is required
> otherwise you are opening the server up to DOS and as it is more
> complex, bugs and exploits not to mention greater memory and cpu usage
> in similar fashion to systemd.

That's a valid point.  I think all connections should be encrypted,
unless the server admin knowingly disables the encryption.  Does that
sound better?

What I would like to see, is that if someone new to making websites
tries something, they will be using encrypted connections.  And if they
start asking people to fill out personal data, they don't need to do
anything extra to make sure it works right.

> > I've also asked Mozilla to give plain HTTP connections at least as much
> > warnings as self-signed certificates (which would probably mean no
> > warnings for either of them), but I don't think they'll listen.
> 
> What have you asked them exactly?

https://bugzilla.mozilla.org/show_bug.cgi?id=566008#c12

> I believe glaring warnings should be removed from self-signed and
> green bars removed completely for EV certs but you should be asked to
> check the fingerprint for self-signed and the browser should cache the
> cert and warn of changes in all cases though that would scare the
> uninitiated at first???

I think from a usability perspective, "normal" browsing, including
self-signed certificates, should just work without any messages.  But I
gladly leave the details to the browser developers.  There is one thing
I would like them to do, and that is scare users more towards encrypted
connections than away from them.  I don't think any scaring is required,
but if they are going to scare people for self-signed certificates, they
should scare them even more for unencrypted connections.

Thanks,
Bas
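The "cache the cert and warn of changes" behaviour proposed in the quoted message, written out as a trust-on-first-use check. This is an added example for illustration, not code from this thread or from any browser; the store format, the `TofuStore` name and the sample certificate bytes are assumptions, and the live fetch helper replaces chain validation with the pin comparison, which is exactly the trade-off being discussed.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated like browsers display it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """Trust-on-first-use cache: host -> fingerprint of the first certificate seen.

    First contact pins the fingerprint; later contacts report MATCH or CHANGED,
    and CHANGED is the case a client should surface to the user (assumed design).
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return FIRST_SEEN
        return MATCH if pinned == fp else CHANGED

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def peer_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate as DER without chain validation, so a
    self-signed server can be pinned; the TofuStore check stands in for it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

On a real run, `TofuStore("pins.json").check(host, peer_cert_der(host))` pins on first use and returns `"changed"` when the server later presents a different certificate.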
