
[Bug 1328] Default browser (Iceweasel) refuses to connect to https://www/ by default



http://bugs.skolelinux.org/show_bug.cgi?id=1328





------- Comment #7 from skilinux@gmail.com  2009-05-04 02:24 -------
(In reply to comment #3)
> What is the point of accessing a self signed certificate anyway? If someone
> wants to sniff your passwords, they could just do it by setting up a fake
> wireless network with another self signed certificate. If a cabled ethernet is
> used, it is hard on a network with switches, so then you can just use http (and
> still vulnerable to fake DHCP servers people can place on the network).

The main point is having an encrypted connection so sniffers actually need to
use a fake cert. to get anything.
Then it's up to the user whether or not to trust an unsigned cert.

There's been an extensive discussion of this on the web and after reading some
I tend to accept the stand of the Firefolks on the matter.
Look up http://blog.johnath.com/2007/10/11/todo-break-internet/ for a good
starter.

With the solution I suggested here we'll not take part in conditioning tender
users to click through to the wild side.
When a sniffer's cert. is encountered, the glory of Iceweasel's new
warnings may even alert the user and maybe drive home the notion that it's an
aggressive action, by having to click a few more times in different locations,
none of which says "O.K." or "Continue".

