
Re: Scripts that run insecurely-downloaded code



On Sat, 2020-05-02 at 18:01 +0200, estellnb@elstel.org wrote:
> 
> Am 02.05.2020 10:14, schrieb Davide Prina:
> > On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> > > > https isn't any more secure than http as long as you do not have a 
> > > > verifiably trustworthy server certificate that you can check for. As 
> > > > we know the certification authority system is totally broken.
> > > 
> > > Imperfect yes, but still better than nothing.
> > 
> > There is another problem: implementation. Not all the software that
> > implements HTTPS verifies the validity of the certificate and the
> > validity of all the certification chain.
> > 
> > For example, where I work a certificate has been invalidated, but by
> > mistake the new valid one was not loaded on an https site.
> 
> What do you mean by loaded on a https site? That the web server of the 
> site uses the certificate? Wasn't there a CA for the new site?
> 
> 
> > With Debian
> > and Firefox I cannot access that site (I get "the certificate is not
> > valid" or something similar), but other people, who use another OS,
> > can access it with Internet Explorer and Chrome, but not with Firefox.
> > 
I've seen this before with Firefox.  Basically, Firefox has disabled weaker certificates from
working, whereas Chrome and IE still accept ones with 128-bit encryption; they do show an error (at
least in Chrome) if you dig into the SSL debug screen.  Firefox just refuses to view it.

> > Ciao
> > Davide

