On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen <grobian@g.o> wrote:

> As outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

When you think about it, this is a defect with your browser, and not
so much with SSL itself.

Your browser generally doesn't complain about unauthenticated
connections. It accepts unauthenticated connections that aren't
encrypted without any issues, despite these being completely open to
numerous attacks. However, your browser does complain when it makes
an unauthenticated connection that IS encrypted, even though this is
vulnerable to far fewer attacks.

Browsers shouldn't bug the user about self-signed certificates - they
should simply and clearly show that the user is connected to a host
that isn't authenticated by a trusted intermediate.

Oh, and browsers shouldn't come with root certs pre-installed by the
browser distributor either, but that is about as likely to get fixed
as the problem I just described.

In any case, I don't see poor browser design as a valid reason for
avoiding the use of SSL...

Rich