| 1 |
On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen <grobian@g.o> wrote: |
| 2 |
> As outsider, I don't like to accept another certificate thing, just to |
| 3 |
> view a bugtracker. |
| 4 |
|
| 5 |
When you think about it, this is a defect with your browser, and not |
| 6 |
so much with SSL itself. |
| 7 |
|
| 8 |
Your browser generally doesn't complain about unauthenticated |
| 9 |
connections. It accepts unauthenticated connections that aren't |
| 10 |
encrypted without any issues, despite these being completely open to |
| 11 |
numerous attacks. However, your browser does complain when it makes |
| 12 |
an unauthenticated connection that IS encrypted, even though this is |
| 13 |
vulnerable to far fewer attacks. |
| 14 |
|
| 15 |
Browsers shouldn't bug the user about self-signed certificates - they |
| 16 |
should simply and clearly show that the user is connected to a host |
| 17 |
that isn't authenticated by a trusted intermediate. |
| 18 |
|
| 19 |
Oh, and browsers shouldn't come with root certs pre-installed by the |
| 20 |
browser distributor either, but that is about as likely to get fixed |
| 21 |
as the problem I just described. |
| 22 |
|
| 23 |
In any case, I don't see poor browser design as a valid reason for |
| 24 |
avoiding the use of SSL... |
| 25 |
|
| 26 |
Rich |
Archives