| 1 |
On 02/24/12 02:45, Florian Philipp wrote: |
| 2 |
> |
| 3 |
> Let's not forget that whenever you are presented with that warning, it |
| 4 |
> could also be a man-in-the-middle attack. Therefore just clicking on |
| 5 |
> "Accept" on every site is about the stupidest thing you can do. |
| 6 |
> |
| 7 |
> I'm unsure how the warning looks when you have previously accepted a |
| 8 |
> normally untrusted certificate on that site and now it is different |
| 9 |
> (which could be an indication of MITM). I hope there is a big red flashy |
| 10 |
> warning but I doubt it. |
| 11 |
> |
| 12 |
|
| 13 |
Not if the certificate is "valid." |
| 14 |
|
| 15 |
The only sane way to handle certificates with parties you've never met |
| 16 |
(i.e. every website) is the SSH method: you accept that, no matter what, |
| 17 |
there's always going to be one opportunity for a man-in-the-middle |
| 18 |
attack. The first time you connect, you save the remote server's |
| 19 |
certificate. If it changes, freak out. |
| 20 |
|
| 21 |
The certificate patrol extension does this: |
| 22 |
|
| 23 |
http://patrol.psyced.org/ |
| 24 |
|
| 25 |
With it, self-signed certificates become more secure than CA-signed ones. |
Archives