1 |
On Thu, Feb 23, 2012 at 3:28 PM, Paul Hartman |
2 |
<paul.hartman+gentoo@×××××.com> wrote: |
3 |
> On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht <markknecht@×××××.com> wrote: |
4 |
>> What is it about my systems wherein every one of these https links |
5 |
>> case my systems to barf with a "This Connection is Untrusted" message. |
6 |
>> If I remove the 's' then things work fine. |
7 |
> |
8 |
> https encompasses two basic functions: encryption and trust. |
9 |
> |
10 |
> In this case the hostname in the SSL certificate installed on that |
11 |
> server does not match the hostname in the URL, so it does not trust |
12 |
> it. If they matched, it would then check to see if it was expired. If |
13 |
> it was not expired, it would then check to see if it was signed by a |
14 |
> CA that you trust (browsers come with a set of trusted CAs already). |
15 |
> If it was self-signed or signed by an untrusted CA (like DigiNotar...) |
16 |
> you'd get a warning as well. |
17 |
> |
18 |
> If literally every https link is untrusted, maybe you have an issue |
19 |
> with the installation of certificates on your system, or have chosen |
20 |
> not to trust any CAs. |
21 |
> |
22 |
> Commercial websites, banks, stores, etc. should always have valid and |
23 |
> trusted certificates. In OSS world, most people don't have the need or |
24 |
> money to pay for a certificate when all they're really interested in |
25 |
> is encrypting the connection. There are also servers that are |
26 |
> listening for https connections but aren't advertised as such... the |
27 |
> mozilla website is probably one of those. Using plug-ins like |
28 |
> HTTPS-everywhere will try to use https even on sites that don't use it |
29 |
> by default. |
30 |
> |
31 |
> In all of those cases above, if you allowed the connection it would |
32 |
> still be SSL encrypted. You'd be protected against packet sniffers but |
33 |
> not against man-in-the-middle attack. By switching to http your |
34 |
> session occurs in plain-text and is vulnerable to both attacks. |
35 |
> |
36 |
|
37 |
OK, clearly I'm overstating the problem then. I haven't ever had any |
38 |
problems logging into password protected, little closed lock in the |
39 |
bottom corner web sites so that's not a problem. The real problem I've |
40 |
noticed the most is just with these links that arrive as https:// type |
41 |
links and Firefox asking me to specifically accept these certificates |
42 |
which I don't really want to do. |
43 |
|
44 |
And I've not had any problems I've noticed by just removing the 's' |
45 |
and using the site like a regular site. |
46 |
|
47 |
So, I guess there really isn't any problem with my system. |
48 |
|
49 |
I appreciate the info folks. As always, thanks! |
50 |
|
51 |
Cheers, |
52 |
Mark |