| 1 |
On Thu, Feb 23, 2012 at 3:28 PM, Paul Hartman |
| 2 |
<paul.hartman+gentoo@×××××.com> wrote: |
| 3 |
> On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht <markknecht@×××××.com> wrote: |
| 4 |
>> What is it about my systems wherein every one of these https links |
| 5 |
>> case my systems to barf with a "This Connection is Untrusted" message. |
| 6 |
>> If I remove the 's' then things work fine. |
| 7 |
> |
| 8 |
> https encompasses two basic functions: encryption and trust. |
| 9 |
> |
| 10 |
> In this case the hostname in the SSL certificate installed on that |
| 11 |
> server does not match the hostname in the URL, so it does not trust |
| 12 |
> it. If they matched, it would then check to see if it was expired. If |
| 13 |
> it was not expired, it would then check to see if it was signed by a |
| 14 |
> CA that you trust (browsers come with a set of trusted CAs already). |
| 15 |
> If it was self-signed or signed by an untrusted CA (like DigiNotar...) |
| 16 |
> you'd get a warning as well. |
| 17 |
> |
| 18 |
> If literally every https link is untrusted, maybe you have an issue |
| 19 |
> with the installation of certificates on your system, or have chosen |
| 20 |
> not to trust any CAs. |
| 21 |
> |
| 22 |
> Commercial websites, banks, stores, etc. should always have valid and |
| 23 |
> trusted certificates. In OSS world, most people don't have the need or |
| 24 |
> money to pay for a certificate when all they're really interested in |
| 25 |
> is encrypting the connection. There are also servers that are |
| 26 |
> listening for https connections but aren't advertised as such... the |
| 27 |
> mozilla website is probably one of those. Using plug-ins like |
| 28 |
> HTTPS-everywhere will try to use https even on sites that don't use it |
| 29 |
> by default. |
| 30 |
> |
| 31 |
> In all of those cases above, if you allowed the connection it would |
| 32 |
> still be SSL encrypted. You'd be protected against packet sniffers but |
| 33 |
> not against man-in-the-middle attack. By switching to http your |
| 34 |
> session occurs in plain-text and is vulnerable to both attacks. |
| 35 |
> |
| 36 |
|
| 37 |
OK, clearly I'm overstating the problem then. I haven't ever had any |
| 38 |
problems logging into password protected, little closed lock in the |
| 39 |
bottom corner web sites so that's not a problem. The real problem I've |
| 40 |
noticed the most is just with these links that arrive as https:// type |
| 41 |
links and Firefox asking me to specifically accept these certificates |
| 42 |
which I don't really want to do. |
| 43 |
|
| 44 |
And I've not had any problems I've noticed by just removing the 's' |
| 45 |
and using the site like a regular site. |
| 46 |
|
| 47 |
So, I guess there really isn't any problem with my system. |
| 48 |
|
| 49 |
I appreciate the info folks. As always, thanks! |
| 50 |
|
| 51 |
Cheers, |
| 52 |
Mark |
Archives