[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-user
Subject:    Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86
From:       Paul Hartman <paul.hartman+gentoo () gmail ! com>
Date:       2012-02-23 23:28:49
Message-ID: CAEH5T2MaNW77oG1yVALW5ngzZZBNbySaFsfoAu821iczEqmW-w () mail ! gmail ! com
[Download RAW message or body]

On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht <markknecht@gmail.com> wrote:
> What is it about my systems wherein every one of these https links
> case my systems to barf with a "This Connection is Untrusted" message.
> If I remove the 's' then things work fine.

https encompasses two basic functions: encryption and trust.

In this case the hostname in the SSL certificate installed on that
server does not match the hostname in the URL, so it does not trust
it. If they matched, it would then check to see if it was expired. If
it was not expired, it would then check to see if it was signed by a
CA that you trust (browsers come with a set of trusted CAs already).
If it was self-signed or signed by an untrusted CA (like DigiNotar...)
you'd get a warning as well.

If literally every https link is untrusted, maybe you have an issue
with the installation of certificates on your system, or have chosen
not to trust any CAs.

Commercial websites, banks, stores, etc. should always have valid and
trusted certificates. In OSS world, most people don't have the need or
money to pay for a certificate when all they're really interested in
is encrypting the connection. There are also servers that are
listening for https connections but aren't advertised as such... the
mozilla website is probably one of those. Using plug-ins like
HTTPS-everywhere will try to use https even on sites that don't use it
by default.

In all of those cases above, if you allowed the connection it would
still be SSL encrypted. You'd be protected against packet sniffers but
not against man-in-the-middle attack. By switching to http your
session occurs in plain-text and is vulnerable to both attacks.

[prev in list] [next in list] [prev in thread] [next in thread]