
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Jeff Mitchell <mitchell () kde ! org>
Date:       2009-06-05 11:55:26
Message-ID: 4A2907AE.7000608 () kde ! org

Nicholas Tung wrote:
> On Thu, Jun 4, 2009 at 23:56, Thiago Macieira <thiago@kde.org> wrote:
> 
>     Nicholas Tung wrote:
>     >Hi all,
>     >
>     >    If the "continue" button on the attached GUI screenshot does what I
>     >think it does (submits information after a certificate failure), please
>     >remove the option, or make it *very* clear that this is not a good
>     > choice. Firefox, by contrast, has only a failure message and an "okay"
>     > button. [The gui came up for me because I connect via a wifi network
>     > that requires authentication, and it presents a redirect page for http
>     > and https].
> 
>     Firefox makes it very annoying to accept an invalid certificate. You
>     have to add an exception to the SSL rules and you need to fetch the
>     certificate first. That's after the failure message.
> 
> 
> I would assume it's purposefully annoying, and I like it that way. One
> click to give away information is not good, and I think invalid
> certificates should be discouraged.

Unfortunately, "invalid" is not up to the user to decide, it's whatever
the web browser maker decides is "invalid".  Self-signed certificates
serve perfectly well for encryption, which is entirely suitable for many
web sites where authentication of the site isn't important, only the
encryption itself.  Not everyone wants to or can spend $$$ to encrypt
personal web sites, or wants to be beholden to outside authorities.  But
these are treated as "invalid" with a big scary warning to users.

For those that *are* savvy, Firefox went from one click to get past a
self-signed cert to four.  You may like that annoyance, but there are a
large number of people (like myself) that don't, or would like the
option to change that.

--Jeff

