List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Jeff Mitchell <mitchell () kde ! org>
Date:       2009-06-05 22:36:50
Message-ID: 4A299E02.8090901 () kde ! org


Nicholas Tung wrote:
> Exactly, you get encryption without authentication, which is useless for
> security unless you've accepted it before via a secure connection to the
> machine. In which case, see comment below...

No, it's useless for authentication.  It's entirely useful for
encryption, if that is all that you require for your security needs.

> How
> many /new/ unconfirmed sites do you come across for the four clicks to
> be an annoyance?

Plenty.  Enough for me to find it annoying, obviously.  It doesn't help
that the clicks are hyperlinks so you can't alt+key them like you used
to be able to.

> And, if you consider "ssh" to be a "savvy user thing", then what do you
> say about the "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"
> when the same situation occurs (i.e. the public key changes)?

I don't follow.  SSH works the same exact way.  When you connect
somewhere you don't know, it asks you to confirm this, then it stores
that confirmation.  This is like the Firefox behavior (except the
Firefox behavior requires four confirmations).  If a key changes, it
gives you a warning...just like Firefox if the cert changes from one
"invalid" cert to another.

> and something like
> "confirm security exception", or "accept permanently", "accept
> temporarily", or "reject" (as with SSH) would be /much/ more
> appropriate.

Totally agreed.

--Jeff
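
The SSH-style behaviour discussed in this message (confirm an unknown host once, store the confirmation, warn when the stored key or cert changes, with "accept permanently", "accept temporarily" and "reject" as the choices) can be sketched as follows. This is an added example, not part of the original message and not KDE, Firefox or OpenSSH code; the `TrustStore` class, its method names and the sample certificate bytes are hypothetical and constructed for illustration.

```python
import hashlib
from enum import Enum

class Status(Enum):
    UNKNOWN = "unknown"   # never seen: ask the user to confirm
    MATCH = "match"       # same cert as the stored confirmation
    CHANGED = "changed"   # differs from the stored one: show the loud warning

class Choice(Enum):
    ACCEPT_PERMANENTLY = 1
    ACCEPT_TEMPORARILY = 2
    REJECT = 3

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes as presented by the server."""
    return hashlib.sha256(cert_der).hexdigest()

class TrustStore:
    """Hypothetical trust-on-first-use store keyed by host name."""
    def __init__(self):
        self.permanent = {}  # host -> fingerprint (would be persisted to disk)
        self.session = {}    # host -> fingerprint (dropped at end of session)

    def check(self, host: str, cert_der: bytes) -> Status:
        stored = self.session.get(host) or self.permanent.get(host)
        if stored is None:
            return Status.UNKNOWN
        return Status.MATCH if stored == fingerprint(cert_der) else Status.CHANGED

    def decide(self, host: str, cert_der: bytes, choice: Choice) -> bool:
        """Record the user's answer; True means the connection may proceed."""
        if choice is Choice.REJECT:
            return False
        if choice is Choice.ACCEPT_PERMANENTLY:
            self.permanent[host] = fingerprint(cert_der)
            self.session.pop(host, None)
        else:
            self.session[host] = fingerprint(cert_der)
        return True

    def end_session(self) -> None:
        self.session.clear()

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-self-signed-cert-A"
CERT_B = b"constructed-self-signed-cert-B"
```
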

