
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Matthew Woehlke <mw_triad () users ! sourceforge ! net>
Date:       2009-06-08 23:05:13
Message-ID: h0k5f9$ndg$1 () ger ! gmane ! org

Jeff Mitchell wrote:
> Matthew Woehlke wrote:
>> Jeff Mitchell wrote:
>>> Self-signed certificates serve perfectly well for encryption,
>> Yes, but whose encryption? The point of an authority-issued certificate 
>> is that there is some level of assurance that it was obtained by someone 
>> honest and for the site it is reportedly for.
> 
> But there isn't a choice.  Certificates are essentially the only
> encryption method feasible for most sites, because of e.g. browser
> support.  So if all you need is encryption, and not authentication, you
> still have to use the same system.

But *you don't get encryption* this way, at least not in the sense of 
"secure communication between two parties". You get the illusion of 
security with no way to know if you actually /have/ security. That's the 
point.

> There are plenty of times when I couldn't care less.  There are lots of
> random web sites out there that have encryption turned on where I
> couldn't care less if I'm seeing the "legit" data or not.  Mailing list
> archives, random bugzillas, etc.  If I'm just a user trying to browse
> around, it doesn't matter to me whether the certificate is "invalid" or
> not -- I'd browse to it even if it had no encryption/certificate at all.

Sure, but that's different. It's one thing to use HTTPS because the 
other end does and be aware that you have roughly the same level of 
security as using raw HTTP. Again, I don't consider that "encryption"; 
you have /not/ achieved any real security.

IMO it should be clear that unauthenticated encryption is about as 
valuable as none at all. It might actually be useful encryption, but it 
might also be a false sense of security; without authentication, you 
don't know.

-- 
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
-- 
Current geek index: 62%
