List: kde-devel
Subject: Re: ssl auth failure gui: does "continue" do what I think it does?
From: Anthony J Moulen <ajmoulen () moulen ! org>
Date: 2009-06-11 0:42:12
Message-ID: 200906102042.13084.ajmoulen () moulen ! org
On Tuesday 09 June 2009 12:47:04 pm Matthew Woehlke wrote:
>
> "Unless you have some other way to verify the authenticity of this
> certificate, accepting an unsigned certificate should be considered
> equivalent to using an insecure connection." (And maybe something about
> "unauthenticated HTTPS == HTTP".)

You are aware that most browsers do not actually authenticate a
certificate. They only ensure that the certificate was signed by a
signer that it trusts. In a true security sense you should also be
querying the revocation list from the authority to ensure that the
certificate hasn't been compromised and reported.

The other issue is that the browser doesn't ensure that what you
typed was correct. If I got a certificate for bankfoamerica.com and
managed to register the DNS for that, I could own a legitimate
certificate for that domain and then make it act as a proxy to the real
bankofamerica website. My certificate would be legit from a real
signer (if I could find one that wasn't paying attention) and because
your browser trusted that cert all would be happy.

As has been mentioned, all you are getting is a confirmation that
someone spent the $400 for a commercial certificate and the
authority was willing to sell it to you. Unless it was an EV cert, which is
several thousand dollars each.

If you work inside a large corporate environment you will probably find
a lot of self-signed certificates. If they have done the right thing they
will have established an internal signer to sign all the certificates, but
many won't do this, or with hundreds of test environments it isn't cost
effective to really manage anything but self-signed with long
expiration dates. The issue with self-signed is that initial accept; after
that they are no different than CA signed, and in some cases are
really more secure while offering no greater encryption.

I will say that I agree that the current dialog is too vague though.

= Anthony Moulen
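
Added example, not part of the original message and not KDE's code: a minimal trust-on-first-use pin store showing why the "initial accept" of a self-signed certificate is the one decision that matters, and how a later certificate change is detected. `PinStore`, its method names, the host name and the sample byte strings are constructed for illustration; in real use the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac


def fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Hypothetical in-memory store of accepted fingerprints, keyed by host:port."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Normalise case and a trailing dot so the same host maps to one pin.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, der_bytes: bytes) -> str:
        """Classify a presented certificate: 'first-use', 'match' or 'changed'."""
        pinned = self._pins.get(self._key(host, port))
        if pinned is None:
            # Nothing vouches for the certificate yet: this is the risky accept,
            # to be confirmed out of band (e.g. fingerprint read over the phone).
            return "first-use"
        seen = fingerprint(der_bytes)
        # 'changed' must never be waved through silently: it is either a
        # legitimate re-issue or someone in the middle of the connection.
        return "match" if hmac.compare_digest(pinned, seen) else "changed"

    def accept(self, host: str, port: int, der_bytes: bytes) -> None:
        """Record the user's explicit decision to trust this exact certificate."""
        self._pins[self._key(host, port)] = fingerprint(der_bytes)


if __name__ == "__main__":
    # Constructed stand-ins for two different DER-encoded certificates.
    cert_a = b"constructed-sample-certificate-A"
    cert_b = b"constructed-sample-certificate-B"
    store = PinStore()
    print(store.check("test.example", 443, cert_a))   # before any accept
    store.accept("test.example", 443, cert_a)
    print(store.check("test.example", 443, cert_a))   # same certificate again
    print(store.check("test.example", 443, cert_b))   # different certificate
```

A pin only proves the certificate is the same one that was accepted earlier; it says nothing about whether the host name typed was the intended one.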