
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Anthony J Moulen <ajmoulen () moulen ! org>
Date:       2009-06-11 0:42:12
Message-ID: 200906102042.13084.ajmoulen () moulen ! org

On Tuesday 09 June 2009 12:47:04 pm Matthew Woehlke wrote:
>
> "Unless you have some other way to verify the authenticity of this
> certificate, accepting an unsigned certificate should be considered
> equivalent to using an insecure connection." (And maybe something about
> "unauthenticated HTTPS == HTTP".)
You are aware that most browsers do not actually authenticate a 
certificate.  They only ensure that the certificate was signed by a 
signer they trust.  In a true security sense you should also be 
querying the revocation list from the authority to ensure that the 
certificate hasn't been compromised and reported.

The other issue is that the browser doesn't ensure that what you 
typed was correct.  If I got a certificate for bankfoamerica.com and 
managed to register the DNS for that, I could own a legitimate 
certificate for that domain and then make it act as a proxy to the real 
bankofamerica website.  My certificate would be legit from a real 
signer (if I could find one that wasn't paying attention) and because 
your browser trusted that cert all would be happy.  

As has been mentioned, all you are getting is a confirmation that 
someone spent the $400 for a commercial certificate and the 
authority was willing to sell it to you.  Unless it was an EV cert, which is 
several thousand dollars each.

If you work inside a large corporate environment you will probably find 
a lot of self-signed certificates.  If they have done the right thing they 
will have established an internal signer to sign all the certificates, but 
many won't do this, or with hundreds of test environments it isn't cost 
effective to really manage anything but self-signed with long 
expiration dates.  The issue with self-signed is the initial accept; after 
that they are no different from CA-signed, and in some cases are 
really more secure while offering no greater encryption.

I will say that I agree that the current dialog is too vague though. 

= Anthony Moulen
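As an added illustration, not part of the original thread or of KDE's code, the following sketches the decision a certificate dialog could make from the checks discussed above: chain validation, hostname match, revocation status, and a trust-on-first-use pin store that models the "initial accept" of a self-signed certificate. The certificate bytes, host names and the `classify_connection` verdict names are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SELF_SIGNED_V1 = b"constructed-self-signed-cert-v1"
SELF_SIGNED_V2 = b"constructed-self-signed-cert-v2"


class PinStore:
    """Trust-on-first-use store: hostname -> SHA-256 fingerprint of the DER cert.
    The first accept is the only step that needs out-of-band verification;
    after that, a changed fingerprint is the signal that something is wrong."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, der_cert: bytes) -> str:
        fp = hashlib.sha256(der_cert).hexdigest()
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "first-use"
        return "match" if known == fp else "mismatch"


def classify_connection(chain_ok: bool, hostname_ok: bool,
                        revocation: str, pin_state: str) -> Tuple[str, str]:
    """Decide what the dialog should tell the user.

    revocation: 'good', 'revoked' or 'unknown' (CRL/OCSP not reachable)
    pin_state:  'first-use', 'match', 'mismatch' or 'none' (no TOFU store)
    hostname_ok only compares the typed name with the certificate, so a
    certificate legitimately issued for a look-alike name passes this check.
    """
    if not hostname_ok:
        return "refuse", "Certificate name does not match the host you typed."
    if revocation == "revoked":
        return "refuse", "Certificate has been revoked by its issuer."
    if pin_state == "mismatch":
        return "refuse", "Certificate changed since it was first accepted for this host."
    if chain_ok and revocation == "good":
        return "trusted", "Signed by a trusted authority and not revoked."
    if chain_ok:
        return "warn", "Signed by a trusted authority, but revocation could not be checked."
    if pin_state == "match":
        return "pinned", "Self-signed, but identical to the certificate accepted earlier."
    return "unauthenticated", ("Unsigned certificate: unless you verify it some other way, "
                               "continuing is equivalent to an insecure connection.")
```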

 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic