On 2014-05-28, 9:07 PM, Joshua Cranmer 🐧 wrote:

Two more possible rationales:

1. The administrator is unwilling to pay for an SSL certificate and
unaware of low-cost or free SSL certificate providers.

2. The administrator has philosophical beliefs about CAs, or the CA
trust model in general, and is unwilling to participate in it.

Neglecting the fact that encouraging click-through behavior of users
can only weaken the trust model.

3. The administrator doesn't actually believe SSL certs protect you from
any real harm, and is generating a cert using the least effort possible
to make a user-facing dialog box go away.

It's become clear in the last few months that the overwhelmingly most
frequent users of MITM attacks are state actors with privileged network
positions either obtaining or coercing keys from CAs, using attacks that
the CA model effectively endorses, using tech you can buy off the shelf.
In that light, it's not super-obvious what SSL certs protect you from
apart from some jackass sniffing the coffeeshop wifi.

- mhoye