Nelson B wrote:
> Jeremy Morton wrote:
>> Re: bugzilla bug #383183 comment #52:
>>
>> So just to confirm, you're saying that there is no difference in
>> security between submitting a username/password via HTTP and via HTTPS
>> with a self-signed SSL cert?
>
> http is vulnerable to passive attack ("sniffers").
> https with self-signed certs is not vulnerable to passive attack.
> That is the only essential difference.
> Both are vulnerable to active attack.
> Both are *trivially* attacked by MITM attackers.

Right, I realise all of that. I guess my question is whether you have any reliable statistics as to what kind of number of passive attackers there are out there vs active attackers. Are there literally virtually no passive attackers? If so, not distinguishing HTTPS w/ self-signed in the chrome would make sense. However if there are a significant number, that 'essential difference' is still important, no?

Best regards,
Jeremy Morton (Jez)