Jeremy Morton wrote:
> Nelson B wrote:
>> http is vulnerable to passive attack ("sniffers").
>> https with self-signed certs is not vulnerable to passive attack.
>> That is the only essential difference.
>> Both are vulnerable to active attack.
>> Both are *trivially* attacked by MITM attackers.
>>
>
> Right, I realise all of that.
>
> I guess my question is whether you have any reliable statistics as to
> what kind of number of passive attackers there are out there vs active
> attackers. Are there literally virtually no passive attackers? If so,
> not distinguishing HTTPS w/ self-signed in the chrome would make sense.
> However if there are a significant number, that 'essential difference'
> is still important, no?
Jeremy, I think one of the problems with self-signed certificates is
what I call "warning-popup-click-away-effect". People simply got used to
click through the warnings, which in some way deflated the SSL
authentication model further (speaking here only about domain validated
authentication - identity or organization validation is yet another
issue). Would the casual user have the means and knowledge to differ
between self-signed and CA issued certificates - like you and me most
likely do, the problem wouldn't be such. However this is not the case
and therefore the steps taken by Mozilla I guess.
Considering the effect it will have on the millions of casual users - it
dwarfs the negative effect it has on web site owners who prefered to use
self-signed certificates. But I invite you to read an article I wrote
not long ago at https://blog.startcom.org/?p=33 which gives some heads
up. Certainly nothing is guaranteed forever, but provides an alternative
to self-signed certificates today. Just my two cents...
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
