Jeremy Morton wrote:
> Nelson B wrote:
>> http is vulnerable to passive attack ("sniffers").
>> https with self-signed certs is not vulnerable to passive attack.
>> That is the only essential difference.
>> Both are vulnerable to active attack.
>> Both are *trivially* attacked by MITM attackers.
>>
>
> Right, I realise all of that.
>
> I guess my question is whether you have any reliable statistics as to
> what kind of number of passive attackers there are out there vs active
> attackers. Are there literally virtually no passive attackers? If so,
> not distinguishing HTTPS w/ self-signed in the chrome would make sense.
> However if there are a significant number, that 'essential difference'
> is still important, no?

Jeremy, I think one of the problems with self-signed certificates is what I call the "warning-popup-click-away effect". People simply got used to clicking through the warnings, which in some way deflated the SSL authentication model further (speaking here only about domain-validated authentication; identity or organization validation is yet another issue).

If the casual user had the means and knowledge to differentiate between self-signed and CA-issued certificates, as you and I most likely do, the problem wouldn't be such. However, this is not the case, and therefore the steps taken by Mozilla, I guess.

Considering the effect it will have on the millions of casual users, it dwarfs the negative effect it has on web site owners who preferred to use self-signed certificates. But I invite you to read an article I wrote not long ago at https://blog.startcom.org/?p=33 which gives some heads up. Certainly nothing is guaranteed forever, but it provides an alternative to self-signed certificates today.

Just my two cents...

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto