On 070825 at 21:05, Jeremy Morton wrote:
> So just to confirm, you're saying that there is no difference in
> security between submitting a username/password via HTTP and via HTTPS
> with a self-signed SSL cert?

That's untrue of course, because an active attack is more difficult than a passive one. But passive attacks are not what people try to defend themselves against today.

Some comments to the bug report you posted:

Encryption without authentication is almost always not what people want. If data is important enough to have it encrypted, it sure is important enough to have it authenticated, i.e. make sure that the encrypted party is from the source you expect and unmodified.

That being said, I think that server authentication via certificates is pretty much useless to Joe User. Especially if everyone can get one. Because no Joe User will ever verify the identity in the certificate.

--
[EMAIL PROTECTED]
gpg --recv-key A04D7875
Key fingerprint: B805 57BE E4AF 0104 CC51 77A1 CE6F 8D46 A04D 7875
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto