David E. Ross wrote:
I visit some Web sites with self-signed certificates. None of those sites request any input from me. The only reason they have site certificates is that the site owners want to show off how technically astute they are. Hah! However, those sites do indeed contain information that I want. I definitely do not want to be locked out of them.
For a scary example of exactly this, read the following thread: http://lists.gnucash.org/pipermail/gnucash-user/2008-October/027009.html (Of course, you have to accept the self signed certificate to do so).The page http://wiki.gnucash.org/wiki/Mailing_Lists is covered in little padlocks giving the user the impression that some level of security exists, when in reality there is none.
If admins are telling users that self signed certs are ok, what hope does a user have if they are not clued up on security?
I have also visited sites with incorrectly configured site certificates. In at least one situation, the owner decided to change the domain name without getting a new certificate for the new domain. In several cases, intermediate certificates were not installed, contrary to explicit instructions from the certificate authorities. I definitely do not want to be locked out of these sites either.
This is the classic balance between convenience and security.If the next door neighbour's kid can jimmy the computer so that you can see the sites you want to see, even though the security is broken, then the site has no incentive to fix their security issue.
In one case a while back, a business banking portal I use ran with an expired certificate for some months. Customers who called their helpdesk were cheerfully told how to systematically switch off all the security in IE6, which allowed their site to work. I was the only customer to complain.
Regards, Graham --
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
