Ian G wrote, On 2009-01-02 01:28 PST:
> Lots of very small stores try to do the right thing and set 
> up self-signed certs with their cousin or friend doing the website. 

They get their cousin or friend to set up a web site for them, because
they don't know anything about web sites except that they must have one.
Their cousin/friend tells them "Your choices are to either pay $1000 per
year for a certificate or else let me make you a certificate for free."
He does not tell them "you also have choices to get certs that will work
in all browsers for less than $50/year", perhaps because he himself does
not know that.

> Then they discover that nobody can use the site, the admin wants more 
> money, [...] so they back off and use HTTP instead of HTTPS.

Yes, I agree, that does happen.  But the answer is not to use self-signed
certs.  It is to use cost-effective CA-issued certs.

> "Please be aware that this website is not fully protected with third 
> party claims by Certification Authorities.  You may not be talking to 
> who you think you are talking to, be careful to check in other ways.  

The problem with that is that the average user has NO IDEA WHATEVER of
any way to verify who he is talking to other than to look at the CONTENT
of the site, and see if it looks like the content he expects from the
real site.  So, he does that, and thinks that he has "been careful", just
as the suggested warning advises him, and he gets phished.

There are some (few) users who have become aware of the advice that they
must check that the certificate belongs to the intended party, but they
still have no concept of a MITM attack, so they look at the subject name
in the self-signed cert, and see that it bears the name of the company
they expect it to name, and they conclude that they have verified that
the cert is correct and proper, and they get phished.

Either way, the people who get phished, after thinking that they've taken
due care, conclude that there is no effective security on the internet.
But they should conclude that there is no effective security on the
internet WHEN YOU OVERRIDE the security precautions that were put there
to protect them.  We do not help them by further watering down the
security warnings.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
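An added illustration of the point made above about users who inspect the subject name of a self-signed cert (this is not code from the thread or its authors): anyone can mint a certificate bearing exactly the name a user expects, so a name-only check passes, while the chain check a browser performs fails because nothing vouches for it. It assumes the openssl command-line tool (1.1.0 or later) is on PATH; the hostname shop.example and the temporary files are constructed for the demo.

```shell
#!/bin/sh
# Demo of name-only vs chain-based certificate checking (added example).
# Assumes openssl >= 1.1.0; "shop.example" and $WORK are constructed values.
WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"
mkdir -p "$WORK"

# Anyone can produce a certificate with any subject name; no CA is involved.
make_self_signed() {   # $1 = hostname to place in the subject; prints cert path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# What the user described in the post does: read the subject CN and compare
# it with the site name. Prints "match" or "mismatch".
name_only_check() {    # $1 = cert file, $2 = expected hostname
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=[ ]*CN=//p')
  [ "$cn" = "$2" ] && echo match || echo mismatch
}

# What the browser does: require a chain to a trusted root AND a matching
# name. With no trust anchors the self-signed cert fails no matter how
# correct its subject looks. Prints "trusted" or "untrusted".
chain_check() {        # $1 = cert file, $2 = expected hostname
  if openssl verify -no-CAfile -no-CApath -verify_hostname "$2" "$1" \
       >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Only an explicit, out-of-band decision to trust this exact certificate
# makes it pass; that decision is what the warning dialog is asking for.
pinned_check() {       # $1 = cert file, $2 = expected hostname
  if openssl verify -no-CApath -CAfile "$1" -verify_hostname "$2" "$1" \
       >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

CERT=$(make_self_signed shop.example)
echo "name only : $(name_only_check "$CERT" shop.example)"   # match
echo "chain     : $(chain_check "$CERT" shop.example)"       # untrusted
echo "pinned    : $(pinned_check "$CERT" shop.example)"      # trusted
```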