On 08/10/2009 22:30, Daniel Veditz wrote:
> On 10/7/09 4:00 PM, Guenter wrote:
>> Hi,
>> is there any way to overwrite the default behaviour that a remote SSL
>> host is verified against the CA list in the certdb?
> At what level? Assuming you're asking in this newsgroup because you're
> writing code to use NSS directly (or through PSM) you could look at what
> PSM does to create "override" exceptions and just do that automatically.
> If you're asking about how to do it from Firefox you could try the "MITM
> Me" addon (Description: "This add-on is a terrible idea, and you
> shouldn't install it.") https://addons.mozilla.org/en-US/firefox/addon/6843

Hilarious! I wonder if Jonath has measured the flood of MITMs he's
experienced using this plugin as against other SSL MITMs?

> Needless to say what you're proposing can't be called "SSL" anymore and
> there are sound security reasons SSL does not work that way. Using such
> a client to connect to commercial, financial, or government sites would
> be profoundly dangerous.
I am often reminded on the policy group that SSL *does not require CAs*,
so according to the people who frequently correct me, what you write is
incorrect :)
Understandable error, around a highly controversial term. SSL is
sometimes just a protocol, and CAs are sometimes just application or
policy decisions. Alternatively, SSL is sometimes a whole system of
secure browsing, from consumer to seller, mind to mind, wallet to wallet ...
Personally, I prefer to use the term Secure Browsing to indicate the
system of authentication in browser/servers. And TLS when talking about
the protocol.
But, also personally, I think it is a lost cause. The whole system is
called SSL by the vast body of the media, and anyone who wants to push
pedantic terms is either very alone or selling snake oil.
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220301548
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto