On 10/8/09 2:00 PM, Ian G wrote:
> On 08/10/2009 22:30, Daniel Veditz wrote:
>> If you're asking about how to do it from Firefox you could try the "MITM
>> Me" addon (Description: "This add-on is a terrible idea, and you
>> shouldn't install it.")
>> https://addons.mozilla.org/en-US/firefox/addon/6843
>
> Hilarious! I wonder if Jonath has measured the flood of MITMs he's
> experienced using this plugin as against other SSL MITMs?
>
>> That was written for some admins who complained that they have racks of
>> equipment with built-in self-signed certs and for whom the extra bypass
>> clicks in Firefox 3 were onerous. If they put this addon in a profile
>> used _only_ on a protected internal network of these devices it might be
>> safe enough. At least until they forget and use that profile to surf
>> elsewhere.
>>
>> Needless to say, what you're proposing can't be called "SSL" anymore and
>> there are sound security reasons SSL does not work that way. Using such
>> a client to connect to commercial, financial, or government sites would
>> be profoundly dangerous.
>
> I am often reminded on the policy group that SSL *does not require CAs*,
> so according to the people who frequently correct me, what you write is
> incorrect :)

I don't think my statement required CAs -- if Guenter wants to install
trusted server certs ahead of time that can be done safely (but probably
won't be). It seemed like he was asking about accepting any and every
cert he encountered though. I suppose the machines are still talking the
SSL/TLS protocol if you want to look at just that aspect of it, but it
defeats the whole purpose.

Regardless, I stand fully behind my second sentence. Using a client
configured that way to conduct financial or commercial transactions
would be dangerous.
-Dan
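The contrast Dan draws above (accepting any and every cert versus installing the devices' own certs ahead of time), as an added Go example that is not part of the thread: both client configurations are tried against a loopback TLS server presenting a look-alike self-signed cert. The certificate generation, the name `device.internal` and all function names are constructed for this example and stand in for the racked devices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed server cert for cn: constructed test data standing in for the cert burned into a rack device, or for an impostor's look-alike under the same name.
func selfSigned(cn string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// clientAccepts starts a loopback TLS server presenting server, dials it with client config cfg, and reports whether the client completed the handshake (i.e. accepted the presented cert).
func clientAccepts(server tls.Certificate, cfg *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}})
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // fails only when the client refuses our cert
			c.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil {
		c.Close()
	}
	return err == nil
}
// acceptAnything is the "MITM Me" posture: still TLS on the wire, but any cert from anyone passes.
func acceptAnything() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
// pinned trusts exactly the device cert installed ahead of time and checks the expected name.
func pinned(device *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(device)
	return &tls.Config{RootCAs: pool, ServerName: device.Subject.CommonName}
}
func main() { // an impostor presents its own cert under the device's name; only the pinned client notices
	device, impostor := selfSigned("device.internal"), selfSigned("device.internal")
	println("accept-all:", clientAccepts(impostor, acceptAnything()), "pinned:", clientAccepts(impostor, pinned(device.Leaf)))
}
```

Both clients speak the TLS protocol end to end; only the pinned one learns anything about who answered, which is the sense in which the accept-all client "defeats the whole purpose".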
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto