Marsh Ray wrote:
> What do you propose other than not letting the user bypass
> the cert error page at all?
Investing some serious time enhancing those errors.
Or investing some serious time evangelising the SSL site owners into
using a real certificate.
But the status quo doesn't work.
> Another page that says "we really really mean it"?
Many times the user is right that the site he wants to access is not
*actually* an attacker. So Firefox should not "really mean it".
I collected a page of links on my blog. All of them raise SSL warnings.
Not one is actually an attacker.
It's mostly a list of people using a private CA for a public server.
But users don't care that they're doing something incorrect. They just care
whether they're actually evildoers. And they're not.
One of them is https://svn.boost.org; they certainly get a lot of hits.
There are few solutions for this at the browser level.
Still, one could for example think about an option to crowdsource the
answer.
Not automatically, but have a button, when you meet the problem, that asks
the network whether "svn.boost.org + this certificate imprint" is a fake
or not.
As soon as you start thinking "what could we do?" instead of just
saying "this should not happen", some ideas appear.
Then there are also the other errors, like an expired certificate, which
is often just a mishandling when the cert is only *shortly* expired. The
browser could be smarter about that.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto