>> intent of a self signed and unknown certificate (i.e. is it
>> legitimate, or a man in the middle) without any external help
>> represents a failing is to show a pretty fundamental lack of
>> understanding as to how this all works.
>>     
> Once again, I make no such claim.  I said that if there is in fact no
> impersonation, then the error is a false positive.  Of course the
> browser cannot determine that.
>   
No, because even if there is no impersonation going on now, every
misconfigured server weakens the ability to detect real impersonations,
and therefore are in and of themselves security issues that need to be
fixed.

This is a case where someone who does not really need ssl is hurting the
entire infrastructure. They need to either fix it or turn ssl off.

bob



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
