firefox and bad ssl certificates
Scott Kitterman
ubuntu at kitterman.com
Wed May 14 00:38:27 UTC 2008
On Tue, 13 May 2008 19:32:23 -0400 (EDT) ffm at cluenet.org wrote:
>> No, they won't, and shouldn't. Why pay some idiot corporation an
>> extortion fee just because they bribed the browser manufacturers to
>> include their certs by default? There is NO added security to having a
>> paid for cert.
>
>In 8.04, CACert is included as a provider. CACert is free. The price bit
>is moot.
>
Yes, but a cert from a valid CA or one you've previously accepted only helps against MITM
attacks. It helps not a bit against the rather more common problem of social engineering
attacks using cousin domains (e.g. paypal.com and paypa1.com). Cert recognition/validation
doesn't tell you anything about how good or bad the distant end is.

The rather larger problem is that the little lock is generally presumed by
users to mean much more than it does. Emphasizing cert validity only
compounds the problem. As an example, after today I'd be rather more
concerned if I didn't get an unknown cert warning from a Debian site than
if I did.
Scott K
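An added illustration of the point made in the post above, written for this page and not code from the thread or from any browser: a certificate that is valid for the host you actually reached says nothing about whether that host is the one you meant. The block below pairs a minimal hostname-match check (the kind of thing certificate validation settles) with a separate cousin-domain check that folds look-alike characters and looks for a known brand name embedded in an unrelated domain. The trusted-domain list, the small confusables table, and the naive "last two labels" notion of a registrable domain are all assumptions chosen for the example; real tooling would use the Public Suffix List and the full Unicode confusables data.

```python
import unicodedata

# Constructed list of domains a user might be expecting to reach (assumption).
TRUSTED_DOMAINS = ["paypal.com", "ubuntu.com", "debian.org"]

# Tiny illustrative table of characters commonly mistaken for one another in
# hostnames (assumption: not the full Unicode confusables list).
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "|": "l",
    "\u0430": "a",   # Cyrillic small a looks like Latin a
    "\u043e": "o",   # Cyrillic small o looks like Latin o
})


def canonical(hostname: str) -> str:
    """Fold a hostname so that look-alike characters collapse together."""
    host = unicodedata.normalize("NFKC", hostname).lower().rstrip(".")
    return host.translate(CONFUSABLES)


def registrable(hostname: str) -> str:
    """Naive registrable domain: the last two labels (assumption; real code
    would consult the Public Suffix List)."""
    return ".".join(hostname.split(".")[-2:])


def cousin_of(hostname: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `hostname` appears to imitate, or None
    when it is either a trusted domain itself or unrelated to all of them."""
    raw_reg = registrable(hostname.lower().rstrip("."))
    folded = canonical(hostname)
    folded_reg = registrable(folded)
    for t in trusted:
        if raw_reg == t:
            return None                      # genuinely the trusted domain
        t_fold = canonical(t)
        brand = t_fold.split(".")[0]
        # Same shape once look-alikes are folded (paypa1.com -> paypal.com),
        # or the brand name used as a label outside the registrable domain
        # (paypal-login.com, paypal.com.evil.net).
        if folded_reg == t_fold or any(brand in label for label in folded.split(".")[:-1]):
            return t
    return None


def cert_covers(cert_hostname: str, hostname: str) -> bool:
    """Minimal hostname match: exact name or a single-label wildcard
    (assumption: simplified stand-in for a full certificate check)."""
    c, h = cert_hostname.lower(), hostname.lower()
    if c.startswith("*."):
        return h.count(".") == c.count(".") and h.endswith(c[1:])
    return c == h


def assess(hostname: str, cert_hostname: str) -> dict:
    """Combine the two independent questions: does the cert match the host we
    reached, and does that host look like an imitation of one we trust?"""
    return {
        "cert_matches": cert_covers(cert_hostname, hostname),
        "imitates": cousin_of(hostname),
    }


if __name__ == "__main__":
    # A valid cert for paypa1.com passes the hostname check and would show the
    # lock; only the cousin check notices the substitution.
    print(assess("paypa1.com", "paypa1.com"))
    print(assess("www.paypal.com", "*.paypal.com"))
```

The two results are deliberately kept separate in the verdict: `cert_matches` is what the browser's lock icon reports, while `imitates` is the kind of signal a phishing filter or mail gateway would need to raise, and neither answers the other's question.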