Re: About SSL "Trick or Treat" Dialogs



Owen Taylor wrote:
If you are connecting on an insecure network (say coffee shop wireless)
then a https connection to an untrusted certificate is a distinctly weak
form of security.
It tells you that you have an encrypted connection to *somebody*.

That is correct, of course. It is, however, more secure than an open connection. Case in point: my mail server, which I know I connected to properly on my wired network, and which I told Thunderbird to remember, is not signed by a trusted authority and looks different by host name on an outside network.

When I connect to it from outside, my password is still not traveling through the net in plain text.

Whether by broken design or broken economics, there will always be a lot of certificates that cannot be authenticated against a CA.

Yes, the security is weakened, but there still needs to be something informing the user that their data isn't flying through the air in clear text.

--Pat

