Re: About SSL "Trick or Treat" Dialogs

From: Pat Suwalski <pat suwalski net>
To: Owen Taylor <otaylor redhat com>
Cc: "desktop-devel-list gnome org" <desktop-devel-list gnome org>, stef memberwebs com, Murray Cumming <murrayc murrayc com>
Subject: Re: About SSL "Trick or Treat" Dialogs
Date: Tue, 4 Dec 2007 13:45:31 -0500

Owen Taylor wrote:

If you are connecting on an insecure network (say coffee shop wireless)
then a https connection to an untrusted certificate is a distinctly weak

form of security.

It tells you that you have a encrypted connection to *somebody*.

That is correct, of course. It is, however, more secure than an openconnection. Case in point, on my mail server, which I know I connectedto properly on my wired network, and which I told Thunderbird toremember, is not signed by a trusted authority and looks different byhost name on an outside network.

When I connect to it from outside, my password is still not travelingthrough the net in plain text.

Whether by broken design or broken economics, there will always be a lotof certificates that cannot be authenticated against a CA.

Yes, the security is weakened, but there still needs to be somethinginforming the user that their data isn't flying through the air in cleartext.


--Pat

Follow-Ups:
- Re: About SSL "Trick or Treat" Dialogs
  - From: Owen Taylor

References:
- About SSL "Trick or Treat" Dialogs
  - From: Stef Walter
- Re: About SSL "Trick or Treat" Dialogs
  - From: Owen Taylor

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]