Re: About SSL "Trick or Treat" Dialogs

From: Stef Walter <stef-list memberwebs com>
To: Owen Taylor <otaylor redhat com>
Cc: Murray Cumming <murrayc murrayc com>, Pat Suwalski <pat suwalski net>, "desktop-devel-list gnome org" <desktop-devel-list gnome org>, stef memberwebs com
Subject: Re: About SSL "Trick or Treat" Dialogs
Date: Wed, 5 Dec 2007 00:34:46 +0000 (UTC)

Owen Taylor wrote:
> If you are connecting on an insecure network (say coffee shop wireless)
> then a https connection to an untrusted certificate is a distinctly weak
> form of security. 
> 
> It tells you that you have a encrypted connection to *somebody*.
> 
> - Owen
> 
> (And note that Stef's proposal doesn't just greenlight a connection to
> https://bugs.freedesktop.org, it greenlights a https connection to a
> DNS-spoofed https://mybank.com.)

Neither bugs.freedesktop.org or a DNS spoofed https site would be
'greenlighted' under my proposal. Just the opposite. It would be treated
just like the untrusted connection that it is.

A TCP connection is basically untrusted. And an SSL connection to
someone we can't verify is the same from a trust perspective.

Of course, if someone (like Pat with his mail server) has noted a
specific certificate to be trust worthy, then it will be treated as
trusted whether or not we have a root CA for it.

But presenting the user with the choice every time is wrong in my opinion.

Stef

Follow-Ups:
- Re: About SSL "Trick or Treat" Dialogs
  - From: Owen Taylor

References:
- About SSL "Trick or Treat" Dialogs
  - From: Stef Walter
- Re: About SSL "Trick or Treat" Dialogs
  - From: Pat Suwalski
- Re: About SSL "Trick or Treat" Dialogs
  - From: Owen Taylor

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]