Slashdot Mirror


Mozilla SSL Policy Considered Bad For the Web

Chandon Seldon writes "The issue of digital certificates for SSL and the policies surrounding them comes up repeatedly. I've written an article criticizing the behavior in Firefox 3, which includes a serious comparison of the current Mozilla policy — restricting encrypted HTTP to paying customers — to a violation of net neutrality."

3 of 897 comments

  1. Re:Seconded. by Goaway · · Score: 5, Interesting

    Obviously you don't need encryption very badly if you don't care about man-in-the-middle attacks.

  2. Re:Damn right you are. by Culture20 · · Score: 4, Interesting

    For those sites, buying a certificate is possible, but the costs are high compared to the gains (as this is *only* about protection of the data, not about "being sure this is site XY").

    If my data needs encrypted, you'd better be sure as a client I want to know it's going to the right place. As the server, you probably don't care (but you should). You don't want to spend $$ to get a cert with a browser pre-installed CA? Fine, but please provide a way to contact your company through the yellow pages or some other non-website contact info that allows people to call a real person and verify the SSL cert. 99.999% of people won't, but sysadmins will.

  3. Re:Seconded. by undercanopy · · Score: 4, Interesting

    No: if you train your users to ignore "[this certificate isn't signed by a known authority]" warnings, then you make them substantially MORE vulnerable to man-in-the-middle attacks and, indeed, increase their susceptibility to phishing across the board.

    As a web admin you will of course also have to maintain the certificate store, but that may be very easy if you only have a handful of clients. And if you have a handful of clients you may install the root certificate in a controlled situation on the clients, so not even there you have a big problem with insecurity.

    Didn't you just defeat your own protest to this 'feature?' If you're going to install the cert/root on your clients, then they won't encounter this message, and there's no problem.

    Where I DO see a problem is making it very very cheap and easy for people to register believable certs for

    cittibank.com

    citibnak.com

    citybank.com

    citibanc.com

    Cost of entry keeps attacks like these targeted, removing that would open things up immeasurably... or do you think the phishing problem is overblown and just a commercial stunt too?

    --
    -- D-23994, Muff#2613