On 24.02.2012 04:01, Adam Carter wrote:
>>> In all of those cases above, if you allowed the connection it would
>>> still be SSL encrypted. You'd be protected against packet sniffers but
>>> not against man-in-the-middle attack.
>
> And the reason someone will man-in-the-middle you is so they can
> sniff your traffic and get passwords or other sensitive information.
> This is done by terminating the SSL session from you, and then
> creating a new SSL session to the real server.
>
>>> By switching to http your
>>> session occurs in plain-text and is vulnerable to both attacks.
>>>
>>
>> OK, clearly I'm overstating the problem then. I haven't ever had any
>> problems logging into password protected, little closed lock in the
>> bottom corner web sites, so that's not a problem. The real problem I've
>> noticed the most is just with these links that arrive as https:// type
>> links and Firefox asking me to specifically accept these certificates,
>> which I don't really want to do.
>
> Is the problem that accepting the certificate is inconvenient?
>
>> And I've not had any problems I've noticed by just removing the 's'
>> and using the site like a regular site.
>
> That's ok if you understand that you're turning off the security
> features, so it will be possible for an attacker to see your traffic.
>
>> So, I guess there really isn't any problem with my system.
>
> Correct - the problem is that the server you're connecting to is
> presenting an untrusted certificate. That could be because it's a
> server that's impersonating the server you really want to connect to,
> or the server's administrator is not doing their job. In rare cases it
> could also be that the certificate has been revoked or the CA is no
> longer trusted by your web browser (e.g. the DigiNotar mentioned
> earlier).
>

Let's not forget that whenever you are presented with that warning, it could also be a man-in-the-middle attack. Therefore just clicking on "Accept" on every site is about the stupidest thing you can do.

I'm unsure how the warning looks when you have previously accepted a normally untrusted certificate on that site and now it is different (which could be an indication of MITM). I hope there is a big red flashy warning but I doubt it.

Regards,
Florian Philipp
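The check Florian wonders about, remembering a certificate you once accepted and flagging when the same site later presents a different one, can be done by hand with a small trust-on-first-use fingerprint store. This is an added example, not code from the thread; the pin-store path, the verdict labels and the `example.test` host are assumptions of mine.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Hypothetical pin store: one SHA-256 certificate fingerprint per host:port.
PIN_STORE = Path("~/.cert-pins.json").expanduser()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(key: str, seen: str, store: dict) -> str:
    """Compare a freshly seen fingerprint with the pinned one for this key.

    'first-seen': no pin yet, trust on first use and record it.
    'match':      same certificate as last time.
    'CHANGED':    different certificate. Could be a legitimate renewal, could be
                  someone terminating TLS in front of you; verify out of band.
    The store is only updated in the first-seen case, never on a change."""
    pinned = store.get(key)
    if pinned is None:
        store[key] = seen
        return "first-seen"
    return "match" if pinned == seen else "CHANGED"


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without trusting it.

    Verification is disabled on purpose: an untrusted (self-signed or
    impersonating) certificate must still be retrievable so it can be compared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, port: int = 443) -> str:
    store = json.loads(PIN_STORE.read_text()) if PIN_STORE.exists() else {}
    verdict = classify(f"{host}:{port}", fingerprint(fetch_der_cert(host, port)), store)
    PIN_STORE.write_text(json.dumps(store, indent=2))
    return verdict


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1]))  # e.g. "first-seen", "match" or "CHANGED"
```

Run it once per site you accept manually; a later "CHANGED" is the big red warning the browser may or may not give you, and is the moment to compare the fingerprint through another channel before typing a password.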