From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4F47401F.5090600@binarywings.net>
Date: Fri, 24 Feb 2012 08:45:35 +0100
From: Florian Philipp
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120219 Thunderbird/10.0.1
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86
X-Enigmail-Version: 1.3.5
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 24.02.2012 04:01, Adam Carter wrote:
>>> In all of those cases above, if you allowed the connection it would
>>> still be SSL encrypted. You'd be protected against packet sniffers but
>>> not against a man-in-the-middle attack.
>
> And the reason someone will man-in-the-middle you is so they can
> sniff your traffic and get passwords or other sensitive information.
> This is done by terminating the SSL session from you, and then
> creating a new SSL session to the real server.
>
>>> By switching to http your
>>> session occurs in plain-text and is vulnerable to both attacks.
>>>
>>
>> OK, clearly I'm overstating the problem then. I haven't ever had any
>> problems logging into password protected, little closed lock in the
>> bottom corner web sites, so that's not a problem. The real problem I've
>> noticed the most is just with these links that arrive as https:// type
>> links and Firefox asking me to specifically accept these certificates,
>> which I don't really want to do.
>
> Is the problem that accepting the certificate is inconvenient?
>
>> And I've not had any problems I've noticed by just removing the 's'
>> and using the site like a regular site.
>
> That's ok if you understand that you're turning off the security
> features, so it will be possible for an attacker to see your traffic.
>
>> So, I guess there really isn't any problem with my system.
>
> Correct - the problem is that the server you're connecting to is
> presenting an untrusted certificate. That could be because it's a
> server that's impersonating the server you really want to connect to,
> or the server's administrator is not doing their job. In rare cases it
> could also be that the certificate has been revoked or the CA is no
> longer trusted by your web browser (e.g. the Diginotar mentioned
> earlier).
>

Let's not forget that whenever you are presented with that warning, it
could also be a man-in-the-middle attack. Therefore just clicking on
"Accept" on every site is about the stupidest thing you can do.

I'm unsure how the warning looks when you have previously accepted a
normally untrusted certificate on that site and now it is different
(which could be an indication of MITM). I hope there is a big red
flashy warning but I doubt it.

Regards,
Florian Philipp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9HQCMACgkQqs4uOUlOuU97qwCcDHn3Eq4oXzSOWlaReQKh+4H7
Q64An1V6CGZkdMXuhWe7Szc2Cv4Yk8Qe
=aJBt
-----END PGP SIGNATURE-----
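The point Florian raises above, that an accepted exception for an untrusted certificate should not silently carry over to a *different* certificate for the same host, can be made concrete with a small trust-on-first-use (TOFU) store. The following is an added example written for this page; it is not code from the thread, from Firefox or from Gentoo. It binds each accepted exception to the SHA-256 fingerprint of the certificate's DER encoding, so a later connection presenting another certificate (a legitimate rotation, or an interposed TLS endpoint of the kind Adam describes) is reported as "changed" instead of "match". The certificate bytes, the host name `example.test` and the store format are constructed for the example.

```python
"""Trust-on-first-use (TOFU) store for server certificate fingerprints.

Added example (not from the mailing-list thread). It models what a
browser's "accept this certificate" exception should do: bind the
exception to one specific certificate so that a different certificate
for the same host is reported rather than silently accepted.
The certificates below are constructed byte strings standing in for
DER-encoded certificates; only their hash matters here.
"""
import hashlib
import json
import ssl
from pathlib import Path
from typing import Dict, List, Optional

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-cert-for-example.test-A"
CERT_B = b"constructed-der-cert-for-example.test-B"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated as browser UIs show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """Maps 'host:port' to the fingerprint the user explicitly accepted."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.entries: Dict[str, str] = {}
        if path is not None and path.exists():
            self.entries = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.entries, indent=2))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'first-use', 'match' or 'changed' for this host/cert pair.

        'first-use': no exception exists yet; nothing is recorded until the
        user explicitly calls accept(). 'changed': an exception exists, but
        for a different certificate, which is the case worth a loud warning.
        """
        key = f"{host}:{port}"
        stored = self.entries.get(key)
        if stored is None:
            return "first-use"
        return "match" if stored == fingerprint(der_cert) else "changed"

    def accept(self, host: str, port: int, der_cert: bytes) -> str:
        """Record an explicit, fingerprint-bound exception; return the fingerprint."""
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        self.entries[key] = fp
        self._save()
        return fp


def fetch_live_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate a real server presents (needs network;
    not used by the offline demo). ssl.get_server_certificate does not
    verify the chain, which is what you want when inspecting a warning."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def demo() -> List[str]:
    """Walk through the three outcomes on the constructed certificates."""
    store = TofuStore()
    results = [store.check("example.test", 443, CERT_A)]     # first-use
    store.accept("example.test", 443, CERT_A)
    results.append(store.check("example.test", 443, CERT_A))  # match
    results.append(store.check("example.test", 443, CERT_B))  # changed
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Passing a `Path` to `TofuStore` persists the exceptions as JSON between runs; `fetch_live_fingerprint` lets you compare the fingerprint shown in a browser warning against what the server actually sends from a different network path, which is one cheap way to tell a server-side misconfiguration from something sitting between you and the server.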