Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86

[Florian Philipp <lists@binarywings.net>]

[-- Attachment #1: Type: text/plain, Size: 2399 bytes --]

Am 24.02.2012 18:33, schrieb Paul Hartman:
> On Fri, Feb 24, 2012 at 10:43 AM, Michael Orlitzky <michael@orlitzky.com> wrote:
>> On 02/24/12 02:45, Florian Philipp wrote:
>>>
>>> Let's not forget that whenever you are presented with that warning, it
>>> could also be a man-in-the-middle attack. Therefore just clicking on
>>> "Accept" on every site is about the stupidest thing you can do.
>>>
>>> I'm unsure how the warning looks when you have previously accepted a
>>> normally untrusted certificate on that site and now it is different
>>> (which could be an indication of MITM). I hope there is a big red flashy
>>> warning but I doubt it.
>>>
>>
>> Not if the certificate is "valid."
>>
>> The only sane way to handle certificates with parties you've never met
>> (i.e. every website) is the SSH method: you accept that, no matter what,
>> there's always going to be one opportunity for a man-in-the-middle
>> attack. The first time you connect, you save the remote server's
>> certificate. If it changes, freak out.
>>
>> The certificate patrol extension does this:
>>
>>  http://patrol.psyced.org/
>>
>> With it, self-signed certificates become more secure than CA-signed ones.
> 
> Thanks for the link. The MultiZilla extension way back in the
> Netscape/Mozilla/Seamonkey 1.x days treated certificates like this:
> you had to approve all certs the first time, even if they were from a
> trusted CA and if it ever changed for any reason, it would refuse to
> connect unless you approved the new cert.
> 
> It seems to me that's how it should *always* work, in all software
> that uses SSL certificates, but I understand wanting to keep it simple
> for non-technical users... but those are the very users most at risk,
> probably the most likely to use hostile wifi networks (in my mind,
> hostile is anything other than the router I control at my house).
> 
> Additionally http://perspectives-project.org/ or
> http://convergence.io/ can help you in establishing the initial trust
> and are an attempt at eliminating the need to trust CAs at all.
> 


Just a small follow-up: A neat server-sided trick I didn't know until
now is HTTP Strict Transport Security [1]. It prevents users from
clicking away SSL warnings and prevents mixed content.

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Regards,
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]