From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1S25Ye-0005pg-KA for garchives@archives.gentoo.org; Mon, 27 Feb 2012 18:44:24 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CF55DE0761; Mon, 27 Feb 2012 18:44:10 +0000 (UTC) Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) by pigeon.gentoo.org (Postfix) with ESMTP id 98C4AE0761 for ; Mon, 27 Feb 2012 18:43:09 +0000 (UTC) Received: from compute4.internal (compute4.nyi.mail.srv.osa [10.202.2.44]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 4B9FA20E55 for ; Mon, 27 Feb 2012 13:43:09 -0500 (EST) Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute4.internal (MEProxy); Mon, 27 Feb 2012 13:43:09 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=binarywings.net; h=message-id:date:from:mime-version:to:subject:references :in-reply-to:content-type; s=mesmtp; bh=GWTtrg1xVw8jsMhqGAcNLVJJ g2Q=; b=DcHtn8nC60IxtdG4EyFyH1dFQ54bIMjWi4r5IS/YR4H/HWO4ZvMlhMqw C1LwNJWJMLQFW8vRnoSeHT86r3pxonBEAAz+fHeMZQFS5D1fNlwp4t9MX5APwv/P P3tBKzU6JumzA2rCUl+s28rGMD7Fl+oPug12+Gk2aL0JCJjsoGo= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to :subject:references:in-reply-to:content-type; s=smtpout; bh=GWTt rg1xVw8jsMhqGAcNLVJJg2Q=; b=dX7p36qi/JF52ttNg57XZedCnFLJ6JY32MLc o9Nzkb7gdyyDpTGnQMwXhUl1w0ajq74SBe8Nt7pi38ekPWq8HRYfL9obK3eQsLYy ygEB0UdAHC2og4fZphF4az2Xb5sbYsTXHkaYr++JcvT+NelmI9lj3Rfbg7vd5icy ZIgZtvA= X-Sasl-enc: KDuwcqdtouyTVlWgMhFgZAsFM8n/eqgQsvolRAR83b4e 1330368188 Received: from [192.168.5.18] (serv.binarywings.net [83.169.5.6]) by mail.messagingengine.com (Postfix) with ESMTPSA id 915524824CB for ; Mon, 27 Feb 2012 13:43:08 -0500 (EST) Message-ID: <4F4BCEB5.7010006@binarywings.net> Date: Mon, 27 Feb 2012 19:43:01 +0100 From: Florian Philipp User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120219 Thunderbird/10.0.1 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86 References: <4F47401F.5090600@binarywings.net> <4F47BE2A.6050202@orlitzky.com> In-Reply-To: X-Enigmail-Version: 1.3.5 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigBB8C1C0414C1251979368B83" X-Archives-Salt: 3094439b-04b6-4bc8-9bf2-a90d8c2eaea5 X-Archives-Hash: 5d41390c262dcf0e721255b61e7ec76b This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigBB8C1C0414C1251979368B83 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Am 24.02.2012 18:33, schrieb Paul Hartman: > On Fri, Feb 24, 2012 at 10:43 AM, Michael Orlitzky wrote: >> On 02/24/12 02:45, Florian Philipp wrote: >>> >>> Let's not forget that whenever you are presented with that warning, i= t >>> could also be a man-in-the-middle attack. Therefore just clicking on >>> "Accept" on every site is about the stupidest thing you can do. >>> >>> I'm unsure how the warning looks when you have previously accepted a >>> normally untrusted certificate on that site and now it is different >>> (which could be an indication of MITM). I hope there is a big red fla= shy >>> warning but I doubt it. >>> >> >> Not if the certificate is "valid." >> >> The only sane way to handle certificates with parties you've never met= >> (i.e. every website) is the SSH method: you accept that, no matter wha= t, >> there's always going to be one opportunity for a man-in-the-middle >> attack. The first time you connect, you save the remote server's >> certificate. If it changes, freak out. >> >> The certificate patrol extension does this: >> >> http://patrol.psyced.org/ >> >> With it, self-signed certificates become more secure than CA-signed on= es. >=20 > Thanks for the link. The MultiZilla extension way back in the > Netscape/Mozilla/Seamonkey 1.x days treated certificates like this: > you had to approve all certs the first time, even if they were from a > trusted CA and if it ever changed for any reason, it would refuse to > connect unless you approved the new cert. >=20 > It seems to me that's how it should *always* work, in all software > that uses SSL certificates, but I understand wanting to keep it simple > for non-technical users... but those are the very users most at risk, > probably the most likely to use hostile wifi networks (in my mind, > hostile is anything other than the router I control at my house). >=20 > Additionally http://perspectives-project.org/ or > http://convergence.io/ can help you in establishing the initial trust > and are an attempt at eliminating the need to trust CAs at all. >=20 Just a small follow-up: A neat server-sided trick I didn't know until now is HTTP Strict Transport Security [1]. It prevents users from clicking away SSL warnings and prevents mixed content. [1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Regards, Florian Philipp --------------enigBB8C1C0414C1251979368B83 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9LzroACgkQqs4uOUlOuU9bIACfdyitIYoMX89k2dYtHu+Rhk8M wNUAnjFZuk+ylMTzFKUlL/uA1puU7aB8 =36ht -----END PGP SIGNATURE----- --------------enigBB8C1C0414C1251979368B83--