From: Paul Hartman
Date: Thu, 23 Feb 2012 17:28:49 -0600
Subject: Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86
To: gentoo-user@lists.gentoo.org

On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht wrote:
> What is it about my systems wherein every one of these https links
> cause my systems to barf with a "This Connection is Untrusted" message.
> If I remove the 's' then things work fine.

https encompasses two basic functions: encryption and trust.

In this case the hostname in the SSL certificate installed on that server does not match the hostname in the URL, so it does not trust it. If they matched, it would then check to see if it was expired. If it was not expired, it would then check to see if it was signed by a CA that you trust (browsers come with a set of trusted CAs already). If it was self-signed or signed by an untrusted CA (like DigiNotar...) you'd get a warning as well.

If literally every https link is untrusted, maybe you have an issue with the installation of certificates on your system, or have chosen not to trust any CAs.

Commercial websites, banks, stores, etc. should always have valid and trusted certificates. In the OSS world, most people don't have the need or money to pay for a certificate when all they're really interested in is encrypting the connection. There are also servers that are listening for https connections but aren't advertised as such... the Mozilla website is probably one of those. Using plug-ins like HTTPS-everywhere will try to use https even on sites that don't use it by default.

In all of those cases above, if you allowed the connection it would still be SSL encrypted. You'd be protected against packet sniffers but not against a man-in-the-middle attack. By switching to http your session occurs in plain-text and is vulnerable to both attacks.
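
The sequence of checks described in the message above (hostname, then expiry, then issuer trust), as an added example that is not part of the original email. It runs over constructed dictionaries shaped like Python's `ssl.SSLSocket.getpeercert()` output; `make_cert`, `name_matches` and `why_untrusted` are hypothetical names, and trust is modelled by issuer name only, whereas a real TLS stack verifies the signature chain.

```python
import ssl

# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output.
def make_cert(names, subject_cn, issuer_cn, not_after):
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notAfter": not_after,
        "subjectAltName": tuple(("DNS", n) for n in names),
    }

def _cn(rdns):
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

# Exact match, or one leftmost "*" label standing in for exactly one label.
def name_matches(pattern, hostname):
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

# First failing check, in the order the message lists them; None if all pass.
# Assumption: trust is modelled by issuer name; real TLS verifies signatures.
def why_untrusted(cert, hostname, now, trusted_ca_names):
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        return "hostname mismatch"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    issuer, subject = _cn(cert["issuer"]), _cn(cert["subject"])
    if issuer == subject:
        return "self-signed"
    if issuer not in trusted_ca_names:
        return "untrusted CA"
    return None

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Feb 23 23:28:49 2012 GMT")
    cert = make_cert(["*.example.org"], "www.example.org",
                     "Constructed Root CA", "Dec 31 23:59:59 2012 GMT")
    for host in ("www.example.org", "example.org"):
        print(host, "->", why_untrusted(cert, host, now, {"Constructed Root CA"}))
```

The wildcard case shows why a certificate for `*.example.org` still produces the warning on the bare `example.org`: the wildcard covers exactly one label.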