From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1S0jlq-0003Pg-Av for garchives@archives.gentoo.org; Fri, 24 Feb 2012 01:16:26 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2F3CAE0B81; Fri, 24 Feb 2012 01:16:13 +0000 (UTC) Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53]) by pigeon.gentoo.org (Postfix) with ESMTP id 5CAE8E0ACE for ; Fri, 24 Feb 2012 01:14:50 +0000 (UTC) Received: by wgbdr12 with SMTP id dr12so1566879wgb.10 for ; Thu, 23 Feb 2012 17:14:49 -0800 (PST) Received-SPF: pass (google.com: domain of markknecht@gmail.com designates 10.180.86.198 as permitted sender) client-ip=10.180.86.198; Authentication-Results: mr.google.com; spf=pass (google.com: domain of markknecht@gmail.com designates 10.180.86.198 as permitted sender) smtp.mail=markknecht@gmail.com; dkim=pass header.i=markknecht@gmail.com Received: from mr.google.com ([10.180.86.198]) by 10.180.86.198 with SMTP id r6mr285944wiz.22.1330046089648 (num_hops = 1); Thu, 23 Feb 2012 17:14:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=WEKwGkfMcjPwFghtO6/zbgp1/E196AM1nG8Y3+RzzP0=; b=fwrStcfm79j0moZ1DPcWMj6Y+B62Ojrkys4GZJgsR1zHKQwT4byYrlFg15dj2TpTCk jS6xUGDMNwPxn1xxB4yRrJq+qc8wfinxcFfG/HIObrJW/vnKRgECBh+vjaXGWP7Z7o+3 9ZyzzzQrpHqRjwiq9rJg6YVwsKtaDOzP2kUW0= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Received: by 10.180.86.198 with SMTP id r6mr238549wiz.22.1330046089596; Thu, 23 Feb 2012 17:14:49 -0800 (PST) Received: by 10.223.4.154 with HTTP; Thu, 23 Feb 2012 17:14:49 -0800 (PST) In-Reply-To: References: Date: Thu, 23 Feb 2012 17:14:49 -0800 Message-ID: Subject: Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86 From: Mark Knecht To: gentoo-user@lists.gentoo.org Content-Type: text/plain; charset=UTF-8 X-Archives-Salt: b7963c9d-0e3b-4bd3-a060-d97e21c4f563 X-Archives-Hash: c1c2f17c26ba02cef0d1a81fade1c349 On Thu, Feb 23, 2012 at 3:28 PM, Paul Hartman wrote: > On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht wrote: >> What is it about my systems wherein every one of these https links >> case my systems to barf with a "This Connection is Untrusted" message. >> If I remove the 's' then things work fine. > > https encompasses two basic functions: encryption and trust. > > In this case the hostname in the SSL certificate installed on that > server does not match the hostname in the URL, so it does not trust > it. If they matched, it would then check to see if it was expired. If > it was not expired, it would then check to see if it was signed by a > CA that you trust (browsers come with a set of trusted CAs already). > If it was self-signed or signed by an untrusted CA (like DigiNotar...) > you'd get a warning as well. > > If literally every https link is untrusted, maybe you have an issue > with the installation of certificates on your system, or have chosen > not to trust any CAs. > > Commercial websites, banks, stores, etc. should always have valid and > trusted certificates. In OSS world, most people don't have the need or > money to pay for a certificate when all they're really interested in > is encrypting the connection. There are also servers that are > listening for https connections but aren't advertised as such... the > mozilla website is probably one of those. Using plug-ins like > HTTPS-everywhere will try to use https even on sites that don't use it > by default. > > In all of those cases above, if you allowed the connection it would > still be SSL encrypted. You'd be protected against packet sniffers but > not against man-in-the-middle attack. By switching to http your > session occurs in plain-text and is vulnerable to both attacks. > OK, clearly I'm overstating the problem then. I haven't ever had any problems logging into password protected, little closed lock in the bottom corner web sites so that's not a problem. The real problem I've noticed the most is just with these links that arrive as https:// type links and Firefox asking me to specifically accept these certificates which I don't really want to do. And I've not had any problems I've noticed by just removing the 's' and using the site like a regular site. So, I guess there really isn't any problem with my system. I appreciate the info folks. As always, thanks! Cheers, Mark