[TriLUG] CAcert meeting -- how to prepare
Michael Tharp
gxti at partiallystapled.com
Fri Feb 6 23:22:59 EST 2009
Alan Porter wrote:
> * Actually, up until FF3, these were the suckiest of them all,
> because the lock icon made you THINK they were secure, when
> really they weren't.
Firefox has, as have all browsers for the past decade and then some,
always complained about self-signed certificates and unknown CAs. This is
a fundamental component of PKI. What *has* changed is that you now have
to click 5 buttons (or 6 on a POST) instead of 1, which is quite
effective in preventing grandmothers from ever using a site protected by
such a certificate.
Additionally, sites protected by self-signed certificates are still
secure, for some definition of the word -- the certificates themselves
have nothing to do with the cryptography that protects the secure
channel. The problem is that you have no idea *who* the secure channel
is to unless you can verify the certificate either normally (by a
signature from a trusted authority) or through another channel (a SHA-1
fingerprint written down on a napkin).
-- m. tharp
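The "fingerprint on a napkin" check described above, as an added example that is not part of the original post or the thread: compute a certificate's fingerprint over its DER bytes (the same value `openssl x509 -fingerprint` prints) and compare it against a value obtained out of band, instead of relying on a CA signature. The function names and the stand-in certificate bytes are assumptions for illustration; the sample is not a real X.509 structure, since the fingerprint is simply a hash of the raw DER encoding and does not depend on parsing it. SHA-1 is what the post names; the same routine produces SHA-256, which is what a practitioner would write down today given SHA-1's collision weaknesses.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a certificate (hypothetical, not a real X.509 DER
# structure). A real self-signed cert would be the DER output of, e.g.,
# `openssl req -x509 -newkey rsa:2048 -nodes -outform DER`. Fingerprinting
# hashes the raw DER bytes, so any byte string exercises the same code path.
SAMPLE_DER = bytes(range(256)) * 3
# Same bytes wrapped in PEM, as a browser export or `openssl s_client` shows them.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def to_der(cert):
    """Accept either a PEM string or raw DER bytes and return the DER bytes."""
    if isinstance(cert, str):
        # ssl.PEM_cert_to_DER_cert strips the BEGIN/END lines and base64-decodes;
        # it does not validate the certificate contents.
        return ssl.PEM_cert_to_DER_cert(cert)
    return bytes(cert)


def fingerprint(cert, algorithm="sha1"):
    """Return the fingerprint in OpenSSL's colon-separated upper-case form."""
    digest = hashlib.new(algorithm, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop colons, spaces and case so a hand-copied fingerprint compares cleanly."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches_fingerprint(cert, expected, algorithm="sha1"):
    """True only if the certificate's fingerprint equals the out-of-band value.

    A length mismatch (wrong hash algorithm, truncated napkin) is a failure,
    never a partial match. hmac.compare_digest avoids leaking the position
    of the first differing byte through timing.
    """
    got = normalize(fingerprint(cert, algorithm))
    want = normalize(expected)
    return hmac.compare_digest(got, want)


def fetch_server_pem(host, port=443):
    """Fetch the leaf certificate a server presents, as PEM (network access).

    Not called in the offline demo below; useful for comparing a live site's
    fingerprint against the one you were handed in person.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    napkin = fingerprint(SAMPLE_DER)            # what you would write down
    print("SHA-1  :", napkin)
    print("SHA-256:", fingerprint(SAMPLE_DER, "sha256"))
    # The PEM form of the same certificate yields the same fingerprint.
    print("PEM matches napkin:", matches_fingerprint(SAMPLE_PEM, napkin))
    # A substituted certificate (one byte appended) does not.
    print("Tampered matches  :", matches_fingerprint(SAMPLE_DER + b"\x00", napkin))
```

The comparison normalizes what a human wrote down (lower case, spaces instead of colons) but still rejects a value of the wrong length, so handing someone a SHA-256 fingerprint and checking it as SHA-1 fails rather than silently passing.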