undefined | Better HN

0 pointsicebraining11y ago0 comments

Worse in the sense that you expect an HTTPS connection to be secure, while you don't (or shouldn't!) expect an HTTP connection to be.

0 comments

Karunamon11y ago

Then treat a self signed HTTPS cert as equivalent to an unsecured HTTP connection and be done with it.

There's absolutely no reason that the most common failure modes (expiration, bare domain vs www., self signed) presents warnings that Something Fishy Is Going On®, when 9999/10000 times, there is not.

Smoke coming from my neighbor's yard in the summer might be a fire, but in all likelihood, they're running a barbecue grill. The SSL equivalent would be calling the fire department every time someone puts some steaks on.

icebrainingOP11y ago

You can't treat a self-signed HTTPS cert as equivalent, because it has "https" in the URL, which people use to distinguish a safe connection from an unsafe one.

Karunamon11y ago

In a graphical browser as used by most people? Sure you can. Chrome's method of striking out the https bit and turning it red is quite evocative.

What I take issue with here is the "HOLY CRAP, STOP EVERYTHING!" nature of the warnings as thrown by browsers nowadays. The severity of the warning is not proportional to the likelihood of there being something actually wrong, hence crying wolf. ("Yes, I know this is a self signed cert, because it's mine, now screw off and load the page I asked you to, thanks.") IMAO, there is zero reason for an expired certificate to throw this kind of warning.

And there's an argument that there's a good reason for that, but that reason ignores the fact that users have been steadily conditioned to click past the warnings, and most of the time, to no ill effect.

Apparently enough people fail to make the connection that there are plans to apply the same thing to plain http connections sometime in the near future.

Zikes11y ago

In 2010 China MITM'd 15% of the entire internet[0]. Last month, a Chinese CA issued an unauthorized certificate for the google.com domain[1].

Invalid certificates _need_ to be treated as a major security risk, and an expired certificate is still invalid. The only way the system works is via a network of trust, and if I'm an issuer of certificates I would expect that if I said a certificate I issued is expired, it would be treated as such.

Yes it sucks that managing the certificates is difficult and expensive, and it's great that Mozilla is doing something about that, but the technical foundations on which the current certificate system is built are in place for very good reasons. Encrypting traffic doesn't do any good when you're encrypting on the middleman's terms, and the only way to make sure that's not happening is by verifying the identity of the server you're talking to.

[0] http://www.eweek.com/c/a/Security/15-Percent-of-Internet-Tra...

[1] http://thenextweb.com/insider/2015/04/02/google-to-drop-chin...

1 more reply

j / k navigate · click thread line to collapse

0 comments

Karunamon11y ago

Then treat a self signed HTTPS cert as equivalent to an unsecured HTTP connection and be done with it.

icebrainingOP11y ago

You can't treat a self-signed HTTPS cert as equivalent, because it has "https" in the URL, which people use to distinguish a safe connection from an unsafe one.

Karunamon11y ago

In a graphical browser as used by most people? Sure you can. Chrome's method of striking out the https bit and turning it red is quite evocative.

Apparently enough people fail to make the connection that there are plans to apply the same thing to plain http connections sometime in the near future.

Zikes11y ago

In 2010 China MITM'd 15% of the entire internet[0]. Last month, a Chinese CA issued an unauthorized certificate for the google.com domain[1].

[0] http://www.eweek.com/c/a/Security/15-Percent-of-Internet-Tra...

[1] http://thenextweb.com/insider/2015/04/02/google-to-drop-chin...

1 more reply

j / k navigate · click thread line to collapse