northrupthebandg...@gmail.com schrieb:
On Monday, April 13, 2015 at 8:26:59 PM UTC-7, ipar...@gmail.com wrote:
* Less scary warnings about self-signed certificates (i.e. treat
HTTPS+selfsigned like we do with HTTP now, and treat HTTP like we do with
HTTPS+selfsigned now); the fact that self-signed HTTPS is treated as less
secure than HTTP is - to put this as politely and gently as possible - a pile
of bovine manure
I am against this. Both are insecure and should be treated as such. How is your
browser supposed to know that gmail.com is intended to serve a self-signed
cert? It's not, and it cannot possibly know it in the general case. Thus it
must be treated as insecure.
Except that one is encrypted, and the other is not. *By logical measure*, the
one that is encrypted but unauthenticated is more secure than the one that is
neither encrypted nor authenticated, and the fact that virtually every
HTTPS-supporting browser assumes the precise opposite is mind-boggling.
Right, the transport is encrypted, but it's completely unverified that
you are accessing the actual machine you wanted to reach (i.e. there is
no domain verification, which is what you need a 3rd-party system for,
the CA system being the usual one in the TLS/web realm). You could just
as much be connected to a MitM with that encrypted transport.
KaiRo
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
