On Wednesday, 14 August 2013 12:21:15 UTC+3, Kevin Chadwick wrote:

> > This is because the cheapest CAs do such bad work that the
> > security is very close to a self-signed cert.
>
> Please show me evidence of startssl being less secure than some of the
> big CAs that have had major incidents. You only need to send them a csr
> too.

Where did I claim that startssl is a problem? My point was that a cert issued by the cheapest CA is technically equally valid to one issued by the CA with the highest prices and standards. The cheapest CAs simply *cannot do real validation* for the money they get, and as a result the value of *all* CA-issued certs is lowered, because browsers do not make any difference between a cheap CA and a high quality CA (assuming one does exist).

The EV cert stuff is an attempt to fix this, but that's only a political change. Technically an EV cert only has one extra extension flag which is always marked as "Not Critical". *Any* CA can sign such a cert if they want.

> If someone can MITM they can almost certainly defeat your browser or
> flash or vlc plugin and then your ssl means nothing, even more so after
> a bank login and so you have one time passwords and alerts.

If an attacker can successfully implement a MitM attack while you're entering your bank's one time password, that one time password provides no additional safety. The MitM attacker will simply show a form requesting the one time password, and after the correct one time password has been entered, the attacker will use the given password to initiate his own session. For extra points, the attacker can return an "incorrect password" message to the real user and request additional one time passwords as required.

> To me you just sound like a profiteer for CAs?

English is not my native language, so I'm not sure what you mean with the word "profiteer" in this context. Are you asking if I consider the current CA system good? Not by a long shot. I believe projects such as http://perspectives-project.org/ and http://convergence.io/ are the future.

I'm trying to argue that the current non-EV certification process is no good and self-signed certificates can be used to provide equal security in practice. Then we can discuss if browsers should display some kind of "secure" indicators for HTTPS connections with non-EV certs/self-signed certificates.

I believe that the answer should be "no", and this is the "neutral HTTPS" which has been discussed in this thread. I believe that the current EV certificates have roughly equal value to late 1990s / early 2000s normal SSL certificates; not very good, but still better than a self-signed certificate. Absolutely nothing compared to verifying the key fingerprint by yourself.

> In fact there is far more evidence that the GREEN EV crts pose more of
> a false sense of security than 'normal' domain validating certs!

Hence my wish that even EV certs displayed indicators for "encrypted connection" instead of "secure site". I'm not a good enough interface designer to suggest a good method for that difference. However, if we want to really improve the security of services, the users need to understand this difference.

-- 
Mikko

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
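The message above makes two technical points: the EV marker is a single non-critical extension that any CA can emit, and an out-of-band fingerprint check is stronger than any CA policy. The following is an added example, not code from the original post or from any of the projects it links; it uses a small hand-written DER encoder/decoder to build a constructed certificatePolicies extension, then reads back the extension OID, its `critical` flag and the policy identifiers, and computes the SHA-256 fingerprint a user would compare by hand. It assumes the CA/Browser Forum policy identifiers (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV); no real certificate is parsed, only the constructed Extensions sequence, so the input is labelled as constructed.

```python
"""Inspect the certificatePolicies extension that carries the EV marker.

Added example (not from the original mailing-list post). Builds a constructed
X.509 Extensions SEQUENCE with a minimal DER encoder, then parses it back to
show that the EV marker is one ordinary, non-critical extension.
"""
import hashlib

OID_CERT_POLICIES = "2.5.29.32"   # id-ce-certificatePolicies (RFC 5280)
OID_CABF_EV = "2.23.140.1.1"      # CA/Browser Forum EV policy identifier
OID_CABF_DV = "2.23.140.1.2.1"    # CA/Browser Forum DV policy identifier


# ---- minimal DER encoding -------------------------------------------------
def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]          # base-128, high bit set on all but the last byte
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_extension(ext_oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    parts = encode_oid(ext_oid)
    if critical:                    # DER omits a BOOLEAN equal to its DEFAULT
        parts += tlv(0x01, b"\xff")
    parts += tlv(0x04, value_der)
    return tlv(0x30, parts)


def build_cert_policies(policy_oids):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier }"""
    infos = b"".join(tlv(0x30, encode_oid(o)) for o in policy_oids)
    return tlv(0x30, infos)


# ---- minimal DER decoding -------------------------------------------------
def parse_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_sequence(body):
    """Split a SEQUENCE body into its (tag, body) children."""
    pos, items = 0, []
    while pos < len(body):
        tag, child, pos = parse_tlv(body, pos)
        items.append((tag, child))
    return items


def decode_oid(body):
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_extensions(ext_seq_der):
    """Return [{oid, critical, value}] for every extension in an Extensions SEQUENCE."""
    tag, body, _ = parse_tlv(ext_seq_der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result = []
    for _, ext_body in parse_sequence(body):
        fields = parse_sequence(ext_body)
        critical, idx = False, 1
        if fields[idx][0] == 0x01:      # optional BOOLEAN present only when TRUE in DER
            critical, idx = fields[idx][1] != b"\x00", idx + 1
        result.append({"oid": decode_oid(fields[0][1]), "critical": critical,
                       "value": fields[idx][1]})
    return result


def policy_oids(ext_value):
    _, body, _ = parse_tlv(ext_value)
    return [decode_oid(parse_sequence(info)[0][1]) for _, info in parse_sequence(body)]


def ev_marker(ext_seq_der):
    """(has_ev_policy, extension_is_critical) for certificatePolicies, or None if absent."""
    for ext in parse_extensions(ext_seq_der):
        if ext["oid"] == OID_CERT_POLICIES:
            return OID_CABF_EV in policy_oids(ext["value"]), ext["critical"]
    return None


def fingerprint(der_bytes):
    """SHA-256 fingerprint a user would compare out of band (colon-separated hex)."""
    h = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# Constructed sample inputs: the Extensions SEQUENCE of an "EV" and a "DV" cert.
EV_EXTS = tlv(0x30, build_extension(OID_CERT_POLICIES, build_cert_policies([OID_CABF_EV])))
DV_EXTS = tlv(0x30, build_extension(OID_CERT_POLICIES, build_cert_policies([OID_CABF_DV])))

if __name__ == "__main__":
    for name, exts in (("EV", EV_EXTS), ("DV", DV_EXTS)):
        print(name, ev_marker(exts), [e["oid"] for e in parse_extensions(exts)])
    print("fingerprint:", fingerprint(EV_EXTS))
```

Running it shows the only difference between the "EV" and "DV" inputs is one policy OID inside a non-critical extension, which is exactly the point the post makes: nothing in the encoding stops any CA from emitting it, so the distinction rests on browser policy, not on the certificate itself. The `fingerprint` helper hashes whatever DER you hand it; on a real certificate you would pass the full DER-encoded certificate rather than just its extensions.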
