Jeremy Morton wrote:
> Nelson B wrote:
>> http is vulnerable to passive attack ("sniffers").
>> https with self-signed certs is not vulnerable to passive attack.
>> That is the only essential difference.
>> Both are vulnerable to active attack.
>> Both are *trivially* attacked by MITM attackers.
>>
>
> Right, I realise all of that.
>
> I guess my question is whether you have any reliable statistics as to
> what kind of number of passive attackers there are out there vs active
> attackers. Are there literally virtually no passive attackers? If so,
> not distinguishing HTTPS w/ self-signed in the chrome would make sense.
> However if there are a significant number, that 'essential difference'
> is still important, no?
Jeremy, I think one of the problems with self-signed certificates is
what I call the "warning-popup-click-away-effect". People simply got used to
clicking through the warnings, which in some way deflated the SSL
authentication model further (speaking here only about domain validated
authentication - identity or organization validation is yet another
issue). Would the casual user have the means and knowledge to distinguish
between self-signed and CA issued certificates - like you and me most
likely do, the problem wouldn't be such. However this is not the case
and therefore the steps taken by Mozilla I guess.
Considering the effect it will have on the millions of casual users - it
dwarfs the negative effect it has on web site owners who preferred to use
self-signed certificates. But I invite you to read an article I wrote
not long ago at https://blog.startcom.org/?p=33 which gives some heads
up. Certainly nothing is guaranteed forever, but provides an alternative
to self-signed certificates today. Just my two cents...
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto