Jan Egil Kristiansen wrote:
When I open https://www.londonstockexchange.co.uk/ in Firefox, I get a
warning that the certificate is issued to www.londonstockexchange.com.
But if I click OK, my lower right corner displays a padlock and a claim
that www.londonstockexchange.co.uk is "signed by VeriSign Trust Network".
That's not true. The connection is encrypted, but it is NOT signed by
VeriSign, and thus open to man-in-the-middle attack.
I was responsible for clicking OK, but my click is not binding for
VeriSign.
I tend to think that https connections with domain name mismatches
should not display the padlock at all, because the encryption can't be
trusted.
My click indicated that I was willing to view the site without signature
and encryption, and the browser should remind me of that decision.
Anyone agree? Disagree?
--
Nelson B
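
The distinction drawn in the message above, between a chain that validates and a certificate that is actually bound to the host being visited, as an added example (not code from the original post or from Firefox). The names `name_matches` and `indicator`, the indicator wording and the wildcard example are assumptions for illustration; the policy is the one the poster proposes, where an override lets the page load but never earns the padlock.

```python
# Added illustration; function names and messages are hypothetical, not Firefox code.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label and needs at
        # least two literal labels after it (so "*.com" never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def indicator(host, cert_names, chain_trusted, user_override=False):
    """Decide what the status bar may claim: returns (padlock, text).

    The padlock and any "signed by" claim require BOTH a trusted chain
    and a name match. Clicking OK on a warning sets user_override, which
    allows the load but does not upgrade the indicator.
    """
    matched = any(name_matches(n, host) for n in cert_names)
    if chain_trusted and matched:
        return True, f"{host} is verified by the certificate issuer"
    if not user_override:
        return False, f"blocked: certificate is not valid for {host}"
    if chain_trusted:
        return False, (f"encrypted, but the certificate is for "
                       f"{', '.join(cert_names)}, not {host}")
    return False, "encrypted, but the certificate issuer is not trusted"


# The case from the post: trusted chain, wrong name, user clicked OK.
VISITED = "www.londonstockexchange.co.uk"
CERT_NAMES = ["www.londonstockexchange.com"]

if __name__ == "__main__":
    print(indicator(VISITED, CERT_NAMES, chain_trusted=True, user_override=True))
```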