On Thu, 2008-05-08 at 00:45 +0200, Martin Pitt wrote:

> This doesn't have anything to do with power users/n00bs. An invalid
> SSL certificate isn't any better or worse depending on the type of
> user. If a site sets up SSL with an invalid certificate, then this
> buys the user nothing but a false sense of security.

Sorry. What *is* an invalid certificate? A certificate that does not
carry the fully-qualified host name in its Common Name?

If this is your view, I humbly beg to differ.

An invalid certificate is a certificate that is outside its timeframe
(not valid before/after), or that does not verify against the root (all
the way through the chain), or that is used outside its specified
capabilities (but *this* one is oh so very tricky...), for example.

But not matching the FQHN does *NOT* make a certificate invalid. At all.
Even more because there is no standard requiring it. Well, there is the
common use, but it is common use also for most users to accept any
certificate received on the wire. Common use does not cut it.

> The proper approach to this IMHO is to make adding exceptions in all
> web browsers (especially IE) as hard and explicit as in Firefox 3.
> This would perhaps force site admins to get a grip and stop ignoring
> broken SSL certs, once they get a flood of complaints.

I fully agree. Nevertheless, we cannot be more royal than the king. I
myself had one case where a generic certificate installed by a software
vendor (so that only HTTPS would be feasible from the beginning) was
flatly and utterly refused by epiphany-browser (wrong usage). Firefox,
at least, swallowed it after I added the exception.

Here the point is: we do not even agree with ourselves how to deal with
certificates, and we expect users to be happy?


> > Is there any key to toggle off this new feature?
> 
> I *so much* hope that there isn't. People should really start to
> understand that this is a SERIOUS error and shouldn't at all be
> considered 'normal'.

100% with you. But it all has to start with education, not just forcing
a new feature down the user's throat. For most casual users, this
education is -- from my own experience with casual and theoretically
technical users -- not easy. And I do understand X509 & friends.

On this point, I wonder if we are just making it a bit harder what most
users have been doing for ever. All we will get is grumbling, *unless*
we also provide clear, short, nice, reasonable, explanations.

Ah well.

..hggdh..
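
Added example (not part of the original message, and not code from either poster): the checks named in the message above, run one at a time with the openssl command-line tool so that each verdict is reported separately. The CA, the leaf certificate, the host name www.example.test and the clientAuth usage are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed and discarded.
verdict() { if "$@" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi; }

cert_checks() {
    host=${1:-www.example.test}   # host name the client asked for (made up)
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Throwaway root, standing in for a CA the client already trusts.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Constructed Test Root" \
            -keyout ca.key -out ca.pem >/dev/null 2>&1 || exit 1
        # Leaf with a generic Common Name (no host name) and an
        # extended key usage that does not include TLS server auth.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=generic-appliance" \
            -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
        printf 'extendedKeyUsage=clientAuth\n' > ext.cnf
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 30 -extfile ext.cnf \
            -out leaf.pem >/dev/null 2>&1 || exit 1

        # 1. Not expired (notAfter is still in the future).
        if openssl x509 -in leaf.pem -noout -checkend 0 >/dev/null 2>&1
        then t=ok; else t=fail; fi
        # 2. Signature chain up to the trusted root.
        c=$(verdict openssl verify -CAfile ca.pem leaf.pem)
        # 3. Same chain, also asking whether it may act as a TLS server.
        p=$(verdict openssl verify -CAfile ca.pem -purpose sslserver leaf.pem)
        # 4. Same chain, also matching the requested host name.
        h=$(verdict openssl verify -CAfile ca.pem -verify_hostname "$host" leaf.pem)
        echo "time=$t chain=$c purpose=$p hostname=$h"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

cert_checks
```

Checks 3 and 4 are opt-in flags on top of the same chain verification as check 2, which is why one certificate can pass some of them and fail others.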


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
