On Tue, 13 May 2008 19:32:23 -0400 (EDT) [EMAIL PROTECTED] wrote:
>> No, they won't, and shouldn't.  Why pay some idiot corporation an
>> extortion fee just because they bribed the browser manufacturers to
>> include their certs by default?  There is NO added security to having a
>> paid for cert.
>
> In 8.04, CACert is included as a provider. CACert is free. The price bit
> is moot.
>
Yes, but a cert from a valid CA or one you've previously accepted only helps 
against MITM attacks.  It helps not a bit against the rather more common 
problem of social engineering attacks using cousin domains (e.g. paypal.com 
and paypa1.com).  Cert recognition/validation doesn't tell you anything about 
how good or bad the distant end is.

The rather larger problem is that the little lock is generally presumed by 
users to mean much more than it does.  Emphasizing cert validity only 
compounds the problem.  As an example, after today I'd be rather more 
concerned if I didn't get an unknown cert warning from a Debian site than 
if I did.

Scott K
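The cousin-domain point above (paypal.com versus paypa1.com) is exactly the case that certificate validation cannot catch, since the lookalike site can hold a perfectly valid certificate for its own name. The following is an added illustration, not code from the list thread or from Ubuntu: a small defender-side check that flags hostnames whose registrable domain is visually confusable with, or one keystroke away from, a trusted domain. The confusable map, the trusted set (paypal.com from the thread plus ubuntu.com as a constructed second entry) and the two-label "registrable domain" rule are all assumptions made for the example; a real deployment would use a public-suffix list and a fuller confusables table.

```python
# Added example: flag cousin/lookalike domains that a valid cert would not reveal.
# Constructed, non-exhaustive map of character sequences that look alike in
# common fonts, each mapped to a canonical "skeleton" form.
CANONICAL = {
    "rn": "m",   # "arnazon" renders much like "amazon"
    "vv": "w",   # double v versus w
    "1": "l",    # digit one versus lower-case L (the paypa1.com case)
    "|": "l",    # vertical bar versus lower-case L
    "0": "o",    # digit zero versus letter o
}

# Constructed trusted set: paypal.com is from the thread, ubuntu.com is added.
TRUSTED = {"paypal.com", "ubuntu.com"}


def skeleton(label: str) -> str:
    """Collapse visually confusable sequences so lookalikes compare equal."""
    s = label.lower()
    # Replace multi-character sequences first so "rn" is handled before "n".
    for src, dst in sorted(CANONICAL.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    Real code should consult the public-suffix list (e.g. co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches single-keystroke typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike of X', 'typo of X' or 'unrelated'."""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        if skeleton(reg) == skeleton(t):
            return f"lookalike of {t}"
        if edit_distance(reg, t) == 1:
            return f"typo of {t}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a proxy or DNS log.
    for h in ["www.paypal.com", "paypa1.com", "paypai.com", "arnazon.example",
              "secure.ubuntu.com", "ubvntu.com", "example.org"]:
        print(f"{h:20} -> {classify(h)}")
```

The check is deliberately applied to the registrable domain rather than the full hostname, so a phishing host such as paypal.com.evil.example is still judged by its real owner's domain (evil.example), and a legitimate subdomain of a trusted site is not flagged. Note that this is a heuristic for triage, not a substitute for the user actually reading the address bar.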

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss