>> In all of those cases above, if you allowed the connection it would
>> still be SSL encrypted. You'd be protected against packet sniffers but
>> not against man-in-the-middle attack.

And the reason someone will man-in-the-middle you is so they can
sniff your traffic and get passwords or other sensitive information.
This is done by terminating the SSL session from you, and then
creating a new SSL session to the real server.

>> By switching to http your
>> session occurs in plain-text and is vulnerable to both attacks.
>>
>
> OK, clearly I'm overstating the problem then. I haven't ever had any
> problems logging into password protected, little closed lock in the
> bottom corner web sites so that's not a problem. The real problem I've
> noticed the most is just with these links that arrive as https:// type
> links and Firefox asking me to specifically accept these certificates
> which I don't really want to do.

Is the problem that accepting the certificate is inconvenient?

> And I've not had any problems I've noticed by just removing the 's'
> and using the site like a regular site.

That's ok if you understand that you're turning off the security
features, so it will be possible for an attacker to see your traffic.

> So, I guess there really isn't any problem with my system.

Correct - the problem is that the server you're connecting to is
presenting an untrusted certificate. That could be because it's a
server that's impersonating the server you really want to connect to,
or the server's administrator is not doing their job. In rare cases it
could also be that the certificate has been revoked or the CA is no
longer trusted by your web browser (e.g. the DigiNotar mentioned
earlier).

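As an added illustration (not part of the thread), the check below connects with full certificate verification on and reports why a certificate is untrusted, sorting it into the reasons the reply lists (impersonation, an expired or self-signed certificate, revocation, a CA no longer trusted) instead of falling back to plain http. The verify codes are OpenSSL's X509 verify result codes from x509_vfy.h as exposed by Python's ssl module; the `check_https_server` and `classify_verify_error` names are this example's own.

```python
import socket
import ssl

# OpenSSL X509 verify result codes (from OpenSSL's x509_vfy.h) mapped to
# the reasons the reply gives for a browser rejecting a certificate.
VERIFY_REASONS = {
    9:  "certificate not yet valid (server clock or admin error)",
    10: "certificate expired (server admin not renewing it)",
    18: "self-signed leaf certificate (possible impersonation or MITM)",
    19: "self-signed certificate in chain (private CA, not trusted here)",
    20: "issuer CA not in local trust store (untrusted or removed CA, e.g. DigiNotar)",
    23: "certificate revoked by its CA",
    62: "hostname does not match certificate (possible impersonation or MITM)",
}


def classify_verify_error(verify_code, verify_message=""):
    """Turn an OpenSSL verify code into a plain-English reason."""
    return VERIFY_REASONS.get(
        verify_code, f"other verification failure: {verify_message}")


def check_https_server(host, port=443, timeout=5.0):
    """Connect with chain and hostname verification on and report the outcome.

    Returns ("ok", subject) when the certificate verifies, or
    ("untrusted", reason) when it does not. It never retries over plain
    http, which is the downgrade the thread warns against.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                return "ok", dict(rdn[0] for rdn in cert["subject"])
    except ssl.SSLCertVerificationError as e:
        return "untrusted", classify_verify_error(e.verify_code, e.verify_message)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(check_https_server(target))
```

Run it against the host from a suspicious https:// link; an "untrusted" result tells you which of the reasons above applies before you decide whether to trust the site at all.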