On 24.02.2012 04:01, Adam Carter wrote:
>>> In all of those cases above, if you allowed the connection it would
>>> still be SSL encrypted. You'd be protected against packet sniffers but
>>> not against man-in-the-middle attack.
> 
> And the reason someone will man-in-the-middle you, is so they can
> sniff your traffic and get passwords or other sensitive information.
> This is done by terminating the SSL session from you, and then
> creating a new SSL session to the real server.
> 
>>> By switching to http your
>>> session occurs in plain-text and is vulnerable to both attacks.
>>>
>>
>> OK, clearly I'm overstating the problem then. I haven't ever had any
>> problems logging into password protected, little closed lock in the
>> bottom corner web sites so that's not a problem. The real problem I've
>> noticed the most is just with these links that arrive as https:// type
>> links and Firefox asking me to specifically accept these certificates
>> which I don't really want to do.
> 
> Is the problem that accepting the certificate is inconvenient?
> 
>> And I've not had any problems I've noticed by just removing the 's'
>> and using the site like a regular site.
> 
> That's ok if you understand that you're turning off the security
> features, so it will be possible for an attacker to see your traffic.
> 
>> So, I guess there really isn't any problem with my system.
> 
> Correct - the problem is that the server you're connecting to is
> presenting an untrusted certificate. That could be because it's a
> server that's impersonating the server you really want to connect to,
> or the server's administrator is not doing their job. In rare cases it
> could also be that the certificate has been revoked or the CA is no
> longer trusted by your web browser (e.g. the DigiNotar mentioned
> earlier).
> 

Let's not forget that whenever you are presented with that warning, it
could also be a man-in-the-middle attack. Therefore just clicking on
"Accept" on every site is about the stupidest thing you can do.

I'm unsure how the warning looks when you have previously accepted a
normally untrusted certificate on that site and now it is different
(which could be an indication of MITM). I hope there is a big red flashy
warning but I doubt it.

Regards,
Florian Philipp
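
To make the last point concrete, here is an added example (not code from anyone in this thread) of a trust-on-first-use check: it records the SHA-256 fingerprint of a site's certificate the first time it is seen and flags any later change, which is exactly the condition a "big red flashy warning" would have to key on. The host name `example.test` and the certificate bytes are constructed stand-ins; `fetch_der_cert` shows how a real leaf certificate would be obtained but is not called offline.

```python
import hashlib
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_certificate(host: str, der_cert: bytes, pins: dict) -> tuple:
    """Trust-on-first-use check against an in-memory pin store.

    Returns (verdict, old_fp, new_fp) with verdict one of
    'first-seen', 'unchanged' or 'CHANGED'. The pin is only written on
    first sight; a changed certificate is reported, never silently
    re-pinned, because that is the case that deserves a closer look
    (legitimate renewal or a man-in-the-middle).
    """
    new_fp = fingerprint(der_cert)
    old_fp = pins.get(host)
    if old_fp is None:
        pins[host] = new_fp
        return ("first-seen", None, new_fp)
    if old_fp == new_fp:
        return ("unchanged", old_fp, new_fp)
    return ("CHANGED", old_fp, new_fp)


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate as DER bytes.

    Note: ssl.get_server_certificate() does not validate the chain; it
    only retrieves what the server presents, which is what we pin.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    pins = {}
    # Constructed stand-ins for DER certificates, not real certificates.
    cert_a = b"constructed-cert-A"
    cert_b = b"constructed-cert-B"
    for cert in (cert_a, cert_a, cert_b):
        verdict, old_fp, new_fp = check_certificate("example.test", cert, pins)
        print(verdict, old_fp, "->", new_fp)
```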
