On 02/24/12 02:45, Florian Philipp wrote:
>
> Let's not forget that whenever you are presented with that warning, it
> could also be a man-in-the-middle attack. Therefore just clicking on
> "Accept" on every site is about the stupidest thing you can do.
>
> I'm unsure how the warning looks when you have previously accepted a
> normally untrusted certificate on that site and now it is different
> (which could be an indication of MITM). I hope there is a big red flashy
> warning but I doubt it.
>
Not if the certificate is "valid." The only sane way to handle certificates with parties you've never met (i.e. every website) is the SSH method: you accept that, no matter what, there's always going to be one opportunity for a man-in-the-middle attack. The first time you connect, you save the remote server's certificate. If it changes, freak out. The certificate patrol extension does this: http://patrol.psyced.org/ With it, self-signed certificates become more secure than CA-signed ones.
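The SSH-style trust-on-first-use check described above, as an added example in Python (it is not from this thread nor from the Certificate Patrol extension): the first certificate seen for a host is pinned, a later mismatch is reported as a possible MITM instead of being silently re-accepted. The store file location and script name are assumptions.

```python
import hashlib
import json
import ssl
import sys
from enum import Enum
from pathlib import Path

class Verdict(Enum):
    FIRST_SEEN = "first contact: pin stored (the one unavoidable MITM window)"
    MATCH = "certificate matches the stored pin"
    CHANGED = "CERTIFICATE CHANGED since last visit: possible MITM, abort"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated hex as OpenSSL prints it."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_pin(store: dict, host: str, fp: str) -> Verdict:
    """Trust-on-first-use: remember the first certificate seen for a host, then
    treat any later change as a red flag. The stored pin is never overwritten
    here; replacing it is a deliberate decision left to the user."""
    known = store.get(host)
    if known is None:
        store[host] = fp
        return Verdict.FIRST_SEEN
    return Verdict.MATCH if known == fp else Verdict.CHANGED

def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Retrieve the server's leaf certificate (no CA validation: with this
    model the pin, not a CA, is what is trusted) and fingerprint it."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}

def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))

if __name__ == "__main__":
    # Usage: python tofu_pin.py mail.example.org   (assumed script name and host)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    store_path = Path("~/.known_tls_hosts.json").expanduser()  # assumed location
    store = load_store(store_path)
    verdict = check_pin(store, host, fetch_fingerprint(host))
    save_store(store_path, store)
    print(f"{host}: {verdict.value}")
    sys.exit(2 if verdict is Verdict.CHANGED else 0)
```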