Derek Martin wrote:

> On Mon, Nov 30, 2015 at 09:48:48PM +0100, Matthias Apitz wrote:
> > > > Can you put it somewhere where only HTTP is involved. SSL claims the
> > > > page as insecure.
> > >
> > > It only claims that the certificate the server is using is
> > > self-signed, meaning that it can't be validated as belonging to anyone
> > > in particular by the big certificate trusts. If you're willing to
> > > look at it without SSL entirely, then who cares if the cert doesn't
> > > validate? This is just not interesting.
> >
> > Maybe for you (Derek Martin) it is not, but for me.
>
> OK, fair enough, but then can you please explain what the issue is?
> Can you explain how a site serving SSL with a self-signed certificate
> is the slightest bit less secure than the same one not using SSL at
> all?
>
> > It is already an issue if a posted URL of http://... is redirected
> > to some SSL URL of untrusted certifications.
>
> As for the redirect, it's to the same hostname, using a more secure
> version of the same protocol, albeit with an unverifiable
> certificate--but you couldn't verify the server's identity before
> either so there's no difference whatsoever in that regard. How is
> UPGRADING the security a problem?

it's not just self-signed. that would be fine. it's also for a
different hostname (git.rmz.io, not rmz.io) and it's expired
(22/3/2015). hopefully, they are the reasons that the browser
labelled it as insecure.

but i agree that it's unimportant for the purposes of this
discussion. it's not like that jpg is asking for a password
for anything. it's just a jpg.

cheers,
raf
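
The three separate failures listed in the reply above (self-signed, wrong hostname, expired) can be told apart programmatically. The following is an added example, not code from anyone in the thread; it assumes a certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and everything in the sample except the hostname and the expiry date is constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Only the hostname and the expiry date come from the thread; the rest
# (validity start, time of day, SAN list) is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "git.rmz.io"),),),
    "issuer": ((("commonName", "git.rmz.io"),),),
    "notBefore": "Mar 22 00:00:00 2014 GMT",
    "notAfter": "Mar 22 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "git.rmz.io"),),
}


def _names(cert):
    """DNS names the certificate is valid for (SAN first, CN as fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]


def _matches(pattern, host):
    """Exact match, or a single leftmost '*' label (e.g. *.example.org)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def diagnose(cert, host, now):
    """Return the independent reasons a client would reject this certificate."""
    reasons = []
    # issuer == subject is a heuristic; the dict form carries no signature to verify.
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed")
    if not any(_matches(n, host) for n in _names(cert)):
        reasons.append("hostname-mismatch")
    ts = now.timestamp()
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not-yet-valid")
    return reasons


if __name__ == "__main__":
    when = datetime(2015, 11, 30, 20, 48, 48, tzinfo=timezone.utc)  # date of the quoted mail
    print(diagnose(SAMPLE_CERT, "rmz.io", when))
```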