On Thu, May 8, 2008 at 4:17 PM, Martin Pitt <[EMAIL PROTECTED]> wrote:
>
> Right, but also self-signed certificates (since they prove nothing).

They prove that you are talking to the same server you were talking to when you first logged on. They are also sufficient to prevent passive wiretapping attacks.

> I don't consider it a new feature, but a better UI. Firefox has always
> complained about invalid certificates, but until version 2 it was just
> the well-known 'SSL yadayada cannot be verified mumblemumble click
> here to shut me up' popup dialog, and really everyone just clicked
> this away, right? Security click-through dialogs should be abolished,
> since they achieve nothing and are really just an excuse for the
> software provider: "I know it is unsafe, and cannot give you something
> better. Of course you can't know either, but at least I can make it
> your problem now."

However, http is more unsafe than an https connection on a self-signed cert, and we don't even have the token warning on http web pages.

AFAICT this "improvement" only helps users who realise that the "s" in https is meant to mean secure but somehow don't realise that a big click-through popup warning that the cert is invalid means that the site is in some sense less secure. I guess it could vaguely help users who don't know what the "s" means but have an https: address stored on their machine from some legitimate source, but have never visited the site, so they don't have the correct cert yet.

--
John C. McCabe-Dansted
PhD Student
University of Western Australia
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
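The "same server you were talking to when you first logged on" property argued for above is trust-on-first-use (TOFU): the client records the fingerprint of the self-signed certificate it saw first and raises an alarm if a later connection presents a different one. The example below is added here to show that check concretely; it is not code from the thread or from Firefox. The pin store, the host names and the certificate byte strings are constructed for the example (the byte strings are stand-ins for DER certificates, since the check only hashes bytes), and `fetch_der_cert` uses the Python standard library `ssl` module to pull a real server's DER certificate when run online. Note the caveat the check cannot remove: a pin protects every visit after the first, so an attacker who substitutes a certificate on the very first connection is pinned as the legitimate server.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """Trust-on-first-use pin store: host:port -> certificate fingerprint.

    Mirrors what ssh's known_hosts does for host keys. The first certificate
    seen for a host is recorded; later connections must present the same one.
    """

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, hostport: str, der_cert: bytes) -> str:
        """Return 'pinned' (first sight), 'match' (same cert) or 'mismatch'.

        On 'mismatch' the stored pin is deliberately NOT overwritten; the user
        (or operator) has to decide whether the change was a legitimate renewal.
        """
        seen = fingerprint(der_cert)
        known = self.pins.get(hostport)
        if known is None:
            self.pins[hostport] = seen
            self._save()
            return "pinned"
        return "match" if known == seen else "mismatch"


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate in DER form (requires network access).

    CA validation is switched off because a self-signed certificate cannot
    pass it; the TofuStore comparison is the check that replaces it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two different DER certificates (not real X.509 data).
CERT_ORIGINAL = b"-- constructed: self-signed cert first presented by mail.example.test --"
CERT_SUBSTITUTE = b"-- constructed: a different cert presented on a later connection --"


def demo() -> list:
    """Walk through first visit, repeat visit and a substituted certificate."""
    store = TofuStore()           # in-memory; pass a Path to persist the pins
    host = "mail.example.test:443"
    outcomes = [
        store.check(host, CERT_ORIGINAL),    # first visit: recorded
        store.check(host, CERT_ORIGINAL),    # same cert again: accepted
        store.check(host, CERT_SUBSTITUTE),  # different cert: alarm, pin kept
    ]
    assert store.pins[host] == fingerprint(CERT_ORIGINAL)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

To use it against a live self-signed server, call `store.check(f"{host}:{port}", fetch_der_cert(host, port))` and treat anything other than `"match"` on a host you have visited before as a stop-and-investigate condition rather than a click-through.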