PaulDotCom mailing list archives
SSL Encryption and HTML
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Wed, 29 Oct 2008 06:46:08 -0400
I would advocate for the browsers to issue a warning (error maybe) when a self-signed certificate was used to identify a service, in addition to the warnings if a certificate was signed by an unknown/untrusted CA.
They do, and users click right through them. However, the Firefox and IE warnings have gotten better and harder to click through.
Concerning Extended Validation (EV) certificates, that's just a hoax: Google for "Faking Extended Validation SSL Certificates in Internet Explorer 7" and you should find a PDF document that describes how it works. In essence you can make your own certificates with EV and hit the green light.
Yes, EV has its problems, as I alluded to it being only a thin layer. That paper is from last year though and only references IE 7 as being vulnerable. Has this bug been fixed (I did not have the chance to validate that it had)? Is it possible to create a fake EV cert that will trick Firefox?

Cheers,
Paul

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552