Comments on: Firefox 3 vs secure certificates and authorities http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/ Home of DJ and technophile Jonathan Puddle (aka DJ J Puddy) Sun, 23 Nov 2008 10:04:08 +0000 http://wordpress.org/?v=2.6.2 By: Jonathan Puddle http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3843 Jonathan Puddle Mon, 08 Sep 2008 07:10:54 +0000 http://www.jpuddy.net/?p=588#comment-3843 Thank you Peter, THAT is my point exactly! Keep spreading the word. Thank you Peter, THAT is my point exactly! Keep spreading the word.

]]> By: Peter http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3842 Peter Sun, 07 Sep 2008 03:01:45 +0000 http://www.jpuddy.net/?p=588#comment-3842 I absolutely concur on the unreasonableness of the certificate warnings. What they really should say is, "Your data is encrypted; only the person you are sending your data to will be able to read it. However, because the issuer of the certificate isn't trusted, we have no way of verifying the identity of the person receiving the data." Mike and Kljuka: if you're sending sensitive data, then obviously you want a certificate issued by a legit authority. What's STUPID, however, is that Firefox makes it seem like sites using a non-trusted CA for their SSL are LESS SECURE than sites with no SSL. That is false, and if you're stating otherwise it's because Verisign or someone similar is paying you to say so (or you're a flaming idiot). As a coda, I'd note that certificates issues by the UNITED STATES GOVERNMENT and the DEPARTMENT OF DEFENSE are considered non-secure and non-trusted by Firefox because DOD isn't in the habit of paying off browser companies to trust their root certificates. I absolutely concur on the unreasonableness of the certificate warnings. What they really should say is, “Your data is encrypted; only the person you are sending your data to will be able to read it. However, because the issuer of the certificate isn’t trusted, we have no way of verifying the identity of the person receiving the data.”

Mike and Kljuka: if you’re sending sensitive data, then obviously you want a certificate issued by a legit authority. What’s STUPID, however, is that Firefox makes it seem like sites using a non-trusted CA for their SSL are LESS SECURE than sites with no SSL. That is false, and if you’re stating otherwise it’s because Verisign or someone similar is paying you to say so (or you’re a flaming idiot).

As a coda, I’d note that certificates issues by the UNITED STATES GOVERNMENT and the DEPARTMENT OF DEFENSE are considered non-secure and non-trusted by Firefox because DOD isn’t in the habit of paying off browser companies to trust their root certificates.

]]> By: Kljuka http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3840 Kljuka Sat, 23 Aug 2008 22:04:45 +0000 http://www.jpuddy.net/?p=588#comment-3840 I can't agree with some replies. If you want to send some sensitive data to example.com, you want to be sure, you're sending the data ONLY to example.com. If you're not using CA, you might be sending data to hacker_a.com, which is forwarding all data to example.com (so called "man in the middle attack") and you won't see any difference. CA only makes sure, you're really sending the data directly and only to example.com. And it's up to you, to choose which sensitive data example.com should have possession of (that is usually the main concern in real life). I can’t agree with some replies.

If you want to send some sensitive data to example.com, you want to be sure, you’re sending the data ONLY to example.com.
If you’re not using CA, you might be sending data to hacker_a.com, which is forwarding all data to example.com (so called “man in the middle attack”) and you won’t see any difference.
CA only makes sure, you’re really sending the data directly and only to example.com.
And it’s up to you, to choose which sensitive data example.com should have possession of (that is usually the main concern in real life).

]]> By: Jonathan Puddle http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3837 Jonathan Puddle Thu, 31 Jul 2008 11:19:09 +0000 http://www.jpuddy.net/?p=588#comment-3837 Because at least only the person you're sending it to can see it. Granted, with self-signed certificates you're not provided a guarantee of the signer, but even if you've fallen pray to an attack and you're sending your precious details to a malicious individual, the fact remains that only the malicious individual can see your information. Clearly that's a problem, so identification is important, but if Verisign and the other CAs ever make mistakes, which they clearly do, then we're lulled into a false sense of security. The point I'm making is, the internet would be far more secure if everyone used certificates, self signed or CA signed. If there were open CAs (there are couple now) that were free or reasonably priced, then we can do away with the monopoly help by the big CAs, who aren't doing a better job than anyone else. It seems to me that if Firefox and IE really cared about security, they should throw an ugly warning on EVERY page that isn't HTTPS. Because there you're truly unprotected. Because at least only the person you’re sending it to can see it. Granted, with self-signed certificates you’re not provided a guarantee of the signer, but even if you’ve fallen pray to an attack and you’re sending your precious details to a malicious individual, the fact remains that only the malicious individual can see your information. Clearly that’s a problem, so identification is important, but if Verisign and the other CAs ever make mistakes, which they clearly do, then we’re lulled into a false sense of security.

The point I’m making is, the internet would be far more secure if everyone used certificates, self signed or CA signed. If there were open CAs (there are couple now) that were free or reasonably priced, then we can do away with the monopoly help by the big CAs, who aren’t doing a better job than anyone else.

It seems to me that if Firefox and IE really cared about security, they should throw an ugly warning on EVERY page that isn’t HTTPS. Because there you’re truly unprotected.

]]> By: mike http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3836 mike Wed, 30 Jul 2008 22:40:57 +0000 http://www.jpuddy.net/?p=588#comment-3836 "Remember, their certificates are no more secure than those made yourself, the issue is pure marketing..." This is simply incorrect. Certificates do not just offer encryption over the connection, they also offer identity verification. The whole point of a CA (Certificate Authority) is that you can trust it to verify the identity of the owner of any issued certificates (though this system is not perfect either). Self signed certificates do offer encryption of the data, but what is the point of encrypting the data if you don't know who you are sending it to? “Remember, their certificates are no more secure than those made yourself, the issue is pure marketing…”

This is simply incorrect. Certificates do not just offer encryption over the connection, they also offer identity verification. The whole point of a CA (Certificate Authority) is that you can trust it to verify the identity of the owner of any issued certificates (though this system is not perfect either). Self signed certificates do offer encryption of the data, but what is the point of encrypting the data if you don’t know who you are sending it to?

]]> By: Jonathan Puddle http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3835 Jonathan Puddle Wed, 23 Jul 2008 08:14:32 +0000 http://www.jpuddy.net/?p=588#comment-3835 Thing is, I don't want to have to augment my browser to make it more usable. Right now I've got no flash tabs or PDF tabs, and are running at 233mb (which admittedly, isn't too bad in this case)... but still. I don't think the issue is fully resolved, and I'd rather complain about it to hopefully get more attention from Mozilla... Thing is, I don’t want to have to augment my browser to make it more usable. Right now I’ve got no flash tabs or PDF tabs, and are running at 233mb (which admittedly, isn’t too bad in this case)… but still. I don’t think the issue is fully resolved, and I’d rather complain about it to hopefully get more attention from Mozilla…

]]> By: Steve http://www.jpuddy.net/2008/07/20/firefox-3-vs-secure-certificates-and-authorities/#comment-3834 Steve Tue, 22 Jul 2008 17:19:37 +0000 http://www.jpuddy.net/?p=588#comment-3834 I don't know about the whole encryption issue, but you might want to dump Adobe Reader and get Foxit PDF Reader. I am not seeing the "memory leak" issues, and I think I have traced it somewhat to that and to Flash (which is why I use Flashblock). I don’t know about the whole encryption issue, but you might want to dump Adobe Reader and get Foxit PDF Reader. I am not seeing the “memory leak” issues, and I think I have traced it somewhat to that and to Flash (which is why I use Flashblock).

]]>