On Wed, Sep 03, 2008 at 20:05:15 +0100, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> > This is a misleading warning that the Firefox developers have decided to use.
>
> I wouldn't call it misleading. Firefox accepts a set of signing agencies
> that do at least the basic authority checking business expects -
> paperwork, address, check against government records stuff. It doesn't by
> default accept others as they don't do those checks.

Well, they don't supply the same warning for http connections, which have exactly the same issues.

> > It is really just a warning and if you don't want to see them in the future,
> > you can save the cert and you won't see them any more. I get these a lot since
> > I have deleted all of the delivered CAs because I have no special trust
> > relationship to them. I either permanently or temporarily OK certs for sites
> > when using https connections.
>
> Your choice. However if you deleted the delivered CA signatures and don't
> check against them then you have no way of knowing if you are talking to
> a DNS spoofed site that is relaying.

I save the certs for sites I plan on revisiting. I get a warning when the certs change, and depending on how I am using the site I can take extra care when that happens. I'd be more worried about my ISP messing with my traffic for marketing-related reasons than that someone has targeted my DNS cache successfully.

Certs don't solve the real problem in any case. Just because you are visiting a site with a valid cert that matches a domain name doesn't mean you are visiting the site you expect to be. If you are really worried about that you need to take extra measures, and Firefox doesn't provide a good way to do that. (It should really warn you when it sees a cert you don't have saved and allow you to save it or not. The only way to do that now is to delete all of the delivered CA certs.)

> > > My immediate thought was that if ScientificLinux expect me
> > > to jump through hoops to view their web-page
> > > then they are unlikely to place ease of use
> > > high on their list of priorities -
> >
> > The issue is really Firefox's fault, not Scientific Linux's.
>
> I would disagree. Firefox doesn't want to trust untrustable CAs.
> Scientific Linux doesn't want to have to pay out for commercial
> certificates.
>
> 'Fault' is a curious word to use for that. Both are doing valid sensible
> things.

We do disagree. I think it is more reasonable to treat sites with self-signed certs where the CA is not in Firefox's list the same as sites that are using http instead of https (barring mismatched or expired certs).

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
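The trust-on-first-use scheme the message above describes (save a site's cert the first time you see it, warn when it changes, and let the user grant a permanent or session-only exception), as an added example that is neither code from this thread nor Firefox's own implementation. The certificate byte strings are constructed stand-ins rather than real DER certificates, the hostnames are made up, and the pin is the SHA-256 of the DER bytes, which is the fingerprint a browser's certificate viewer shows and the only thing a user can compare out of band to detect a spoofed first contact.

```python
"""Trust-on-first-use (TOFU) certificate pinning with permanent and
session-only exceptions. Added illustration; not Firefox's own code.
"""
import hashlib
import json
import os
import tempfile
from enum import Enum
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates (not real certs).
# Only their bytes matter here: the pin is a hash over the DER encoding.
CERT_A = b"\x30\x82\x01\x00" + b"sl-web-cert-2008-A" * 4
CERT_A_CHANGED = b"\x30\x82\x01\x00" + b"sl-web-cert-2008-B" * 4
HOST = "www.example.test"  # hypothetical hostname


class Verdict(Enum):
    FIRST_SEEN = "first seen: pinned now, verify the fingerprint out of band"
    MATCH = "match: same certificate as pinned or accepted for this session"
    MISMATCH = "mismatch: certificate differs from the pinned one"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the value a browser's cert viewer shows as
    the fingerprint. Comparing it out of band is the only check TOFU offers
    against a spoofed first contact."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host pins. Permanent pins are persisted to a JSON file when a path
    is given; session exceptions live only in memory."""

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.permanent: Dict[str, str] = {}
        self.session: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.permanent = json.load(f)

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.permanent, f)

    def check(self, host: str, der_cert: bytes) -> Verdict:
        fp = fingerprint(der_cert)
        pinned = self.permanent.get(host)
        if pinned is None:
            # First contact: trust it and remember it. This is the step a
            # DNS-spoofed first visit would poison, hence FIRST_SEEN, not MATCH.
            self.permanent[host] = fp
            self._save()
            return Verdict.FIRST_SEEN
        if pinned == fp or self.session.get(host) == fp:
            return Verdict.MATCH
        # A changed cert is never overwritten silently; the user decides.
        return Verdict.MISMATCH

    def accept(self, host: str, der_cert: bytes, permanent: bool) -> None:
        """User response to MISMATCH: replace the pin for good, or allow the
        new certificate only until this process exits."""
        fp = fingerprint(der_cert)
        if permanent:
            self.permanent[host] = fp
            self._save()
        else:
            self.session[host] = fp


def persistence_roundtrip() -> Verdict:
    """Pin in one store, reload from disk in a fresh one, re-check."""
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    PinStore(path).check(HOST, CERT_A)
    return PinStore(path).check(HOST, CERT_A)


if __name__ == "__main__":
    store = PinStore()
    for label, cert in (("first visit", CERT_A), ("revisit", CERT_A),
                        ("cert changed", CERT_A_CHANGED)):
        print(f"{label:13} {store.check(HOST, cert).value}")
    store.accept(HOST, CERT_A_CHANGED, permanent=False)
    print(f"{'after temp OK':13} {store.check(HOST, CERT_A_CHANGED).value}")
    print("persisted pin:", persistence_roundtrip().name)
```

The point of returning FIRST_SEEN rather than MATCH on first contact is the weakness Alan Cox raises: with no CA check, TOFU has nothing to verify on the first visit, so the only defence there is comparing the fingerprint out of band. After that the store gives exactly what the message asks for: a warning on change, and no silent replacement of the pin until the user accepts it.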