Hacker News new | ask | show | jobs
by timg 6961 days ago
That's terrible in my book. What if you are running an entertainment site with lots of subdomains and for every single subdomain the user gets harassed with this question?

These certificates have nothing at all to do with "authority." Just think about it, what exactly do they prove?

Why should you only be allowed to speak in confidence with well identified parties (not that verisign remotely attempts to identify anyone)? Think carefully.

Related: http://www.schneier.com/blog/archives/2005/12/new_phishing_tr.html
2 comments
mdakin 6961 days ago
The SSL software in your web browser uses the information from the certificate authority to mathematically PROVE a man in the middle attack is NOT happening.

Anytime you use a self-signed certificate [edit] without manually verifying the fingerprint of certificate [/edit] ANYONE who controls the network hardware between you and the second party can eavesdrop and even tamper with the communication stream. Neither you nor the second party has any way of knowing what's going on. That's why we NEED a warning every time we encounter a self-signed certificate.

The default behavior of the browsers is fine and we're lucky that the design allows us to fool around with self-signed certificates at all.

EDIT: If you manually verify the fingerprint of the self-signed certificate each time you connect you can be sure your connection is secure. But still the UI makes sense (even more sense).

link
timg 6961 days ago
"""Anytime you use a self-signed certificate ANYONE who controls the network hardware between you and the second party can eavesdrop and even tamper with the communication stream. Neither you nor the second party has any way of knowing what's going on. That's why we NEED a warning every time we encounter a self-signed certificate."""

I believe that you misunderstand the technology.

link
mdakin 6961 days ago
I'm by no means an expert on crypto but I think I understand the fundamentals. If something I said is incorrect please point it out specifically. See [1] for a more complete explanation of my point.

[1] http://en.wikipedia.org/wiki/MITM

link
lupin_sansei 6961 days ago
Doesn't the browser warn you by default for self-signed certificates? If so your second paragraph is incorrect isn't? You would get a warning every time you encounter a self signed certificate.
link
mdakin 6961 days ago
The language in my post is a bit sloppy and for for that I apologize. As I imply in the second paragraph and explain in the edit you do get a warning BUT unless you then pull out your paper copy of the fingerprint and manually compare the fingerprint of the certificate with the one you have on file you do not know that your connection is secure. When is the last time anyone took that step? We need CAs to automate this process for us.
link
lupin_sansei 6961 days ago
The Authority provides a way to check the address of a domain name holder and other useful information. It makes it a lot harder for someone to create a spoof domain like https://www.paypa1.com and for Paypal's real address to be displayed in the certificate when you click on it. Basically Verisign and co stake their reputation on checking the details of the certificate applicant.

I don't see what's terrible about browser makers trusting certain authorities. It's useful to the user, and there's more than one authority so less chance of abuse. The only alternative is no authorities, or a government bureaucracy issuing them. I don't see how either of those 2 options is superior to the current situation.

There's nothing stopping you creating a free Certification Authority, it's just that you'd have to persuade the browser makers to trust you.

link
timg 6961 days ago
"""I don't see what's terrible about browser makers trusting certain authorities"""

Because the authorities trust anyone who pays them 20 bucks. THEN, the users trust any site where the address bar turns yellow. Do you see the break in the chain here?

link
lupin_sansei 6961 days ago
You're changing your argument, Your initial point was that encrypted HTTP should be free. It is.

Then you switched to say that you can't really trust Authorities. Maybe so, but the current setup seems better to me than the alternatives.

link
timg 6961 days ago
Read Schneier's take on it that I linked to. He agrees that this false sense of positive identification can be WORSE than none at all. And that has to do with the warnings that the browser gives, not the matching up of the domain names.

Second, my argument has always been that the browser should not harass the user of a site that has not taken part in this PHONY identification procedure.

Heck, even google adsense has seen through this scam and not bothered to pay the fee.

Edit: To clarify, most users equivocate signed SSL certificate == trustable site. That is WRONG. Verisign does not vigorously establish the non-evilness of your site.

Example: http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

link