Hacker News new | ask | show | jobs
by ceejayoz 5275 days ago
There absolutely should've been some sort of "encrypted but not verified" handling for self-signed certificates. The current state of browsers is that unencrypted HTTP is presented as safer than self-sign encrypted HTTPS. That's lunacy.

Unfortunately, there isn't, and as a result self-signed certificates are useless to anyone running a HTTPS site that expects any visitors.
2 comments
kennethv 5275 days ago
Though I don't enjoy the current sad state of affairs with regards to the security and validation of CAs, there's something to be said for the old adage that no security is better than false security, and trusting all self-signed certificates would definitely be false security, since eavesdroppers could just do a man-in-the-middle with their own self-signed certificate.

I'd personally be really happy to see something like http://perspectives-project.org/ instead of the current web of mistrust.

link
ceejayoz 5274 days ago
> Though I don't enjoy the current sad state of affairs with regards to the security and validation of CAs, there's something to be said for the old adage that no security is better than false security, and trusting all self-signed certificates would definitely be false security, since eavesdroppers could just do a man-in-the-middle with their own self-signed certificate.

Currently, self-signed HTTPS is trusted less than unecrypted HTTP. We don't get a massive warning if visiting Facebook over HTTP, despite the MITM risk and the fact that data is being sent in clear to boot.

link
three14 5274 days ago
The browsers don't do it because it violates normal people's expectations of what encryption does. If you are a man-in-the-middle, you provide your own self-signed cert; if the browser accepts self-signed certs, then the user sees an "encrypted" connection, but the encrypted data goes to the man-in-the-middle! Sure, you went through the motions of encryption, but the data is plaintext to the attacker. Self-signed certs could work together with some other kind of infrastructure, something like Perspectives, but leaving everything else as it is, self-signed certs don't provide anything to the normal user.
link