|
|
|
|
|
|
by viraptor
4139 days ago
|
|
|
> If browsers want to warn that it's not encrypted, fine. So long as they don't go into ridiculous hysteria levels like they do now with self-signed certs. I don't believe they can do anything apart from what happens now. Imagine someone manages to redirect your traffic. You were talking to some website which used known certificate, but this time you got a self-signed one. The browser has two options essentially: - continue the connection - in this case you just handed over your session cookie, the person on the other side can act as you on that website - go into "ridiculous hysteria levels" and tell you that the cert presented by the server is not trusted - so do what browsers do right now There's really no situation where the first option should be allowed. How option 2 is implemented is the interesting detail. |
|
|