Authored by: Anonymous on Saturday, August 18 2012 @ 08:46 PM EDT
> Many times I have been warned by my browser that some site or other
> has an invalid cert
The warning on many decent browsers has a disclosure tab where you
can see what's wrong with the certificate. Most that turn up here are
a) expired (oops, someone forgot to renew it), b) self-signed (hmmm),
c) untrusted (somebody in the chain of trust is on a blacklist).
> http://www.jumpto.com/ showed a bad cert in the browser
> on my Samsung Captivate
Seemed harmless on my Safari. Each browser will have a blacklist, or
a link to one. Depends on the browser maker how they construct
that list, and how they update it. E.g. Google could put for all
Android browsers (not saying they do, just an example) Do Not Trust
certificates originating from *.oracle.com.
It should be up to the luser to read and heed warnings, but in the
boingboing comments was a link to a report that said MS had
researched, and their sample indicated lusers just click on thru...
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf
Now MS lusers are just the people that should be heeding those
warnings. MacOS is now being targeted. Linux is susceptible
to MITM. So I look at what's wrong with the cert, what is the site,
am I logging in with a password, if that's lost will I also lose
money or professional reputation? Then I make a wager^H^H^H^H
calculated risk. I delude myself that's better than just clicking thru.
I could be wrong.
Authored by: Anonymous on Saturday, August 18 2012 @ 08:48 PM EDT
Sorry, should have said, the above post is mine but I am not the GP.
Authored by: Anonymous on Saturday, August 18 2012 @ 08:50 PM EDT
Not just man in the middle, but the implications are limited to the site you
accept the questionable certificate for.
An SSL cert is a cryptographic way of proving that VeriSign or some other
"trusted" certificate authority (your os/browser etc comes with a
predefined list of these) says the server for www.example.com is using public
key blah. You can then use that public key to encrypt a request to
www.example.com and be confident that no one else can (easily) read it because
you need the www.example.com private key to decrypt it.
An invalid certificate can be for many reasons, but you should assume that SSL
adds absolutely no security in that case. I.e. assume your connection isn't
encrypted because you don't know where the key came from and assume that the
server you're talking to may not be www.example.com.
The list of certificate authorities your os/browser "trusts" by
default here is obviously key to the whole process, and that's probably what's
gone wrong in your case. I suspect your phone and desktop have different trust
lists here - phones typically are only trusting a few root CAs.
This is speculation though - without seeing the certificate there's no reason to
believe that your phone and desktop are even talking to the same server.
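As an added illustration of the trust-list point in the post above (not code from this thread): a small Go program that issues a constructed root CA and leaf, then checks the leaf against a desktop trust store that contains the root and a phone store that does not, and also classifies an expired and a self-signed certificate the way a browser's warning tab would. The names `newCert`, `Classify`, `Scenarios` and the example.com hosts are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name, valid for validFor from now, signed by parent (self-signed when parent is nil).
func newCert(name string, validFor time.Duration, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // sign with the certificate's own key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Classify reports why a client that trusts only roots would warn about cert when connecting to host.
func Classify(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err == nil {
		return "ok"
	} else if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.Expired {
		return "expired" // the validity period is checked before any chain is built
	} else if _, ok := err.(x509.UnknownAuthorityError); !ok {
		return "other" // e.g. the name in the certificate does not match host
	} else if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return "self-signed" // the only key vouching for it is its own
	}
	return "untrusted" // issued by a CA that this client's trust list does not contain
}
// Scenarios checks one CA-issued leaf against a desktop store that ships the root and a phone store that does not, plus a self-signed and an expired leaf.
func Scenarios() map[string]string {
	root, rootKey := newCert("ca.example.com", 24*time.Hour, true, nil, nil)
	leaf, _ := newCert("www.example.com", 24*time.Hour, false, root, rootKey)
	expired, _ := newCert("www.example.com", -time.Minute, false, root, rootKey)
	self, _ := newCert("imap.example.com", 24*time.Hour, false, nil, nil)
	desktop, phone := x509.NewCertPool(), x509.NewCertPool()
	desktop.AddCert(root) // the phone's trust list stays empty
	return map[string]string{"desktop": Classify(leaf, desktop, "www.example.com"), "phone": Classify(leaf, phone, "www.example.com"),
		"self-signed": Classify(self, desktop, "imap.example.com"), "expired": Classify(expired, desktop, "www.example.com")}
}
func main() { fmt.Println(Scenarios()) }
```

The same leaf comes back "ok" on the desktop and "untrusted" on the phone, which is exactly the difference in trust lists the post suspects; note that an "untrusted" verdict says nothing about whether the two devices reached the same server.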
- Certificates 101 - Authored by: Anonymous on Sunday, August 19 2012 @ 04:14 AM EDT
Authored by: JamesK on Sunday, August 19 2012 @ 08:02 AM EDT
{
Many times I have been warned by my browser that some site or other has an
invalid cert. Most of the time, I know (or assume) it is a harmless site, and
accept it anyhow. Does that put me at serious risk?
}
That depends. If you trust the site and know it's genuine, then it's probably
OK. For example, I run my own IMAP mail server and generated my own
certificate. That certificate was not recognized by the email app and so I had
to manually accept it. On the other hand, I'd never accept such a certificate
from a site I'd never heard of.
---
The following program contains immature subject matter. Viewer discretion is
advised.