Fedora home server using core 9

Wed Sep 3 19:37:45 UTC 2008

On Wed, Sep 03, 2008 at 20:05:15 +0100,
  Alan Cox <alan at lxorguk.ukuu.org.uk> wrote:
> > This is a misleading warning that the Firefox developers have decided to use.
> 
> I wouldn't call it misleading. Firefox accepts a set of signing agencies
> that do at least the basic authority checking business expects -
> paperwork, address, check against government records stuff. It doesn't by
> default accept others as they don't do those checks.

Well they don't supply the same warning for http connections which have exactly
the same issues.

> 
> > It is really just a warning and if you don't want to see them in the future,
> > you can save the cert and you won't see them any more. I get these a lot since
> > I have deleted all of the delivered CA's because I have no special trust
> > relationship to them. I either permanently or temporarily OK certs for sites
> > when using https connections.
> 
> Your choice. However if you deleted the delivered CA signatures and don't
> check against them they you have no way of knowing if you are talking to
> a DNS spoofed site that is relaying.

I save the certs for sites I plan on revisting. I get a warning when the certs
change and depending how I am using the site I can take extra care when
that happens.

I'd be more worried about my ISP messing with my traffic for marketting related
reasons than that someone has targetted my dns cache successfully.

Certs don't solve the real problem in any case. Just because you are visiting
a site with a valid cert that matches a domain name, doesn't mean you are
visting the site you expect to be. If you are really worried about that you
need to take extra measures and Firefox doesn't provide a good way to do
that. (It should really warn you when it sees a cert you don't have saved and
allow you to save it or not. The only way to do that now is to delete all of
the delivered CA certs.)

> > > My immediate thought was that if ScientificLinux expect me
> > > to jump through hoops to view their web-page
> > > then they are unlikely to place ease of use
> > > high on their list of priorities -
> > 
> > The issue is really Firefox's fault, not Scientific Linux's.
> 
> I would disagree. Firefox doesn't want to trust untrustable CA's.
> Scientific Linux doesn't want to have to pay out for commercial
> certificates.
> 
> 'Fault' is a curious word to use for that. Both are doing valid sensible
> things.

We do disagree. I think it is more reasonable to treat sites with self signed
certs where the CA is not in Firefox's list the same as sites that are using
http insteasd of https (barring mismatched or expired certs).