On Tue, Sep 13, 2011 at 2:22 PM, Andy Steingruebl <[email protected]> wrote:
> On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin <[email protected]> wrote:
>
>> Furthermore, they're probably right; most of the certificate errors I've
>> seen over the years were from ordinary carelessness or errors, rather than
>> an attack; clicking "OK" is *precisely* the right thing to do.
>
> Is anyone aware of any up-to-date data on this btw? I've had discussions
> with the browser makers and they have some data, but I wonder whether anyone
> else has any data at scale of how often users really do run into cert
> warnings these days. They used to be quite common, but other than 1 or 2
> sites I visit regularly that I know have self-signed certs, I *never* run
> into cert warnings anymore. BTW, I'm excluding "mixed content" warnings
> from this for the moment because they are a different but related issue.
Here's a data point...not sure how relevant it is though. Such warnings are
still quite common on our company intranet, because the IT folks who request
and deploy certs, for the most part, don't know what they are doing. E.g.,
they request a server cert whose CN is the server's IP address, which of
course results in a warning when the user tries a URL that uses the host
name. We have instructions, but apparently no one takes the time to read
them. Instead, their mentality is to just tell their user community to click
through all the warnings. We very rarely have this problem for certificates
on Internet-facing web sites because those people have been trained and in
general know what they are doing.

-kevin

--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is
by accident. That's where we come in; we're computer professionals. We
*cause* accidents." -- Nathaniel Borenstein

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
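The failure Kevin describes (a cert issued with the server's IP address as its CN, then reached by host name) is a name-matching failure, not a trust failure, and the fix is a certificate whose subjectAltName covers every name users actually type. The following is an added example, not code from this thread or from anyone on it: a small reimplementation of the RFC 2818 / RFC 6125 matching rule that browsers of that era applied (subjectAltName dNSName entries take precedence; CN is consulted only when no SAN is present; an IP literal in the URL needs an iPAddress SAN entry), run against two constructed certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns. The host names, IP `10.1.2.3` and the "legacy" tolerance of an IP literal in CN are assumptions for illustration, not facts from the post.

```python
"""Simplified browser-style hostname vs certificate matching (RFC 2818 / RFC 6125).

Added example, not code from the mailing-list thread. Certificates are plain
dicts in the shape returned by ssl.SSLSocket.getpeercert(), constructed inline
so the module runs offline.
"""
import ipaddress
from typing import Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a leading '*.' wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # Wildcard must replace exactly one label and leave at least two labels
        # behind it, so "*.corp.example" never matches a bare "corp.example".
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_matches_host(cert: dict, host: str) -> Tuple[bool, str]:
    """Return (ok, reason). `host` is what the user typed in the URL."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    cn_values = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        # RFC 2818: an IP literal in the URL must match an iPAddress SAN entry.
        for ip in ip_names:
            if ipaddress.ip_address(ip) == host_ip:
                return True, f"matched iPAddress SAN {ip}"
        if not san:
            # Assumed legacy tolerance: many clients accepted CN=<ip> when the
            # cert carried no SAN at all, which is why the misissued intranet
            # certs 'work' for IP URLs and only fail for host-name URLs.
            for cn in cn_values:
                try:
                    if ipaddress.ip_address(cn) == host_ip:
                        return True, f"matched CN {cn} as IP literal (legacy fallback)"
                except ValueError:
                    pass
        return False, f"no iPAddress SAN equals {host}"

    # DNS name in the URL: SAN dNSName entries win outright; CN is only a
    # fallback when the certificate carries no SAN names.
    if dns_names:
        for name in dns_names:
            if _dns_name_matches(name, host):
                return True, f"matched dNSName SAN {name}"
        return False, f"no dNSName SAN matches {host} (SAN present, CN ignored)"
    for cn in cn_values:
        if _dns_name_matches(cn, host):
            return True, f"matched CN {cn} (legacy fallback)"
    return False, f"CN {cn_values} does not match {host}"


# Constructed sample certificates (illustrative names and addresses).
BAD_CERT = {
    # What the post describes: CN is the server's IP address and there is no SAN.
    "subject": ((("commonName", "10.1.2.3"),),),
}
GOOD_CERT = {
    # What the deployment instructions should ask for: a SAN that lists every
    # name users type, the bare IP included.
    "subject": ((("commonName", "wiki.corp.example"),),),
    "subjectAltName": (
        ("DNS", "wiki.corp.example"),
        ("DNS", "wiki"),
        ("IP Address", "10.1.2.3"),
    ),
}


def audit(cert: dict, hosts) -> dict:
    """Map each name users might type to (ok, reason) for one certificate."""
    return {h: cert_matches_host(cert, h) for h in hosts}


if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        for host, (ok, why) in audit(cert, ["10.1.2.3", "wiki.corp.example", "wiki"]).items():
            print(f"{label:4} {host:20} {'OK  ' if ok else 'WARN'} {why}")
```

Running `audit(BAD_CERT, ...)` reproduces the intranet symptom: the IP URL passes (only because of the legacy CN tolerance), while `wiki.corp.example` and `wiki` both fail, which is exactly the warning users are told to click through. `GOOD_CERT` passes for all three, and because it carries a SAN, its CN is never consulted, so whatever the requester puts there no longer matters.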
