Jean-Marc Desperrier:
Broken? Yes, instead of accessing the web site, he got some error screen and had to run IE instead.

Oh yes, and IE just let him through, no errors, no red address bar and no "We recommend not to visit this site", right?

This was a developer with already around two years of writing SSL-related software.

Which SSL software does he write so I can avoid it?

Now, the answer about what to do next is not easy. But it's *not* to block even more access to those web sites.

At least one shortcoming must be fixed, and it's the fetching of missing CA certificates in the chain. Sites which are unfortunately not configured correctly but otherwise use a perfect certificate shouldn't be blocked; the browser should try to build the chain by fetching the missing CA certificates.

Whilst I have no magic bullet, it definitely lies in the line of finding a way to *explain* to the user *what* is broken exactly, and provide him an effective and easy way to check if it's an error or an attack.

Here I agree with you completely. Education is a very important part of what we must do. I've been thinking that allowing users to click through warnings was very bad from an educational point of view. One of the problems is that users simply don't read; they don't care until their passwords are stolen and credit cards emptied.

I also agree with you that there is no magic bullet, except that we've tried it the current way of presenting warnings, error screens etc. for years. Maybe we should try it otherwise, because SSL does protect against MITM attacks; that's one of its major tasks.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
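The point raised above about servers that omit an intermediate CA certificate is easy to see in a small model of chain building. The following is an added illustration, not code from this thread or from any browser: it simulates a client that first tries to complete the chain from what the server sent, and only then follows the certificate's AIA "caIssuers" pointer (the "fetching of missing CA certificates" the message asks for), so a merely misconfigured server is distinguished from an untrusted one. All names (Example Root CA, Example Intermediate G2, www.example.test, the aia.example.test URL) and the in-memory "repository" standing in for the network are constructed; signatures, validity periods and name constraints are deliberately not modelled, a real validator checks those on every link.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed; no signature)."""
    subject: str
    issuer: str
    ca_issuers_url: Optional[str] = None  # AIA "caIssuers" pointer, if present


# Constructed trust store: the client's built-in roots, keyed by subject.
TRUST_STORE: Dict[str, Cert] = {
    "Example Root CA": Cert("Example Root CA", "Example Root CA"),
}

# Constructed stand-in for the network: what each AIA URL would return.
INTERMEDIATE_URL = "http://aia.example.test/intermediate-g2.crt"
AIA_REPOSITORY: Dict[str, Cert] = {
    INTERMEDIATE_URL: Cert("Example Intermediate G2", "Example Root CA"),
}
INTERMEDIATE = AIA_REPOSITORY[INTERMEDIATE_URL]

# Constructed leaf: issued by the intermediate and carrying an AIA pointer.
LEAF = Cert("www.example.test", "Example Intermediate G2", INTERMEDIATE_URL)


def fetch_aia(url: str) -> Optional[Cert]:
    """Offline replacement for an HTTP GET of the AIA caIssuers URL."""
    return AIA_REPOSITORY.get(url)


def build_chain(presented: List[Cert],
                trust_store: Dict[str, Cert] = TRUST_STORE,
                fetch: Callable[[str], Optional[Cert]] = fetch_aia,
                max_depth: int = 8) -> Tuple[List[Cert], List[str]]:
    """Build leaf -> ... -> trusted root from what the server presented.

    presented[0] is the leaf; the rest are whatever intermediates the server
    included.  When an issuer is missing, the AIA pointer is followed instead
    of failing outright.  Returns (chain, urls_fetched) or raises ValueError
    when no path to a trusted root exists.
    """
    if not presented:
        raise ValueError("server presented no certificate")
    leaf = presented[0]
    pool = {c.subject: c for c in presented[1:]}  # intermediates the server sent
    chain, fetched = [leaf], []
    seen = {leaf.subject}  # guards against cross-signing loops
    current = leaf
    while current.issuer not in trust_store:
        if len(chain) >= max_depth:
            raise ValueError("chain too long")
        issuer = pool.get(current.issuer)
        if issuer is None and current.ca_issuers_url:
            issuer = fetch(current.ca_issuers_url)
            if issuer is not None:
                fetched.append(current.ca_issuers_url)
        if issuer is None or issuer.subject != current.issuer:
            raise ValueError(
                f"unable to get issuer certificate for {current.subject!r}")
        if issuer.subject in seen:
            raise ValueError("issuer loop detected")
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    chain.append(trust_store[current.issuer])
    return chain, fetched


def classify(presented: List[Cert]) -> str:
    """Separate 'server forgot an intermediate' from 'no trusted path at all'."""
    try:
        _, fetched = build_chain(presented)
    except ValueError:
        return "untrusted"
    return "misconfigured-server" if fetched else "ok"


if __name__ == "__main__":
    print(classify([LEAF, INTERMEDIATE]))  # server sent the full chain
    print(classify([LEAF]))                # intermediate missing, recovered via AIA
    print(classify([Cert("www.example.test", "Example Intermediate G2")]))  # no AIA
```

The interesting return value is the `fetched` list: a non-empty list means the connection was validated only because the client went and got a certificate the server should have sent, which is exactly the condition a client could report to the user as a server misconfiguration rather than as a possible attack. The last case in the usage block, a leaf with no AIA pointer and no intermediate, still fails, since there is nothing to fetch.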
