On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen <grob...@gentoo.org> wrote:
> As an outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

When you think about it, this is a defect with your browser, and not
so much with SSL itself.

Your browser generally doesn't complain about unauthenticated
connections.  It accepts unauthenticated connections that aren't
encrypted without any issues, despite these being completely open to
numerous attacks.  However, your browser does complain when it makes
an unauthenticated connection that IS encrypted, even though this is
vulnerable to far fewer attacks.

Browsers shouldn't bug the user about self-signed certificates - they
should simply and clearly show that the user is connected to a host
that isn't authenticated by a trusted intermediate.

Oh, and browsers shouldn't come with root certs pre-installed by the
browser distributor either, but that is about as likely to get fixed
as the problem I just described.

In any case, I don't see poor browser design as a valid reason for
avoiding the use of SSL...

Rich