On Thu, Feb 23, 2012 at 3:28 PM, Paul Hartman <paul.hartman+gen...@gmail.com> wrote: > On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht <markkne...@gmail.com> wrote: >> What is it about my systems wherein every one of these https links >> case my systems to barf with a "This Connection is Untrusted" message. >> If I remove the 's' then things work fine. > > https encompasses two basic functions: encryption and trust. > > In this case the hostname in the SSL certificate installed on that > server does not match the hostname in the URL, so it does not trust > it. If they matched, it would then check to see if it was expired. If > it was not expired, it would then check to see if it was signed by a > CA that you trust (browsers come with a set of trusted CAs already). > If it was self-signed or signed by an untrusted CA (like DigiNotar...) > you'd get a warning as well. > > If literally every https link is untrusted, maybe you have an issue > with the installation of certificates on your system, or have chosen > not to trust any CAs. > > Commercial websites, banks, stores, etc. should always have valid and > trusted certificates. In OSS world, most people don't have the need or > money to pay for a certificate when all they're really interested in > is encrypting the connection. There are also servers that are > listening for https connections but aren't advertised as such... the > mozilla website is probably one of those. Using plug-ins like > HTTPS-everywhere will try to use https even on sites that don't use it > by default. > > In all of those cases above, if you allowed the connection it would > still be SSL encrypted. You'd be protected against packet sniffers but > not against man-in-the-middle attack. By switching to http your > session occurs in plain-text and is vulnerable to both attacks. >
OK, clearly I'm overstating the problem then. I haven't ever had any problems logging into password protected, little closed lock in the bottom corner web sites so that's not a problem. The real problem I've noticed the most is just with these links that arrive as https:// type links and Firefox asking me to specifically accept these certificates which I don't really want to do. And I've not had any problems I've noticed by just removing the 's' and using the site like a regular site. So, I guess there really isn't any problem with my system. I appreciate the info folks. As always, thanks! Cheers, Mark
