On 2007-12-18 at 10:23 -0600, Peter da Silva wrote:
> On 2007-12-18, at 10:02, Robert Rothenberg wrote:
>> https://username.hates-software.com/
>
> Cool! Self-signed *and* wrong address! Two hates for the price of one!
Don't worry, those problems will soon be Interesting.

Switching hate: Firefox 3.0b1

Okay, the certificate is self-signed or has expired or whatever. I know, I'm not going to give any confidential data to them, their site just requires SSL, now let me in.

Most browsers, you just click the little "I know what I'm doing" OK button, which for most users is the "Pwn Me" button, as you just disable all MitM protection. Okay, most users just click OK without reading the text, so you need to move away from that model, fair enough.

Firefox 3 requires you to explicitly whitelist, with a couple of confirmations, the site as having a bad cert before letting you in. Won't really let you _look_ at the cert to see why it's bad. Won't let you do a one-shot ("I'm browsing, a search engine suggested this site, I really don't know if it should have a broken cert or not, so why should I explicitly allow it to always be broken henceforth?"). No option that I can see in about:config or elsewhere for "I understand PKI, why and how it's broken and how lame this whole set-up is, I can make an informed assessment, let me visit the damned site with at most one click-through warning instead of having to open a security hole by setting a configuration policy _without even knowing anything about the site and how sensible this might be_: I know if it really requires server identity verification _after_ I've used it."

So, self-signed problems will go soon.

Oh, and loathe wget(1) for not understanding subjectAltName DNS items and barfing because the main name doesn't match the host portion of the URL. Even if that idiocy were fixed now, it'd take years to percolate out to enough client systems. *sigh*

-Phil
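The wget complaint above is about hostname verification: a client that compares the URL's host only against the certificate's commonName (CN) rejects a perfectly good certificate whose subjectAltName (SAN) carries the right dNSName. The following is an added example, not wget's code and not from the thread, showing the CN-only check beside the SAN-aware check that RFC 2818/6125 require (SAN dNSName entries are authoritative when present; CN is consulted only when there are none). The certificates are constructed dicts in the shape Python's `ssl.getpeercert()` returns, and the `example.net`/`example.com`/`example.org` names are placeholders, so it runs offline.

```python
"""Hostname verification against subjectAltName dNSName entries.

Added illustration for this thread; not wget's code.  Certificates are
constructed dicts in the shape of ssl.getpeercert() so no network or
real certificate is needed.
"""
from urllib.parse import urlsplit

# Constructed sample certificates (placeholder names, not real certs).
# CN does not name the host, but the SAN does: CN-only clients reject it.
CERT_SAN_CN_MISMATCH = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "example.net"),
                       ("DNS", "username.example.net")),
}
# Old-style certificate with no SAN at all: CN is the only identity.
CERT_NO_SAN = {
    "subject": ((("commonName", "host.example.org"),),),
}
# Wildcard SAN; the CN is deliberately unrelated and must be ignored.
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def host_from_url(url):
    """The 'host portion of the URL': lowercased, without port or userinfo."""
    return urlsplit(url).hostname


def _san_dns_names(cert):
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def _common_names(cert):
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def _dns_name_matches(pattern, hostname):
    """Compare one certificate name with a hostname, RFC 6125 style.

    Case-insensitive.  A single '*' is allowed only as the entire leftmost
    label, matches exactly one label, and needs at least two more labels
    after it, so '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'a.b.example.com', and '*.com' matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cn_only_check(cert, hostname):
    """The behaviour complained about: look at the CN and nothing else."""
    return any(_dns_name_matches(cn, hostname) for cn in _common_names(cert))


def hostname_matches(cert, hostname):
    """SAN-aware check.  Returns (ok, reason).

    If the certificate has any SAN dNSName entries they are the only
    identities considered; the CN is a fallback for SAN-less certificates.
    """
    san = _san_dns_names(cert)
    if san:
        for name in san:
            if _dns_name_matches(name, hostname):
                return True, "matched subjectAltName DNS:%s" % name
        return False, "no subjectAltName DNS entry matches %r (CN ignored)" % hostname
    for cn in _common_names(cert):
        if _dns_name_matches(cn, hostname):
            return True, "matched commonName %s (no subjectAltName)" % cn
    return False, "commonName does not match %r and no subjectAltName" % hostname


if __name__ == "__main__":
    for url, cert in (("https://username.example.net/", CERT_SAN_CN_MISMATCH),
                      ("https://host.example.org:8443/", CERT_NO_SAN),
                      ("https://a.example.com/", CERT_WILDCARD),
                      ("https://a.b.example.com/", CERT_WILDCARD)):
        host = host_from_url(url)
        print("%-32s CN-only=%-5s SAN-aware=%s %s" % (
            url, cn_only_check(cert, host), *hostname_matches(cert, host)))
```

The first case is exactly the failure described: `cn_only_check` rejects `username.example.net` because the CN says `www.example.net`, while `hostname_matches` accepts it on the SAN entry. The wildcard rules are the conservative reading of RFC 6125 section 6.4.3; some validators of the era were looser.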