On 2007-12-18, at 12:52, Phil Pennock wrote:
Firefox 3 requires you to explicitly whitelist, with a couple of
confirmations, the site as having a bad cert before letting you in.
That is hateful in all kinds of ways.
Look, the real problem is that SSL mixes up authentication with
encryption. Yes, yes, I know the arguments about WHY it's like that,
I happen to disagree with them: most cases what you really want to
know is "has the certificate for this site I care about changed
unexpectedly". And SSL doesn't really do that: if someone creates a
new certificate for a site as long as it's signed the browser won't
mention it.
But at least you can say "Yes, I know that they're not using the PKI
infrastructure, now keep going".
Won't really let you _look_ at the cert to see why it's bad.
Ah, like when Microsoft "fixed" the word macro autorun bug... but if
you disable the autorun macro you can't look at it, and if you want
to be able to look at it you've gotta let it pwn you. WHAT IS SO HARD
TO UNDERSTAND HERE?
Hate.
