On Fri, 4 Mar 2011, Mike N wrote:

>> Actually not checking the "I trust this certificate from now on" reduces
>> your security, as you will not recognize when some bad guy replaces it
>> or tries to do man-in-the-middle attacks.
>
> Not checking default trust can reduce security related to operations on this site, but opens a hole in the hypothetical case where someone uses a leaked certificate on a more important site such as banking; a man-in-the-middle attack would not be detected.

Well. When accepting a non-standard certificate you should always verify why it is not accepted and then decide (once!) if you trust it or not. It's that simple. Your original texts suggest not to accept self-signed certificates in general and that is actually plain wrong.

> It's quite possible that the certificate on josm.openstreetmap.de is safer than a purchased certificate, but I just didn't take the time to check it all out.

Very easy to decide: If you trust the JOSM download and use the software, you can also accept the certificate. Otherwise, if you think you can't accept the certificate, you also should not download and use the software.

Simple, isn't it?

Ciao
--
http://www.dstoecker.eu/ (PGP key available)


_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev
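The "check why it is rejected, then decide once, then detect any replacement" policy argued for in the message above, as an added example that is not part of the original post and not JOSM's own code: a trust-on-first-use store in Go that pins the SHA-256 fingerprint of the DER leaf certificate the user accepted, lists why default verification would reject a certificate before that decision is made, and hooks the pin into crypto/tls so a later swap fails the handshake. The hostname josm.openstreetmap.de is used only as a map key; the certificates are generated locally as fixtures and are not the site's real certificate; TrustStore, Check, WhyNotTrusted, TLSConfig and SelfSignedCert are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrUnknownCert = errors.New("tofu: no pin for this host; inspect the certificate and decide once")
	ErrCertChanged = errors.New("tofu: certificate differs from the pinned one; possible replacement or MITM")
)

type TrustStore map[string]string // host -> hex SHA-256 of the DER leaf certificate the user accepted

// Check applies the "decide once" policy: acceptNew is the user's answer to the "trust from now on"
// dialog and is only consulted while the host has no pin; a pinned host is never re-asked.
func (ts TrustStore) Check(host string, der []byte, acceptNew bool) error {
	sum := sha256.Sum256(der)
	fp := hex.EncodeToString(sum[:])
	pinned, ok := ts[host]
	switch {
	case !ok && acceptNew:
		ts[host] = fp
		return nil
	case !ok:
		return ErrUnknownCert
	case pinned != fp:
		return ErrCertChanged
	}
	return nil
}

// WhyNotTrusted lists why default verification would reject the certificate, so the user can
// check the reason before deciding: self-signed, expired and wrong name are different cases.
func WhyNotTrusted(der []byte, host string, now time.Time) []string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return []string{"unparseable certificate: " + err.Error()}
	}
	var reasons []string
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		reasons = append(reasons, "self-signed (signed with its own key)")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		reasons = append(reasons, "outside validity period")
	}
	if err := cert.VerifyHostname(host); err != nil {
		reasons = append(reasons, "name mismatch: "+err.Error())
	}
	return reasons
}

// TLSConfig wires the pin into crypto/tls. InsecureSkipVerify only disables CA-chain
// verification; VerifyPeerCertificate still runs and rejects an unpinned or changed leaf.
func (ts TrustStore) TLSConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("tofu: server presented no certificate")
			}
			return ts.Check(host, rawCerts[0], false)
		},
	}
}

func SelfSignedCert(host string) ([]byte, error) { // constructed fixture standing in for the server's certificate
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	host := "josm.openstreetmap.de" // assumed hostname; the certificates below are local fixtures
	store := TrustStore{}
	genuine, _ := SelfSignedCert(host)
	swapped, _ := SelfSignedCert(host) // same name, different key: what a MITM would present
	fmt.Println("why rejected by default:", WhyNotTrusted(genuine, host, time.Now()))
	fmt.Println("first visit, undecided: ", store.Check(host, genuine, false))
	fmt.Println("user trusts it once:    ", store.Check(host, genuine, true))
	fmt.Println("later, swapped cert:    ", store.Check(host, swapped, false))
}
```

Run it with `go run`. Two points the code makes concrete: the pin is per host, so a decision taken for one site is never reused for another, and the swapped certificate produces exactly the same WhyNotTrusted output as the genuine one (both are merely self-signed), so only the stored fingerprint tells them apart. The single unprotected moment is the first visit, which is why the user should look at the certificate before answering the dialog.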
