How can you pull a man-in-the-middle attack, if the browser warns you about (or prevents) *changed* certificates (as described)?
One of Frank's earlier postings on this was about how to deal with normal security-dumb users. You and I would be able to deal with a situation like this, but most users would probably end up okay'ing this situation. Same with the initial connection: they just don't get how important security is. Most viruses lately have taken numerous steps to infect a user, and they still keep getting infected, and you expect them to protect themselves with this kind of situation???
They give their passwords away for a cheap pen, so why would they keep their browsing with self-signed certificates secure?
In my day-to-day work I have to deal with some pretty non-security related individuals, and if they had to make a choice on all this they would not care the slightest what you told them or how many times you told them, as long as they could get to the site they thought they wanted to get to...
Maybe not. But it has its uses and should not be prevented or discouraged by the software, as it currently is.
It has its uses for power users, but end users are acutely clueless in this respect... You can only make things easy for someone to a certain extent, otherwise they get lazy and nonchalant about it and their security goes to nil, and we all go with it as a virus infects their system and sends virus- and spam-infected emails to us encrypted, bypassing all scanners and filters... Other similar people then click OK: "I know Bob, he's a good guy, he wouldn't send me anything harmful", and another one bites the dust...
I spend way too much time thinking about cause and effect hmmm....
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
