[cap-talk] A petname toolbar for Firefox - self signed certs and warning popups

Jed at LBL JEDonnelley at lbl.gov
Tue Feb 22 13:17:10 EST 2005


At 07:39 PM 2/18/2005, David Wagner wrote:
>...P.S. I like the suggestion Ping made of having our browsers try HTTPS by
>default, and encouraging websites to use self-signed HTTPS certificates
>for all transactions.  (Was it Ping who made this suggestion?)  I've used
>self-signed certs on a Redhat Linux box.  It is easy and painless, and
>I have yet to encounter any good reason to go back to plain old HTTP.
>I'm sure some websites would dislike the performance hit, but I like it.

I believe the reason more people don't take the above approach is that
browsers are configured to complain if the certificate signing authority
isn't in their default set.  That produces an annoying popup something
to the effect (taken from Firefox visiting Tyler's Petname Toolbar page
under ssl):
_____________________________________________________________
Unable to verify the identity of www.waterken.com as a trusted site.

Possible reasons for this error:

- Your browser does not recognize the Certificate Authority that issued the 
site's certificate.

- The site's certificate is incomplete due to a server misconfiguration.

- You are connected to a site pretending to be www.waterken.com, possibly 
to obtain your confidential information.

Please notify the site's webmaster about this problem.

Before accepting this certificate, you should examine this site's 
certificate carefully.  Are you willing to accept this certificate for the 
purpose of identifying the web site www.waterken.com?

| Examine Certificate...|

* Accept this certificate permanently
* Accept this certificate temporarily for this session
* Do not accept this certificate and do not connect to this web site
                              | OK |  | Cancel |  | Help |
_________________________________________________________________

Of course other browsers have other but comparable warnings.  Who among
us wants our users to see such warnings about site misconfiguration or
sites pretending to be who they aren't to obtain our confidential
information?

--Jed http://www.webstart.com/jed/ 


