@My1
Created March 7, 2016 13:47
message about selfsigned certs
wait a sec, I have to intervene. Firefox just shows a warning page, but when you trust it the lock turns green and everything is nice. Chrome instead makes it red and slashes out the https.
the problem is really that users need to be aware of a possible false sense of security, and I think that users shouldn't carelessly connect to a self-signed cert (unless it is DANE'd).
while with unencrypted the user sees "okay it's not encrypted, better be careful", many people get a false sense of security from the lock (the reason why FF4-13 removed the lock, which was quite an interesting idea in my opinion).
I would maybe, instead of crossing out the lock, throw a question mark next to it (as in the fact that the real identity of the key is unknown).
throwing that intermediate page should maybe be a little bit more neutral, similar to SSH connection dialogs, but then SSHing people usually have a bit more knowledge than the average user.
and for most sites that should face the public we have Let's Encrypt, a new nice version of StartSSL (they now do 5 domain names per cert plus the roots of the domains, giving you max 10) and WoSign, which as I heard got worse by only allowing 1 name instead of 5.
so free cert options we have enough, and for some tech stuff like admin panels and whatever, the fact that self-signed certs are considered so evil can even be pretty good because
1) bots and whatever probably avoid that stuff
2) a very restricted circle just accesses these pages and you can tell those the cert fingerprint over a secure channel
3) the fact of the "evilness" also helps to protect against stupid people because they might think that they are wrong here.
@kaefert

kaefert commented Mar 7, 2016

I'm sorry, but I have to say that I don't agree with most of what you said above. Especially: why would anyone programming a bot make that bot avoid self-signed certificates?!

I'm testing this right now with Firefox 45.0, which comes with my freshly installed Ubuntu Mate 16.04 Beta2.

Browsing an http site gives me a white / gray circled "i" logo left of the URL, and only if I click on it do I get an info box showing me in red letters "Connection is not Secure".

Browsing a self-signed https site gives me the same circled "i" left of the URL, and above in the tab header a red exclamation mark icon. Also, instead of the real page it shows me a warning page with a huge header "Connection is not secure" and at the bottom two buttons: "Go Back" and "Advanced". I have to click "Advanced" -> "Add Exception..." -> "Confirm Security Exception".

Okay, it's nice that Firefox allows me to save this exception, but for public websites this is still a very much inferior user experience compared to simply using unencrypted http. And that is what infuriates me: that browser vendors make website admins prefer http to https with a self-signed certificate, which makes the Web overall a less secure place than it could be.

@My1

My1 commented Feb 12, 2017

I fully agree that self-signed shouldn't be treated much worse than HTTP (as I said, the warning screen should be a bit more neutral).

I think that the green lock is too much in my opinion, but a slashed red https is too much in the other direction.

also, with the advent of DANE, sooner or later you can use self-signed certs if published through DANE.

The reason for those warning screens (although I do think the warning screens are getting overly annoying to bypass) is of course that while self-signed certs are cryptographically as secure as those from CAs, the problem is the identity, or in other words "how do I know I really connect to Google and not some malicious MITM", and that's why certs exist. and it's not THAT hard to get certs for free, I mean there's Let's Encrypt for example.

for your initial question of why a bot would avoid self-signed certs, one could say pretty much for the same reasons users get warnings. for example, let's say we have an OAuth with Google and someone would intercept the token requests to Google; they 1) would get the OAuth secret and 2) get the token of the respective user, meaning they can do quite a lot of bad stuff depending on the token's permissions. and by that a malicious person could do a ton of bad stuff which happens in the identity of the OAuth application, aka us.

so I think the user needs to be able to get to self-signed sites without too much hassle but must also be educated not to do so carelessly.
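Both the gist's point 2) (hand the restricted circle the cert fingerprint over a secure channel) and the comment above (a self-signed cert is cryptographically fine, the missing piece is identity) come down to the same client-side check: pin the leaf certificate's fingerprint instead of relying on a CA chain. The following Python script is an added example, not code from the gist or its authors; it uses only the standard library, and the `SAMPLE_DER` bytes are a constructed stand-in for a real DER-encoded certificate (a real client takes the bytes from `getpeercert(binary_form=True)`). The host, port and pinned value passed to `connect_pinned()` are assumptions the caller supplies.

```python
"""Fingerprint pinning for a self-signed certificate (added example).

Instead of trusting a CA chain, the client is handed the server cert's
SHA-256 fingerprint over a channel that is already authenticated (in
person, an admin chat, a signed mail) and refuses the TLS connection
unless the presented leaf certificate hashes to exactly that value.
This is the identity check a browser cannot perform for a self-signed
cert, which is why it warns: without a pin it cannot tell the genuine
admin panel from a MITM presenting its own self-signed certificate.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER cert, the
    same format `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and compare case-insensitively."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned value."""
    presented = normalize_fingerprint(fingerprint_sha256(der_cert))
    return hmac.compare_digest(presented, normalize_fingerprint(expected))


def pinned_context() -> ssl.SSLContext:
    """TLS context with CA-chain and hostname verification disabled.
    Identity is established by the fingerprint pin instead, so this
    context must only ever be used through connect_pinned()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int, expected_fp: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and abort unless the leaf cert matches the pin.
    host/port/expected_fp are supplied by the caller (assumed values)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context().wrap_socket(raw, server_hostname=host)  # SNI still sent
    der = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
    if der is None or not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError(
            f"certificate fingerprint mismatch for {host}:{port}; "
            "possible MITM or rotated cert, refusing to continue")
    return tls


# Constructed sample standing in for a DER-encoded certificate body; any
# byte string serves to demonstrate the check itself.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-self-signed-cert-body"
PINNED_FP = fingerprint_sha256(SAMPLE_DER)   # what the admin would hand you

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED_FP)
    print("genuine cert accepted:", fingerprint_matches(SAMPLE_DER, PINNED_FP))
    print("different self-signed cert accepted:",
          fingerprint_matches(SAMPLE_DER + b"\x00", PINNED_FP))
```

The design point is that `pinned_context()` on its own is exactly the "click through the warning" behaviour the thread argues about: it encrypts but proves nothing about who is on the other end. Only the pin comparison in `connect_pinned()` turns it into an authenticated connection, and the pin has to arrive through a channel the attacker cannot tamper with, which is what "over a secure channel" in the gist means. Certificate rotation on the server invalidates the pin, so the same out-of-band channel is needed again whenever the admin panel's cert changes.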
