UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain website turned on optional SSL with a self-signed and domain mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense of this certificate is that it is just as secure as one signed by a commercial CA and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?"
This discussion was created for logged-in users only, but now has been archived.
No new comments can be posted.
They actually give a pretty good reason for not wanting to get their certificate signed by a CA.
By not getting their certificate signed, they are opening up communications to a man-in-the-middle attack. If there is a man-in-the-middle, he can exchange certificates on the fly, and read or inject data into your communications. If you permanently accept this false certificate, and you later connect to this site without the man-in-the-middle, your browser will again ask you if you want to accept the certificate.
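The trade-off this comment describes is what a browser's "add an exception" does in effect: whichever certificate you accept first becomes the trusted one. The following trust-on-first-use (TOFU) pin store is an added example, not code from the thread or from any poster; the hostname and the "certificate" byte strings are constructed stand-ins (not real X.509), and `fetch_peer_cert` is a hypothetical helper showing how the same check would be fed from a live connection. Run through both orderings, it shows that a certificate swap is detected when the attacker arrives after first contact, and that if the attacker is present at first contact, it is the genuine certificate that later trips the alarm. The same `fingerprint` function is how one would compare a root or self-signed certificate against a fingerprint published out of band, which is the verification step the next comment points out almost nobody performs.

```python
"""Trust-on-first-use pinning of a self-signed certificate (added example)."""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Maps host -> pinned fingerprint; optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der: bytes) -> str:
        """Return 'first-seen', 'match' or 'MISMATCH'. Only 'first-seen' writes a pin."""
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return "first-seen"
        return "match" if pinned == fp else "MISMATCH"


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Hypothetical helper: fetch the server's leaf certificate in DER form
    without CA validation (the self-signed case), so it can be pinned.
    Network access; not exercised by the offline scenarios below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; only their bytes matter here.
HOST = "tracker.example"
SITE_CERT = b"constructed-der: self-signed certificate for tracker.example"
MITM_CERT = b"constructed-der: attacker certificate for tracker.example"


def scenario_clean_first_contact():
    """Genuine cert seen first: the attacker's later swap is detected."""
    store = PinStore()
    return [
        store.check(HOST, SITE_CERT),  # first-seen: genuine cert pinned
        store.check(HOST, SITE_CERT),  # match
        store.check(HOST, MITM_CERT),  # MISMATCH: swap detected
    ]


def scenario_poisoned_first_contact():
    """Attacker present at first contact: the genuine cert is what gets flagged."""
    store = PinStore()
    return [
        store.check(HOST, MITM_CERT),  # first-seen: attacker's cert pinned
        store.check(HOST, SITE_CERT),  # MISMATCH: the real site looks like the attack
    ]


if __name__ == "__main__":
    print("clean first contact:   ", scenario_clean_first_contact())
    print("poisoned first contact:", scenario_poisoned_first_contact())
```

A "MISMATCH" verdict is only as good as the first pin, so the pin itself needs to be confirmed against a fingerprint obtained through a second channel before it is relied on.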
Considering you trust the root CAs provided by your browsers, and these are downloaded over insecure connections, I don't see how this is any different. Someone could in theory mess with the root CA you get. How many people call up VeriSign to check the root CA in their copy of Firefox?
Maybe. (Score:2)
torrents!? (Score:1)
Self-signed not different from browser-provided (Score:1)