Why they don't want to consider having a third "encrypted but not 'secure'" state for correct but unauthenticated (self-signed) certificates or certificates that have gone past the arbitrary expiration date encoded in it I also don't know.
Of course, we do have to worry about the teeming masses of evildoers who break into people's houses to replace their wifi routers in order to steal their login password.
There's also a disturbing assumption that only corporate "e-commerce" and government sites have any interest in "legitimate" encryption (the "they'll just go out of business if they don't 'buy' a certificate" arguments.). The usual retort here assumes that the only alternative is that self-signed certificates be treated the same as authenticated certificates and therefore people will somehow think they're "safe" even though there's a chance the site at the other end might possibly be involved with a "Man-in-the-middle" attack. I still fail to see how being driven away from anti-eavesdropping (but unauthenticated) communications to completely unencrypted AND unauthenticated communications makes people "safer" and am a bit baffled that Mozilla is now treating unauthenticated certificates exactly like fraudelently authenticated certificates. The use-case mentioned above of the wifi router which can't necessarily get a "trusted authority" to verify due to lack of a FQDN is a good example of why this shouldn't just be of interest to do-it-yourself hobbyist nerds. I wouldn't have even blinked if a commercial, proprietary browser started doing this.but "open source" Mozilla? Campaigning against do-it-yourself encryption? Just to "scare consumers" away from things that might possibly maybe be bad? That just seems completely wrong.
Why are we being told that we must get permission from a "trusted" authority in order to "legitimately" use encryption? StartSSL supposedly offers free-as-in-free-beer SSL certificate-signing services, but even that's not really the issue in my opinion.
0 kommentar(er)
