<p>So the key to this discussion is that HTTPS provides two things. First is encryption. That my data is only seen by me and the server I'm talking to. This is the part that you two are talking about. The second thing that it does is provide identity. That I not only know that only the person I'm talking to is the server, but also who owns and controls the server. This is the part that browsers are warning you about. I don't care as much about encrypting my credit card as who can decrypt that information. With self-signed certs, you need some sort of web of trust.</p>
<div class="gmail_quote">On Oct 28, 2011 9:40 PM, "Shawn Willden" &lt;<a href="mailto:shawn@willden.org">shawn@willden.org</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">On Fri, Oct 28, 2011 at 12:21 PM, Kevin Reid <span dir="ltr">&lt;<a href="mailto:kpreid@switchb.org" target="_blank">kpreid@switchb.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>I don't know what the browser vendors are thinking, but I can make some stuff up.</div></blockquote><div><br></div><div>That's always my approach when I don't know the answer :-)</div><div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Argument #1:<br>
<br>
Premise 1: "https:" means it's secure, to the user.<br>
<br>
Premise 2: HTTPS security rests on the CAs providing certificates<br>
for DNS names.<br>
<br>
Conclusion: If a certificate is not signed-by-a-CA-etc. then the user<br>
thinks they are secure but aren't; therefore warn them.<br>
<br>
Not showing indicators of security to the user solves this problem, but if you hide "https:" then you're not accurately displaying the URL...<br></blockquote><div><br></div><div>I don't think "accurately displaying the URL" is important. In the last few years browsers have started altering displayed URLs in all sorts of ways, including dropping the protocol prefix entirely in many cases. I just checked and neither Firefox nor Google Chrome display http://. Further, while Chrome does display https:// on SSL-enabled sites (and highlight it in green), FF doesn't display https:// either.</div>
<div><br></div><div>Displaying the URL accurately isn't relevant to 95% (99%?) of users of the web. The remainder can always figure out what they need to.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Argument #2:<br>
<br>
If the author of a *link* wrote "https:" then they expect that link<br>
to securely designate the intended target; if there is a certificate<br>
problem then the link is not succeeding at that job and proceeding<br>
despite that would be a vulnerability.</blockquote><div><br></div><div>Among all the ways a misconfigured web server could cause problems, I think this is pretty low on the list.</div><div> </div></div>-- <br>Shawn<br>
<br></blockquote></div>