[tahoe-dev] SSL samurai attack migration ninjas, film at 11

Shawn Willden shawn at willden.org
Fri Oct 28 18:05:36 UTC 2011


OT:  Does anyone else think it's crazy that web browsers flash huge red
warning signs when they see a self-signed cert, as though that's a clear
indication of some sort of attack being attempted, which is almost never the
case?

It's always seemed to me that an appropriate browser response to a
self-signed cert is to accept it and use it to establish an encrypted
session, but not to display the lock icon or anything else that would make
the user think this page is especially secure.  For bonus points, browsers
could implement ssh-style notification of server key changes.

But the sort of big scary warnings browsers now display makes no sense to
me.

On Fri, Oct 28, 2011 at 10:22 AM, Brian Warner <warner at lothar.com> wrote:

> The tahoe-lafs.org server has moved! But, we had a hiccup with the SSL
> certificate on the new server. While Zooko gets a new one generated and
> installed, there is a self-signed certificate in place. So don't be
> surprised if you see the "OMG SELF-SIGNED CERT NOO!" warning (known as
> the "Larry Dialog" in Firefox). It should be fixed within a couple of
> hours, so don't feel obligated to bypass the warning.. just check back
> in later.
>
> migration!
>  -Brian



-- 
Shawn
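
The behaviour proposed in the message above (encrypt with a self-signed cert, show no lock icon, and give ssh-style notice when the server's key changes), sketched as an added example that is not part of the original post or of any browser's code. The class name, outcome names and the choice to pin the SHA-256 of the whole certificate are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path

# Possible outcomes (illustrative names, not any browser's API).
LOCK = "encrypted, lock icon shown"
NO_LOCK = "encrypted, no lock icon"
KEY_CHANGED = "warn: server certificate changed"


class PinStore:
    """known_hosts-style store: "host:port" -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _remember(self, key, fingerprint):
        self.pins[key] = fingerprint
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def decide(self, host, port, cert_der, ca_validated):
        """Return LOCK, NO_LOCK or KEY_CHANGED for one connection attempt.

        cert_der: server certificate in DER form, e.g. the result of
        ssl.SSLSocket.getpeercert(binary_form=True).
        ca_validated: True if normal chain and hostname validation succeeded.
        """
        key = f"{host}:{port}"
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        pinned = self.pins.get(key)
        if ca_validated:
            self._remember(key, fingerprint)
            return LOCK
        if pinned is None:
            self._remember(key, fingerprint)  # first contact: trust on first use
            return NO_LOCK
        if pinned == fingerprint:
            return NO_LOCK
        # Unvalidated certificate differs from the pinned one: keep the old
        # pin and surface the change, as ssh does for a changed host key.
        return KEY_CHANGED


# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed self-signed certificate A"
CERT_B = b"constructed self-signed certificate B"
```

Because a mismatching unvalidated certificate never replaces the stored pin, a site that once presented a CA-validated certificate and later presents a self-signed one also lands in the KEY_CHANGED case.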