[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL problems - lynx-dev lynx2.8.5dev.9

From: David Woolley
Subject: Re: SSL problems - lynx-dev lynx2.8.5dev.9
Date: Sun, 13 Oct 2002 17:53:24 +0100 (BST)

>   I get following error when connecting to some https sites:
> SSL error:self signed certificate in certificate chain-Continue? (y)

Self signed certificates are root certificates.  If you don't have the
relevant root certificate in the your certificates file, it means that
you don't trust anyone to vouch for the authenticity of the site.  Root
certicates represent people like Verisign that are in the business of
confirming the identity of servers, etc.

If you believe that you are really talking to the site, and not someone
in between, who is either completely simulating the site or relaying
your requests onto the real site (called a "man in the middle" attack),
you will still have an encrypted connection.  Otherwise, you should act
as though the site was an impostor, unless and until you manage to get
a root certificate from a trustworthy source, and that root certificate
represents someone that you would trust to have vetted the site you 
want to connect to.

The big 2 are adding an increasing number of root certificates, and most
users fail to realise that they are putting a trust in the supply chain
for the browser to give them the certificates of reliable organisations
(the browser suppliers could make bad choices, or the browser could have
been hacked before you got it).

Incidentally, standard browsers come with certificates representing
very different levels of identity verification, but most people accept
all of those supplied with the big 2 as equally valid.

I hope that this is a correct explanation.  It's based on a similar 
explanation for what I believe to be the equivalent message from a 
big 2 browser.

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]