From: David Woolley
Subject: Re: SSL problems - lynx-dev lynx2.8.5dev.9
Date: Sun, 13 Oct 2002 19:47:26 +0100 (BST)

> Is the average lynx user going to need to know all of this esoteric stuff
> to access SSL sites?

If you are referring to my article, this is one of the great weaknesses
of SSL on the web; people don't understand it and therefore are not
getting the level of security that they think they are getting.

If you don't have any root certificates, you are in a much worse position
than big 2 users, but one that Lynx used to be in.

If you uncritically accept all the certificates that come with the big 2,
you may find that you only have very basic checks being made on the
identity of the web server.  Even then, if you don't run Windows Update,
etc, or don't understand the presence of updated root certificates in
the list of suggested updates, you will start getting this sort of error,
even with the big 2, as certificates expire, or as new companies start
offering site authentication services.

Note that the big 2 DO generate this sort of error message, but tend to
come with a set of root certificates that cover all the one man and a dog
certificate issuers.

Really, with security, a little knowledge is a dangerous thing, and I
suspect that many people, if they really understood the trust structures
associated with SSL, would be rather careful about checking the details
of certificates.

One major company even issued a Microsoft certificate to a company other
than Microsoft, and there had to be a Windows critical update to block
that certificate.
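The trust-store point made above (whether the client holds the issuer's root certificate, and what happens once a certificate is past its dates) can be reproduced on the command line. The script below is an added example, not code from this thread or from the Lynx project; it assumes only that the openssl command-line tool is installed. The CA name "Example Root CA" and the host name www.example.test are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: build a throwaway root CA and a server certificate, then
# verify the same server certificate under three conditions to show that the
# verdict depends on the client's trust store and on the date, not on the
# certificate alone.  Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA (constructed name), valid for a year.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Server certificate for a made-up host, signed by that CA, valid 30 days.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/srv.crt" >/dev/null 2>&1

NOW=$(date +%s)
LATER=$((NOW + 60 * 86400))   # 60 days on: the 30-day server cert has expired

# Verify the server certificate with the given trust-store flags, evaluating
# validity at the given epoch time.  Echoes "ok" or "fail".
# On failure openssl itself reports the reason, e.g.
#   "unable to get local issuer certificate"  (issuer not in trust store)
#   "certificate has expired"                 (past notAfter)
verify_at() {   # $1 = trust-store flags (split on spaces), $2 = epoch seconds
    # shellcheck disable=SC2086
    if openssl verify $1 -attime "$2" "$WORK/srv.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Issuer present in the trust store, checked today: passes.
with_root_ca()    { verify_at "-CAfile $WORK/ca.crt" "$NOW"; }
# No root certificates loaded at all (the pre-trust-store Lynx situation):
# the chain cannot be built, so it fails.
without_root_ca() { verify_at "-no-CAfile -no-CApath" "$NOW"; }
# Issuer trusted, but the server certificate has expired: fails.
after_expiry()    { verify_at "-CAfile $WORK/ca.crt" "$LATER"; }

for case in with_root_ca without_root_ca after_expiry; do
    printf '%-18s %s\n' "$case:" "$($case)"
done
```

The third case is the one the message describes for users who never refresh their root list: nothing about the site changed, but the client's verdict flips from "ok" to "fail" purely because time moved past the certificate's dates, and the same flip happens when a site moves to an issuer the client has never heard of.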

