What is shocking is that they still haven't found the way to properly fix it after 3 days.
I updated some SSL certificates last week (which even required contortions such as moving to a new issuer since some legacy software requires old-style SHA-1 signed ones which our current one doesn't provide), and it didn't take more than one (long) day of work.
At this point, changing out a cert takes me about 15 minutes (typically for multiple servers). 10 of those is figuring out the order in which to include intermediate certs. I really should script that part out.
I wonder if browsers should for (say) a week after a cert has expired, show an error so alarms are raised, but allow the dialog to be dismissed with an OK instead of all the "Confirm Security Exception" that would go on for a more serious cert rejection.
I think the real problem is that, by assuming users won't read error messages carefully, and making them shorter/less informative as a result, we've been implicitly encouraging this behaviour, leading to even less attention paid to the messages, etc. and the vicious cycle continues.
The original argument was that seeing error messages often will make users ignore them, but I don't think certificate errors should be very common now. Either way, I think we should be encouraging users to read error messages more carefully. Maybe the Yes/No buttons on the dialog should be put in a random order, and the question randomly flips between "Do you want to proceed?" and "Do you want to abort?"... adding a "learn more" option would be a good idea too.
I like this idea. At the moment there is nothing that differentiates a "this cert expired yesterday" warning from a "someone is MITMing your connection" warning, at least not for the casual user.
And since the former is (sadly) pretty common, this only teaches people that these warnings are not that unusual, and can safely be overridden.
It would be much better to have one "the server admin forgot to renew his certificate" type of warning and another "a totalitarian regime is trying to spy on you" type of warning...
That shouldn't be default behaviour in any browser but rather a plugin that you can install that gives the notification. Preferably with a whitelist of websites that I want to get notifications of.
Our website monitoring service https://t1mr.com will warn you before your certificate expires (in addition to warning you when your site is down, and giving you reports of inbound and outbound dead links).
If I understand right, getting a replacement cert doesn't result in a change of the private key anyways.
It's just magically, on the expiration date, your cert is somehow insecure and we must treat it as if YOU ARE IN DANGER!! - even though it's still better than then plain HTTP that everyone uses every single goddamned day. Hell, a self signed cert is better than plain HTTP, yet for some backwards-ass reason we treat it as worse, despite the fact it makes you immune from passive eavesdropping and any injection attacks, which the average person is a lot more likely to run into than a self-signed cert being used by an attacker to MITM you.
CA's are a scam and a racket. I can't wait for Mozilla's Let's Encrypt[1] to come along and put them all out of business, hopefully before the last decade or so of training users to ignore the wolf-crying cert warnings comes to fruition.
Yeah, this is irresponsible on Manjaro's part, they know the rules of the game, but the game is broken!
A "passive eavesdropper" has all the information they need to become an active man-in-the-middle. Observe the DNS query on its way out and send your own response with your IP before the real response comes back. The client will then make its TCP connection to that injected IP.
Self-signed can be worse because by the same token it can be MITM'd by another self-signed cert. It would create the false illusion of security, which could lead people to provide information they otherwise would not have.
The issue is with HSTS. If you've visited the site before you've likely cached that SSL is required and your browser will refuse to connect. Using e.g. a 'private window' will allow it to be bypassed.
By having an expiry, revoked certs can be forgotten about once the expiry has passed. We'd need to keep a forever growing list of revocations otherwise.
[+] [-] thejosh|11 years ago|reply
[+] [-] UnoriginalGuy|11 years ago|reply
[+] [-] ikt|11 years ago|reply
[+] [-] Yeri|11 years ago|reply
[+] [-] phyzome|11 years ago|reply
[+] [-] jng|11 years ago|reply
I updated some SSL certificates last week (which even required contortions such as moving to a new issuer since some legacy software requires old-style SHA-1 signed ones which our current one doesn't provide), and it didn't take more than one (long) day of work.
[+] [-] IgorPartola|11 years ago|reply
[+] [-] jonathonf|11 years ago|reply
I can only assume the sysop is on holiday.
[+] [-] billpg|11 years ago|reply
[+] [-] userbinator|11 years ago|reply
The original argument was that seeing error messages often will make users ignore them, but I don't think certificate errors should be very common now. Either way, I think we should be encouraging users to read error messages more carefully. Maybe the Yes/No buttons on the dialog should be put in a random order, and the question randomly flips between "Do you want to proceed?" and "Do you want to abort?"... adding a "learn more" option would be a good idea too.
[+] [-] DangerousPie|11 years ago|reply
And since the former is (sadly) pretty common, this only teaches people that these warnings are not that unusual, and can safely be overridden.
It would be much better to have one "the server admin forgot to renew his certificate" type of warning and another "a totalitarian regime is trying to spy on you" type of warning...
[+] [-] ins0|11 years ago|reply
[+] [-] drinchev|11 years ago|reply
[+] [-] mijndert|11 years ago|reply
[+] [-] ikeboy|11 years ago|reply
[+] [-] ntoshev|11 years ago|reply
[+] [-] falcolas|11 years ago|reply
[+] [-] seqizz|11 years ago|reply
[+] [-] agarcia-deniz|11 years ago|reply
Enjoy the simplicity
[+] [-] Karunamon|11 years ago|reply
If I understand right, getting a replacement cert doesn't result in a change of the private key anyways.
It's just magically, on the expiration date, your cert is somehow insecure and we must treat it as if YOU ARE IN DANGER!! - even though it's still better than then plain HTTP that everyone uses every single goddamned day. Hell, a self signed cert is better than plain HTTP, yet for some backwards-ass reason we treat it as worse, despite the fact it makes you immune from passive eavesdropping and any injection attacks, which the average person is a lot more likely to run into than a self-signed cert being used by an attacker to MITM you.
CA's are a scam and a racket. I can't wait for Mozilla's Let's Encrypt[1] to come along and put them all out of business, hopefully before the last decade or so of training users to ignore the wolf-crying cert warnings comes to fruition.
Yeah, this is irresponsible on Manjaro's part, they know the rules of the game, but the game is broken!
[1] http://letsencrypt.org
[+] [-] billpg|11 years ago|reply
[+] [-] Zikes|11 years ago|reply
[+] [-] abofh|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] bitJericho|11 years ago|reply
[+] [-] jonathonf|11 years ago|reply
[+] [-] ins0|11 years ago|reply
[+] [-] nailer|11 years ago|reply
[+] [-] lauriswtf|11 years ago|reply
[+] [-] bitJericho|11 years ago|reply
[+] [-] mahouse|11 years ago|reply
[+] [-] HendrikR|11 years ago|reply
[+] [-] billpg|11 years ago|reply
[+] [-] bastomi29|11 years ago|reply
[deleted]
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] andygambles|11 years ago|reply