firefox and bad ssl certificates

Milan Bouchet-Valat wrote:
> Notifications are never read, especially by users that are not
> passionate by computers - they're exactly like there was no message at
> all, only they annoy users: "click OK and then see if there's a problem"
> is what OS have used people to for many years. And after that the lock
> in the address bar still seems to confirm you're on a secure website.

I think you are dead wrong. It is absolutely wrong to say they are NEVER read as people DO see them, and CAN read, ergo some do. I would go so far as to say that the vast majority of people read them, the problem is when they fail to understand.

And once you accept the invalid certificate, you ARE on a secure web site. The only thing you have to worry about is that someone has intercepted your connection and is spoofing the site with their own self-signed certificate. If a user frequents a site and does not get this warning, then one day they do, they might think something is up. If not, well, they have been warned.

> IMHO it's not mainly about educating the user, but to force servers to
> use correct certificates. When freedesktop.org will understand every
> person that goes to their bugtracker gets to the new Firefox warning, I
> guess they will change their certificate. ;-) (just an example)

No, they won't, and shouldn't. Why pay some idiot corporation an extortion fee just because they bribed the browser manufacturers to include their certs by default? There is NO added security to having a paid-for cert. See the several incidents where bank web sites have been spoofed on a slightly misspelled version of the domain name and issued a "valid" cert from a CA "proving" they are the bank you thought you were visiting.

> To continue your metaphor, it's primarily intended to force GPS vendors
> to provide hands-free models so that then you can drive without this
> kind of concern.

Pissing off the users by making their life harder is not a good way to get your (wrong-headed) point across to the web site operators.