
Andrew Joakimsen wrote:
> On Wed, Mar 23, 2011 at 22:45, Robert Kaiser <KaiRo@kairo.at> wrote:
>> Andrew Joakimsen wrote:
>>> With Chromium, Safari, Internet Explorer, etc, if you visit a website with an "invalid security certificate" the bypass is 1 click.
>> Which is a security problem by itself. No user should be able to override the security certificate unless (s)he knows exactly that this breaks every security assumption and is very probably an attack if it happens on a high-volume site.
> No, because all of the browsers that I cited (except Internet Explorer) that do SSL warnings the right way make the warning very clear it's something out of the ordinary.
That doesn't matter, as most people just click through and don't read any text. That's why _any_ way to click through those warnings is a security bug. (And nobody needs to remind me of the Comodo cert stuff; I read all about it on our internal Mozilla security group mailing list, and I personally think the whole SSL system is flawed, but we don't have anything better that is widely established in the website space.)

Robert Kaiser