[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]

Eitan Adler lists at eitanadler.com
Tue Oct 19 17:07:04 PDT 2010


Given that there is absolutely no security lost in my proposal I
assume that either a) I am not understanding the reason for the
opposition to the proposal or b) my proposal is not being understood
correctly.

I will try to clarify my proposal, and if this is what others are
opposed to, can you please clarify why.

In cases where a user makes an HTTP (not secure) connection and a safe
HTTPS connection cannot be guaranteed (i.e. the certificate is
self-signed) there should be an option for the browser to transparently
connect using HTTPS but not offer any indication that it is making a
"secure" connection (because that might be a lie).

The user has no expectation of security and the user is not being
misled into believing (s)he is secure. However, you have successfully
raised the bar for the attacker and encrypted otherwise unencrypted
communication.

Note that this does not affect situations where the user believes he
is secure, nor does it affect situations where the user attempts an
httpS request but it fails due to having a bad certificate.

On Tue, Oct 19, 2010 at 7:51 PM, Eitan Adler <lists at eitanadler.com> wrote:
> ....
>> Stated another way, all our locks are bump-keyable. Here's your bump key:
>>
>
> Do you not use locks on your doors?
>
>
> --
> Eitan Adler
>



-- 
Eitan Adler
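The upgrade policy the message above argues for, written out as an added example that is not from this thread or from HTTPS Everywhere itself: a probe that separates a verified chain from a merely encrypted connection, and a decision function that keeps the browser's security indicator tied to verification rather than to encryption. The outcome names, probe_tls and decide are hypothetical.

```python
import socket
import ssl
from dataclasses import dataclass

# Outcomes of probing a host over TLS (hypothetical names for this example).
VERIFIED = "verified"        # chain and hostname validate: real HTTPS
UNVERIFIED = "unverified"    # handshake works, but e.g. a self-signed certificate
UNREACHABLE = "unreachable"  # no usable TLS listener at all

def opportunistic_context() -> ssl.SSLContext:
    # Encrypt anyway, but authenticate nothing; the UI must never call this "secure".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe_tls(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Network probe: classify what an HTTPS upgrade to host would get us."""
    try:
        # create_default_context() = CERT_REQUIRED + hostname check: earns a lock icon
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return VERIFIED
    except ssl.SSLCertVerificationError:
        pass  # TLS exists but the chain does not validate: try the opportunistic path
    except OSError:  # ssl.SSLError, timeouts and refused connections all land here
        return UNREACHABLE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with opportunistic_context().wrap_socket(sock, server_hostname=host):
                return UNVERIFIED
    except OSError:
        return UNREACHABLE

@dataclass(frozen=True)
class Decision:
    scheme: str     # transport actually used: "http" or "https"
    indicator: str  # what the browser shows: "secure", "none" or "error"

def decide(requested_scheme: str, outcome: str) -> Decision:
    """The proposal's rule: the indicator follows what was verified, not what was encrypted."""
    if requested_scheme == "https":
        # The user asked for security: a bad certificate stays an error, never a silent downgrade.
        return Decision("https", "secure" if outcome == VERIFIED else "error")
    if outcome == VERIFIED:
        return Decision("https", "secure")  # the ordinary HTTPS Everywhere upgrade
    if outcome == UNVERIFIED:
        return Decision("https", "none")    # encrypted, but displayed exactly like plain HTTP
    return Decision("http", "none")         # nothing to upgrade to; stay in the clear
```

probe_tls needs network access; decide is pure and is where the three cases from the message (plain request upgraded silently, plain request left alone, explicit HTTPS request with a bad certificate still failing) are encoded.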
