Re: Draft finding - "Transitioning the Web to HTTPS"

On 6 janv. 2015, at 21:14, Mark Nottingham <mnot@mnot.net> wrote:
> The browser/OS trust stores need to do a better job of informing users of the power given to someone when a new CA is installed, at the very least. I’d personally prefer it if there were also obvious (or even default) means of limiting the power of new trust roots.

I completely agree with that statement, but such a practice is due to the economic rejection of following the too commercial approach that https has surround. There is still a lack for simple honest and effective support by browsers of self-signed certificates. Something such as the warning on Google Chome:

> Your connection is not private
> Attackers might be trying to steal your information from xxxx (for example, passwords, messages, or credit cards).
> (link) Advanced, (big button) Back to Safety
> NET::ERR_CERT_AUTHORITY_INVALID
(it's so bad you can't even print or copy it! Internet Explorer used to do even worse)

Users currently have no way to differentiate this from an attacker's website.
However, the browser is lying when it is warning about being watched while it is not warning anything when being watched when using http websites.

Maybe someone will answer me… "but that's because it's https hence it's expected to be secure". Well, that is what needs to be changed at users' beliefs: No https URL can be secure in itself. In particular, since heartbleed, many well valid and well informed certifcates may be hanging around and be also in the hands of hackers.

Validated certificates can be shown with a degree of confidence. EV Certs are probably such.

For other certificates, and this includes self-signed ones, expired ones, … one should just indicate no more than "a little lock" and indicate that it "appears to be encrypted till the server" and please stop warning that this is going to "steal your credit card" !!

thanks

Paul