- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 26 Dec 2006 18:13:00 +0000
- To: "Doyle, Bill" <wdoyle@mitre.org>
- CC: public-wsc-wg@w3.org
Doyle, Bill wrote: > I like the point brought up in Mike's note. > > "For sites with self-signed certs, I think there's growing support > for the idea of simply not showing any security indicators at all." Seems a bit too simplistic to me (and a bit biased towards commercial CAs). I think better would be to treat all SSL server certs that can't be verified the same. That might mean not displaying security indicators or it might mean displaying them, depending on other factors. A scenario where displaying would be fine: I have my own web server that I installed and whose content I control. It should be ok for me to mark that self-signed cert (or hostname or whatever combination makes sense) as being ok to display as "secure". I would guess that that might generalise to a scenario about non-commercial community sites. So generally, if a user has a way to mark a site as "ok" then successfully using the same self-signed cert is a fairly strong indicator that the site is still "ok" on subsequent visits and is certainly not the same as re-visiting that site via cleartext HTTP. S. > > The trust between a user and a site with a self signed cert is a > private trust mechanism. In this situation 3rd parties are not involved > and cannot provide information to support a trust decision, should > turning off security indicators be promoted to a standard? > > > Bill D. > wdoyle@mitre.org > > > > -----Original Message----- > From: public-wsc-wg-request@w3.org > [mailto:public-wsc-wg-request@w3.org]On Behalf Of Michael(tm) Smith > Sent: Friday, December 22, 2006 6:34 AM > To: public-wsc-wg@w3.org > Subject: Re: Browser security warning > > > > michael.mccormick@wellsfargo.com, 2006-12-21 11:58 -0600: > >> I just tried to access a reputable web site that issues its own >> SSL certs > > How exactly did you make the determination that it's reputable? > (I'm not being facetious.) How could a user be expected to tell it > apart from a unreputable site that has a self-signed cert? > > For sites with self-signed certs, I think there's growing support > for the idea of simply not showing any security indicators at all. > If we were to do that consistently across browsers, users would > never see any warning dialog at all for this case, nor any padlock > icon or anything else to indicate that the site has a cert. > >> and got this warning message from IE6: >> "You are about to install a certificate from a CA claiming to >> represent www.x9.org. Windows cannot validate that the >> certificate is actually from www.x9.org. You should confirm its >> origin by contacting www.x9.org. The following number will >> assist you in this process: >> Thumbprint (sha1): 8FBF6185 1D390508 F04BA0CB 31F4C4C E5310DAE. >> >> "Installing a certificate with an unconfirmed thumbprint is a >> security risk. If you click Yes you acknowledge this risk. Do >> you want to install this certificate?" > > I guess in part this is case of the application providing too much > information. Maybe the part that says "Windows cannot validate > that the certificate is actually from www.x9.org" is enough. > > Here's what a few other browsers say for the same site: > > ----------------------------------------------------------------- > The root certificate for this server is not registered. You may > install this certificate. Accept/install? > > - The root certificate from "www.x9.org" is not known to Opera. > Opera cannot decide if this certificate can be trusted. > ----------------------------------------------------------------- > > ----------------------------------------------------------------- > The server certificate failed the authenticity test. > > Certificate is self-signed and thus may not be trustworthy. > ... > ----------------------------------------------------------------- > > ----------------------------------------------------------------- > Unable to verify the identity of www.x9.org as a trusted site. > Possible reasons for this error: > - Your browser does not recognize the Certificate Authority that > issued the site's certificate. > - The site's certificate is incomplete due to a server > misconfiguration. > - You are connected to a site pretending to be www.x9.org, > possibly to obtain your confidential information. > > Please notify the site's webmaster about this problem. > > Before accepting this certificate, you should examine this > site's certificate carefully. Are you willing to to accept this > certificate for the purpose of identifying the Web site > www.x9.org? > ----------------------------------------------------------------- > >> I'm a security professional and even I find this message very >> hard to understand and almost completely unactionable. An >> ordinary user would ask: >> * What is a certificate? > [...] > > It's going to be very hard for any browser to provide information > about the problem without mentioning the word "certificate". > > How would you suggest the browser could make an ordinary user > understand what a certificate is so that the user can take action > when encountering this case (a site with a self-signed cert for > which no browser is going to have a root certificate)? > > Or do you think browsers should not even bother trying to warn > users about sites with self-signed certs? (That is, just treat > them as they would an unsecure site without any cert.) > > --Mike >
Received on Tuesday, 26 December 2006 18:12:25 UTC