102 Comments
- picpak, on 08/23/2008, -10/+156
Firefox once stopped me from going to microsoft.com. Not a bad idea.
- inactive, on 08/24/2008, -8/+73
Firefox is still a lot more reliable than Internet Explorer.
- mynameistux, on 08/24/2008, -3/+70
It's their own stupid fault. When they're getting waaaay fewer people on their website, maybe it's time to renew the certificate.
- CokeZero, on 08/24/2008, -9/+64
Maybe the site owners should stop being lazy *****.
- bodegit, on 08/24/2008, -3/+31
But they cost like, 7 bucks a year... : (
- Nouman6, on 08/24/2008, -1/+24
Great add-on:
https://addons.mozilla.org/en-US/firefox/addon/345 ...
has warned me a couple of times, so I know it's working :)
- virginian9000, on 08/24/2008, -4/+26
I use Firefox 3. I have never seen this.
- megaton, on 08/24/2008, -0/+18
Frankly, the whole SSL security model is broken anyway. It's trivial to get a certificate that LOOKS like it's from a legitimate organization but isn't ("Microsoft Corp." vs. "Microsoft, LLC"), which makes 3rd-party intervention in secure communication trivial.
It goes back to the old adage: social engineering is the path of least resistance.
- cynicalcheeto, on 08/24/2008, -1/+16
And so many Fortune 1000 companies are having trouble getting beer money. How do you expect them to pay for their beer, World of Warcraft subscription, AND the SSL fee?
- PatrickBrown, on 08/24/2008, -1/+15
Validation of viewstate MAC failed :(
Oh wait, that is a "feature".
Never mind.
- sexybobo, on 08/24/2008, -0/+13
The $30 ones from GoDaddy will encrypt the traffic; the $300 ones from VeriSign let the end users know they are doing business with who they think they are.
- roxgod666, on 08/24/2008, -1/+14
Actually quite the opposite on my Firefox. It always gets stranded when I go to apple.com but works perfectly with microsoft.com.
- steelaz, on 08/24/2008, -4/+15
Firefox does this for self-signed SSL certs too. Many web hosts offer self-signed certs for free, so you can secure your website's login form or any other form that accepts personal info. Now Firefox discourages developers from using self-signed SSL.
Sincerely,
Lazy *****
- megaton, on 08/24/2008, -0/+11
It's rather trollish to insist he's a troll because he hasn't ever seen a failed certificate.
- S4MF1SHER, on 08/24/2008, -2/+13
Wow, this is a cool non-story story. What's wrong with holding websites up to the security standard that they themselves were, at one time, trying to maintain? Sure, it's a pain in the ass to bypass the Firefox 3 warning, but I want to know when the SSL certificate is no longer valid.
- sexybobo, on 08/24/2008, -0/+11
A valid SSL certificate is basically saying that, according to VeriSign or whoever signed the certificate, you are who you say you are. Unsigned certificates still encrypt the traffic but give the end user no security that you are sending money to who you think you are.
I.e., the traffic can be encrypted, but if the holder of the key is a phisher it doesn't matter.
- bmullins, on 08/24/2008, -1/+12
Buy a certificate and use it for a hundred years (expired for 99 of them). If I get lucky and break your key... you are screwed.
But if you renew, the keys change every year... and no one is THAT lucky EVERY year.
That being said... I'd go around the error if it's only been expired for a month or two. I've seen sites with certs that were over 2 years old, though... No way would I put in any personal info.
- chuckd01, on 08/24/2008, -0/+11
Was buying something on Newegg and the Visa verification website was blocked! Why would a service specifically made to assist in preventing fraud allow their certificates to expire?!
- sodoh, on 08/24/2008, -1/+11
The story is a bit of BS. FF doesn't stop you from entering the site. It warns you. You just click "add exception" and it lets you in. So when your son comes around to fix your spyware-filled piece of crap machine, they can at least see all the websites you stupidly accepted without thinking.
- dood, on 08/24/2008, -6/+16
What does a certificate's expiration actually mean to the end user? For that matter, what does a valid certificate mean? Either way, the data is encrypted while it is in transit.
Why should I, Joe User, care if the certificate expired a couple of weeks ago? It's not as though the certificate guarantees the security of my data (pre- and post-transit).
- cynicalcheeto, on 08/24/2008, -0/+9
I'm not having any of those problems. Perhaps you should check on updates, maybe manage your add-ons.
- Chewie67, on 08/24/2008, -2/+11
If the past 5 years have taught us anything, it's that we can't be so flippant with security. The general web-surfing community is not technically literate, and they will get themselves in trouble. Better to warn them when a site isn't secured properly than just say "It's probably okay..."
As the article states, there is no excuse for not having a proper SSL certificate. They cost about $27 per year at GoDaddy. With coupon codes (search anywhere to find them), you can get the price down even lower. You don't need a $300 certificate, no matter what Thawte and VeriSign tell you.
Install a proper SSL certificate, or lose business. It's that simple.
- SniperZero, on 08/24/2008, -1/+10
Let's support only IE4 while we are at it...
Seriously, update your SSL certs. Don't just be a bunch of lazy ***** and blame it on something that does actually put in some effort on security issues.
- inactive, on 08/24/2008, -0/+8
Expired certificate. They renewed it recently. Used to happen a lot on the FF3 betas. MS only fixed the website issue very recently, and no doubt they did it because of FF3.
- Giga, on 08/24/2008, -0/+8
It's a bit hard to shop somewhere else when Visa, the credit card, is blocked.
- sasha0, on 08/24/2008, -6/+14
SSL certificates are a scam, and I hate to see Firefox getting sucked into it. There is absolutely no difference between a self-signed certificate, an expired certificate or the "valid" ($12.99) certificate most sites employ. If you did not have to show your business tax return and two pieces of picture ID in the presence of a witness when you were applying for your certificate, it is no better than the default self-signed and expired certificate for "Snake Oil Ltd.".
- LeeSoong, on 08/24/2008, -0/+8
Instead of the “customs officer” graphic, did you see a Monopoly Policeman?
The “customs officer” graphic and an error message are a good idea.
If a website is built correctly, no problem.
Shady websites and poorly implemented security should get called out,
and fixed correctly.
Web operators shouldn't blame Firefox for telling the truth.
- talonstriker, on 08/24/2008, -0/+7
If IE did anything like that, a ***** would brew.
- diabolicedict, on 08/24/2008, -1/+8
The point of a $300+ cert from a reputable Cert Authority is that they actually verify that the cert applicant exists and, to some degree, who they claim to be. It is more expensive because of all these checks they have to perform.
- Giga, on 08/24/2008, -0/+7
Or not visit the site. The warning is there to deter people from going to untrusted sites.
- HigherLogic, on 08/24/2008, -1/+8
A wildcard, full-validation SSL certificate (with EV) can cost more than $900+ depending on where you go. But yeah, most companies should have no problem spending even $300-400 on a full-validation certificate (less EV, wildcard).
- sexybobo, on 08/24/2008, -0/+6
Fortune 1000 companies are going to get an SSL certificate signed by VeriSign or the like instead of the $12 ones your web host gets. The college I work for is paying $399 a year for one from VeriSign. Still not a horrible amount for most businesses.
- zdiggler, on 08/24/2008, -0/+6
What I don't like is the dialog box. It looks too close to when you type in the wrong URL or the server is down, etc.
It should be different from all other error pages. Like RED with a big stop sign and a clear warning message, and a link to pages that explain Signed Secure Certificates, etc. Most people I deal with don't understand at all; they automatically think the server is just down.
- TheGuruStud, on 08/24/2008, -3/+9
They never said that nor implied it by this function. Way to be a *****. FF is just being on the safe side. Remember, if you know it's legit, then you can just add it to allow.
BTW, I could just make one, and then when you come by the site, I'll just steal w/e info you give me. How's that sound?
- comrade693, on 08/24/2008, -0/+5
@HigherLogic
Er, EV specifically disallows wildcard certificates. You can't verify the identity of subdomains not yet created...
- ElectricKetchup, on 08/24/2008, -2/+7
"so you can secure your website's login form or any other form that accepts personal info."
I wouldn't call that "secure". Sure, it stops passive eavesdropping, but any MITM attacks will still happen, and then you have zero security (unless you transfer the public key in a trusted way).
- diabolicedict, on 08/24/2008, -0/+5
Every browser can install a cert provided
1) They agree to bypass the browser warning that they are about to install a non-root authority cert.
2) The user has administrator (root) access that allows his logon to accept certs.
- Giga, on 08/24/2008, -1/+6
"- How would a man in the middle attack be more probable if the SSL cert is self-signed or expired??"
The man in the middle can make their own SSL cert that looks close enough without the stringent checks at VeriSign making sure they are who they say they are. For expired ones, it is possible that the SSL cert was somehow hacked or leaked, and renewing expired ones reduces the window of opportunity for exploiting a leak.
"- Where does DNS poisoning come into play here?"
DNS poisoning can send you to a site using a different but similar-looking SSL cert, making the user think they are at the legitimate site when in fact they are not. It's not practically possible to create your own SSL cert that looks like a top-tier SSL cert.
- smacksaw, on 08/24/2008, -0/+4
All I saw was someone confiscating all of my damn booze and a bunch of dogs sniffing my car.
- Elen, on 08/24/2008, -3/+7
Uh, this is about as ignorant a comment as they can get. A valid certificate is the only way to be absolutely sure you are connected to the site you think you are. With self-signed certificates you have no way of knowing if you are falling to a man in the middle attack or DNS poisoning.
- fryguy1013, on 08/24/2008, -0/+4
I think someone learned big words and doesn't understand them too. However, I think that person is you. Let me explain what he means.
Some assumptions:
bankofamerica.com is located at 12.34.56.78, and has an SSL certificate that has been signed by VeriSign.
The attacker machine is located at 66.66.66.66.
The user's DNS server is at 98.76.54.32, and has been poisoned by the attacker machine.
The user decides he wants to go to bankofamerica.com, so he types in https://www.bankofamerica.com. His operating system requests the IP address for the server; however, the DNS has been poisoned, so instead of sending 12.34.56.78, the user's browser connects to 66.66.66.66 and says "give me bankofamerica.com, over SSL". The attacker machine generates an SSL certificate and says "OK, here's the SSL certificate. I've signed it myself, but I'm valid for www.bankofamerica.com." Then it requests the web page from www.bankofamerica.com and forwards it to the user, over SSL. Note that all traffic from the attacking machine is perfectly secure, as is the traffic from the attacker's machine. The only people that have it are the user, the bank, and the attacker.
If Firefox is configured to only allow certificates that are signed, then this wouldn't be possible, because the attacker couldn't do that unless they broke in to a certificate authority and got the private key needed to generate certificates, which would be a very bad thing. And much more difficult to do.
- init100, on 08/24/2008, -0/+4
I agree that the behavior is appropriate for certificates that have expired, but I don't agree that the behavior is appropriate for self-signed certificates. Since Firefox happily accepts unsecured connections, it should accept self-signed certificates too. They could even show an information bar (like the remember password bar) saying that the certificate isn't signed by a "trusted" certificate authority.
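The scenario fryguy1013 lays out above, as an added example that is not part of the original thread: Go's standard crypto/x509 package builds a constructed root CA and four certificates in memory, then applies the checks a browser applies (validity window, host name, chain to a trusted root) to each. The CA name "root-ca.example", the look-alike host "bankofamerica.example", the key type and the validity dates are assumptions; nothing is contacted over the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a cert for name signed by parent; a nil parent means self-signed, all the thread's attacker can make.
func issue(name string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().AddDate(-1, 0, 0), NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		DNSNames: []string{name}, // browsers match the host against the SAN list, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed: the template vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// scenarios runs the checks a browser applies (validity window, name, chain to a trusted root) on the thread's cases.
func scenarios() map[string]error {
	now := time.Now()
	root, rootKey := issue("root-ca.example", true, now.AddDate(10, 0, 0), nil, nil) // constructed CA
	roots := x509.NewCertPool()
	roots.AddCert(root)
	const bank = "www.bankofamerica.com" // host from fryguy1013's example; nothing is contacted
	check := func(c *x509.Certificate) error {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: bank, CurrentTime: now})
		return err
	}
	legit, _ := issue(bank, false, now.AddDate(1, 0, 0), root, rootKey)
	mitm, _ := issue(bank, false, now.AddDate(1, 0, 0), nil, nil) // attacker's self-signed copy
	lookAlike, _ := issue("bankofamerica.example", false, now.AddDate(1, 0, 0), root, rootKey)
	expired, _ := issue(bank, false, now.AddDate(0, -1, 0), root, rootKey)
	return map[string]error{
		"ca-issued": check(legit), "self-signed": check(mitm), // nil; x509.UnknownAuthorityError
		"look-alike": check(lookAlike), "expired": check(expired), // x509.HostnameError; expired
	}
}
```

The CA-issued certificate passes, the attacker's self-signed copy is rejected as signed by an unknown authority even though its name matches, the look-alike fails the host-name check, and the expired one fails on the validity window: that is the gap between "encrypted" and "encrypted to the right party" the thread argues over.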
- volve, on 08/24/2008, -0/+4
Recently I've been looking around, and I haven't seen any that provide identity validation for less than $250/year, which seems rather steep.
GoDaddySSL.com seems to have the cheapest single-domain SSL certs for, I think, $25/year, but I'd love for someone to point me to where they're going for "$7-10/year", because it keeps being thrown around as the price point but I sure as hell can't find it.
(And I don't know if I'd trust GoDaddy for my CA...)
- mohsenxp, on 08/24/2008, -0/+4
Perhaps you're right. I am starting to think it's an add-on issue since not many people are reporting the same problems as me.
- taseedorf, on 08/24/2008, -3/+7
7 bucks a year? Try a few thousand.
- TheGuruStud, on 08/24/2008, -1/+5
B/c almost everything is unencrypted... where have you been?
- bshep, on 08/24/2008, -0/+3
Go to about:config and change: browser.xul.error_pages.expert_bad_cert
More info here: http://kb.mozillazine.org/Browser.xul.error_pages. ...
- Fergy, on 08/24/2008, -1/+4
Why didn't you mention the name of the extension in your reaction?
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam.
- HigherLogic, on 08/24/2008, -0/+3
@comrade693: You're right, my mistake on that one!
- comrade693, on 08/24/2008, -0/+3
Sure, the data is encrypted. But *who* is the data encrypted to? You can guess it's the right place, but you cannot be certain. This is why this is an error.