PaulDotCom mailing list archives

SSL Encryption and HTML

From: paul at pauldotcom.com (Paul Asadoorian)
Date: Wed, 29 Oct 2008 06:46:08 -0400

> I would advocate for the browsers to issue a warning (error maybe) when
> a self signed certificate was used to identify a service in addition to
> the warnings if a certificate was signed by an unknown/untrusted CA.

They do, and users click right through them.  However, the Firefox and
IE warnings have gotten better and harder to click through.

> Concerning Extended Validation (EV) certificates, that's just a hoax:
> Google for "Faking Extended Validation SSL Certificates in Internet
> Explorer 7" and you should find a PDF document that describes how it works.
>
> In essence you can make your own certificates with EV and hit the green
> light.

Yes, EV has its problems, as I alluded to in calling it only a thin layer.
That paper is from last year though and only references IE 7 as being
vulnerable. Has this bug been fixed (I did not have the chance to
validate that it had)?  Is it possible to create a fake EV cert that
will trick Firefox?

Cheers,
Paul

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
