Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Marsh Ray <marsh@extendedsubset.com>]

On 06/30/2010 04:14 PM, aerowolf@gmail.com wrote:
>
> On Tue, Jun 29, 2010 at 12:13 PM, Marsh Ray <marsh@extendedsubset.com>
> wrote:
>> First of all, count me as one who thinks Ivan's work is really cool.
>>
>> On 06/29/2010 01:29 PM, Ivan Ristic wrote:
>>>
>>> The problem with that view is that, while the users are experiencing
>>> all those sites with invalid certificates they are getting used to the
>>> idea that nothing bad comes from browser warnings.
>>
>> But we don't know that, do we?
>
> Yes, actually we do.

I think I got a bit out of context there. Serves me right for being curt.

I intended to mean "the data collection methodology does not allow us to 
accurately relate a cert validation failure for a hostname chosen 
arbitrarily from the sample set with a user experiencing an invalid cert 
warning in their browser."

> There are several specific cases that exist in
> Mozilla's bug database, including one from a woman who was continuously
> MITM'd for every site she went to from a particular publicly-accessible
> wireless access point. She clicked through all the warnings, thinking
> that they were problems with Firefox, when Firefox was indeed providing
> her with valid and appropriate warnings.

Has no one else used a net connection from a library or a hotel? They 
try to MitM me every time. I saw a guy using the web on the plane. The 
airline's ISP was inserting javascript into his HTTP stream to inject 
frames and pop-up ads on every page. It's pretty easy to estimate what 
the chances are that that's not introducing any new security holes.

Thankfully SSL/TLS is there for me and, rather than pulling off a 
successful MitM, hotels are forced to simply block port 443 until I pull 
up their sign-on page via port 80. If it were not for CAs (bless their 
hearts) there would be no way I could connect securely to a site I 
hadn't previously negotiated a shared secret with.

- Marsh