From: Robert Rothenberg
Date: 16:02 on 18 Dec 2007
Subject: username.hates-software.com hate

https://username.hates-software.com/

vs

http://username.hates-software.com/

Of all things the former came up on Google searches.
From: Peter da Silva
Date: 16:23 on 18 Dec 2007
Subject: Re: username.hates-software.com hate

On 2007-12-18, at 10:02, Robert Rothenberg wrote:
> https://username.hates-software.com/

Cool! Self-signed *and* wrong address! Two hates for the price of one!

Peter da Silva
peter@xxxxxxx.xxx
From: Phil Pennock
Date: 18:52 on 18 Dec 2007
Subject: Re: username.hates-software.com hate

On 2007-12-18 at 10:23 -0600, Peter da Silva wrote:
> On 2007-12-18, at 10:02, Robert Rothenberg wrote:
>> https://username.hates-software.com/
>
> Cool! Self-signed *and* wrong address! Two hates for the price of one!

Don't worry, those problems will soon be Interesting.

Switching hate: Firefox 3.0b1

Okay, the certificate is self-signed or has expired or whatever. I know, I'm not going to give any confidential data to them, their site just requires SSL, now let me in.

Most browsers, you just click the little "I know what I'm doing" OK button, which for most users is the "Pwn Me" button as you just disable all MitM protection. Okay, most users just click OK without reading the text so you need to move away from that model, fair enough.

Firefox 3 requires you to explicitly whitelist, with a couple of confirmations, the site as having a bad cert before letting you in. Won't really let you _look_ at the cert to see why it's bad. Won't let you do a one-shot ("I'm browsing, search engine suggested this site, I really don't know if it should have a broken cert or not, so why should I explicitly allow it to always be broken henceforth?"). No option that I can see in about:config or elsewhere for "I understand PKI, why and how it's broken and how lame this whole set-up is, I can make an informed assessment, let me visit the damned site with at most one click-through warning instead of having to open a security hole by setting a configuration policy _without even knowing anything about the site and how sensible this might be_: I know if it really requires server identity verification _after_ I've used it."

So, self-signed problems will go soon.

Oh, and loathe wget(1) for not understanding subjectAltName DNS items and barfing because the main name doesn't match the host portion of the URL. Even if that idiocy were fixed now, it'd take years to percolate out to enough client systems.

*sigh*
-Phil
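The subjectAltName complaint above is about how a client decides whether a certificate is for the host in the URL. The following is an added example, not code from the thread, from wget or from Firefox: it matches a host against the DNS entries of subjectAltName when any are present and falls back to the subject commonName only when none are, which is the behaviour Phil says wget lacked. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the function names are this example's own.

```python
"""SAN-aware hostname matching (added example).

Rule demonstrated: if the certificate carries DNS entries in subjectAltName,
the URL host is checked only against those; the subject commonName is
consulted only for legacy certificates that have no DNS SAN at all.
Wildcards are honoured only as the whole leftmost label (RFC 6125 style).
"""
from typing import List, Tuple

# Constructed sample: CN names the bare domain, but a SAN entry covers the
# username.* host, so the match should succeed via subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "hates-software.com"),),),
    "subjectAltName": (
        ("DNS", "hates-software.com"),
        ("DNS", "*.hates-software.com"),
    ),
}

# Constructed sample: legacy certificate with no SAN, commonName only.
CN_ONLY_CERT = {
    "subject": ((("commonName", "username.hates-software.com"),),),
}


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly '*.example') against a host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard covers exactly one label and never a public-suffix-sized name
    # such as '*.com'; the remaining labels must agree exactly.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> Tuple[List[str], str]:
    """Return the names a host may be checked against and which field supplied them."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, "subjectAltName"
    cns = [value for rdn in cert.get("subject", ()) for (key, value) in rdn
           if key == "commonName"]
    return cns, "commonName"


def hostname_matches(cert: dict, host: str) -> bool:
    """True when the URL host is covered by the certificate's DNS names."""
    names, _source = cert_names(cert)
    return any(_name_matches(name, host) for name in names)


if __name__ == "__main__":
    for cert, label in ((SAN_CERT, "SAN cert"), (CN_ONLY_CERT, "CN-only cert")):
        names, source = cert_names(cert)
        print(label, "checked via", source, names,
              "->", hostname_matches(cert, "username.hates-software.com"))
```

Note the asymmetry the example makes explicit: once a certificate has a DNS SAN, a matching commonName is ignored, so a client that only reads the CN both rejects valid SAN certificates (wget's failure mode here) and, worse, may accept a certificate whose SAN entries never named the host at all.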
From: Peter da Silva
Date: 20:50 on 18 Dec 2007
Subject: Re: username.hates-software.com hate

On 2007-12-18, at 12:52, Phil Pennock wrote:
> Firefox 3 requires you to explicitly whitelist, with a couple of
> confirmations, the site as having a bad cert before letting you in.

That is hateful in all kinds of ways. Look, the real problem is that SSL mixes up authentication with encryption. Yes, yes, I know the arguments about WHY it's like that, I happen to disagree with them: in most cases what you really want to know is "has the certificate for this site I care about changed unexpectedly". And SSL doesn't really do that: if someone creates a new certificate for a site, as long as it's signed the browser won't mention it. But at least you can say "Yes, I know that they're not using the PKI infrastructure, now keep going".

> Won't really let you _look_ at the cert to see why it's bad.

Ah, like when Microsoft "fixed" the Word macro autorun bug... but if you disable the autorun macro you can't look at it, and if you want to be able to look at it you've gotta let it pwn you.

WHAT IS SO HARD TO UNDERSTAND HERE?

Hate.
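The check Peter says he actually wants, "has the certificate for this site changed unexpectedly", is a trust-on-first-use (TOFU) pin rather than a chain validation. The following is an added example, not part of the thread and not how Firefox 3 behaves: it records a SHA-256 fingerprint of the DER certificate per host on first contact, reports later contacts as unchanged or changed, and re-pins only on an explicit decision. The certificate bytes are constructed placeholders; the class and method names are this example's own.

```python
"""Per-host certificate pinning with trust on first use (added example).

In a real client the DER bytes would come from
ssl.SSLSocket.getpeercert(binary_form=True) after the handshake; here they
are constructed placeholder byte strings so the logic runs offline.
"""
import hashlib
from typing import Dict, Optional

FIRST_SEEN = "first-seen"   # host not pinned before; pin recorded now
UNCHANGED = "unchanged"     # presented cert matches the stored pin
CHANGED = "changed"         # presented cert differs from the stored pin


def fingerprint(der_cert: bytes) -> str:
    """Stable identity for a certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps host name to the fingerprint of the certificate first seen there."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, der_cert: bytes) -> str:
        """Classify this contact; pins on first sight, never silently re-pins."""
        fp = fingerprint(der_cert)
        known: Optional[str] = self._pins.get(host.lower())
        if known is None:
            self._pins[host.lower()] = fp
            return FIRST_SEEN
        return UNCHANGED if known == fp else CHANGED

    def accept_change(self, host: str, der_cert: bytes) -> None:
        """Replace the pin after the user has looked at the new cert and agreed."""
        self._pins[host.lower()] = fingerprint(der_cert)

    def pinned(self, host: str) -> Optional[str]:
        return self._pins.get(host.lower())


if __name__ == "__main__":
    store = PinStore()
    host = "username.hates-software.com"
    old_cert = b"constructed-placeholder-der-bytes-1"   # not a real certificate
    new_cert = b"constructed-placeholder-der-bytes-2"   # not a real certificate
    print(store.check(host, old_cert))   # first-seen
    print(store.check(host, old_cert))   # unchanged
    print(store.check(host, new_cert))   # changed: surface the cert, do not just proceed
```

The point of separating `check` from `accept_change` is the one both messages circle: a changed certificate is reported as a distinct event that the user can inspect before deciding, instead of being folded into a single "add a permanent exception" button. A CA-signed replacement certificate, which chain validation would accept without comment, shows up here as `changed` just as a self-signed one would.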
Generated at 12:28 on 17 Feb 2008 by mariachi