On Wed, Dec 14, 2011 at 02:04:37PM +0100, rey sebastien wrote:
[browsers don't trust certificates they haven't been told to trust]
> Is there any solution to bypass this problem? With another type of
> self-signed certificate which needs no CA? Or contains the CA, I don't
> know?

That would be like taking the front door off of your house because you're tired of unlocking it every day.

A self-signed certificate is, essentially, its own CA. (Every "root" CA certificate is self-signed.) Browsers come with lists of CAs' certificates which they are "told" to trust out-of-the-box. If the browser encounters a certificate which is not in that list, and which is not signed by some unbroken chain of certificates which leads back to a certificate in that list, then it complains, because it has no way to know that you trust that certificate. If you tell the browser to trust that certificate, the browser will thereafter assume that you know your own business and will not complain about it anymore.

The dialog is asking: whom do you trust? If it were possible for a website to evade this, SSL/TLS would be useless for verifying that you are talking to the website you think you are. The conversation would still be encrypted, but having an encrypted conversation with an unknown party doesn't sound secure to me.

--
Mark H. Wood, Lead System Programmer   mwood@xxxxxxxxx
Asking whether markets are efficient is like asking whether people are smart.
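The chain-of-trust check described in the message above, as an added example that is not part of the original post. It is a simplified model: `Cert`, `make_key`, `issue` and `validate` are hypothetical names, the certificates are plain records rather than X.509, and the signatures are toy textbook RSA with constructed keys.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):
    """Toy textbook RSA from two primes: returns (n, e, d). Not secure."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

@dataclass(frozen=True)
class Cert:                      # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    pub: tuple                   # (n, e) of the subject's key
    sig: int = 0                 # issuer's signature over the other fields

def digest(c, n):
    tbs = f"{c.subject}|{c.issuer}|{c.pub}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    n, _, d = issuer_key
    unsigned = Cert(subject, issuer, subject_key[:2])
    return Cert(subject, issuer, unsigned.pub, pow(digest(unsigned, n), d, n))

def signed_by(c, parent):
    n, e = parent.pub
    return c.issuer == parent.subject and pow(c.sig, e, n) == digest(c, n)

def validate(leaf, presented, trust_store, max_depth=8):
    """True only if leaf is trusted or chains, signature by signature, to a trusted cert."""
    cur = leaf
    for _ in range(max_depth):
        if cur in trust_store:           # explicitly trusted: stop asking
            return True
        candidates = list(trust_store) + list(presented)
        cur = next((p for p in candidates if p != cur and signed_by(cur, p)), None)
        if cur is None:                  # chain is broken or ends at an unknown cert
            return False
    return False

# Constructed sample keys (Mersenne primes, chosen only because they are known primes).
K_ROOT = make_key(2**31 - 1, 2**61 - 1)
K_INTER = make_key(2**89 - 1, 2**107 - 1)
K_SITE = make_key(2**127 - 1, 2**521 - 1)
ROOT = issue("Root CA", K_ROOT, "Root CA", K_ROOT)             # self-signed root
INTER = issue("Intermediate CA", K_INTER, "Root CA", K_ROOT)
LEAF = issue("www.example.test", K_SITE, "Intermediate CA", K_INTER)
SELF = issue("intranet.example.test", K_SITE, "intranet.example.test", K_SITE)

if __name__ == "__main__":
    print(validate(SELF, [], {ROOT}), validate(SELF, [], {ROOT, SELF}))
    print(validate(LEAF, [INTER], {ROOT}), validate(LEAF, [], {ROOT}))
```

The self-signed certificate verifies against its own key in every case; what changes the outcome is only whether it has been placed in the trust store, which is the decision the browser dialog asks the user to make.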