Re: for the security minded web developer - secure way to login?

'Twas brillig, and Per Jessen at 16/02/09 13:49 did gyre and gimble:
> Colin Guthrie wrote:
>
>> Yeah the cheap CAs are IMO actually a problem.
>>
>> I (personally) think we should have a new system for this scenario:
>>
>> http:// = totally insecure
>> https:// = secure and to a reasonable degree of trust (e.g. no $12.00
>> certs!)
>> httpus:// = secure but no aspect of trust.
>
> Colin, I think you're mixing apples and oranges here - http(s) was never
> meant to provide any indication of "trust". Besides, how do you suggest
> we distinguish between CAs "with no trust" and CAs "with trust"?

Well you're probably right.

I appreciate that https doesn't provide "trust" by default, but ultimately that's how the Joe Bloggs public has been told to deal with it: "look for the padlock" etc. etc. to be sure that your session is secure, blah blah. Now with the HV certs the UI also has the company name in the URL, and this *is* going towards a trust infrastructure.

Perhaps where we should go is that even if the URL is https:// there is no UI change in the browser. Only if the cert is trusted by a CA should the browser UI change to indicate this in some way, with HV certs being explicitly indicated as such to increase the "trust" aspect.

That way you can use https + self-signed cert without getting any warnings, but also without any disadvantages.

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php