Firefox 3 allowed me to grant an exception on a self-signed SSL certificate for penta.debconf.org. The connection is crypted... But it seems Firefox does not realize it
Submitted by Anonymous (not verified) on Thu, 06/26/2008 - 07:15.
True, "Not encrypted" is wrong, and "partially encrypted" would better describe the connection.
But because the browser gets the images/css through a plaintext link, a lot of information can/will leak:
- the adress of the https page will be available in the clear (broweser submits it in the referer field)
- if the site encodes login&passwd in the URL (..?id=123&pass=456), this infocmation is available in plaintext too.
So, it may well be a lot safer to just encrypt the whole connection. So mutch so, that I can even understand firefox reports it as 'not encrypted'.
(I'm with you on the stupid 'do you really wan tot connect to the scammers that didn't pay big bucks to ssl cert providers, though)
True, "Not encrypted" is
True, "Not encrypted" is wrong, and "partially encrypted" would better describe the connection.
But because the browser gets the images/css through a plaintext link, a lot of information can/will leak:
- the adress of the https page will be available in the clear (broweser submits it in the referer field)
- if the site encodes login&passwd in the URL (..?id=123&pass=456), this infocmation is available in plaintext too.
So, it may well be a lot safer to just encrypt the whole connection. So mutch so, that I can even understand firefox reports it as 'not encrypted'.
(I'm with you on the stupid 'do you really wan tot connect to the scammers that didn't pay big bucks to ssl cert providers, though)
Post new comment