[Gllug] Polipo - Was: Caching youtube videos

Stuart Children stuart at terminus.co.uk
Mon Oct 6 19:42:26 UTC 2008


On Mon, Oct 06, 2008 at 11:48:32AM +0100, Richard Jones wrote:
> Sorry, I missed the best bit there.  If I click on this, I get a popup
> which says:
> 
>   You should not add an exception if you are using an internet
>   connection that you do not trust completely or if you are not used to
>   seeing a warning for this server.
> 
>     [ GET ME OUT OF HERE! ]  [ ADD EXCEPTION ... ]

Yes, and if you follow the add exception process through, the certificate 
(and the fact that you trust it) is stored and on next visits you go straight 
through with nary a word. Is that not the case? Yet in your original email 
you said:

> The recent change to Firefox 3
> where it now refuses to go to sites that have self-signed certificates

Maybe you meant it differently, but that sounds to me like there is no way to
visit those sites - which is not true. You also said:

> Instead it should act like ssh -- show the key when you first visit a
> site, show nothing on subsequent visits unless the key changes.

Which I think it does. Now this:

$ ssh blah.example
The authenticity of host 'blah.example (10.1.2.3)' can't be
established.
RSA key fingerprint is aa:bb:some:more:hex.
Are you sure you want to continue connecting (yes/no)?

I will happily agree is far more succinct, less scare-mongering, simpler, yet
accurate. Still, the basic flow is the same.

> This is utterly ass-backwards.  Why don't I get a stronger warning
> when I visit an unencrypted page?

I didn't make any comment on that. To answer though, in an ideal world I
agree it should. Being more pragmatic however, it's because the vast majority 
of the web is HTTP and there is no meaningful way to add a trust. People also 
think HTTPS == can be trusted, which you and I know is not the whole story.
We can make informed decisions on what to do - most people can't. So Firefox 
has made a compromise. I do think the wording is too extreme, and that we
would be better off long-term educating people; but I understand their 
reasoning. Personally I find being prompted when I hit a new SSL cert, but 
not on ones I have previously verified and trusted, an improvement on 
Firefox's previous behaviour.

-- 
Stuart
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
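
The ssh-style flow discussed in this message (prompt on first visit, silence on later visits, a warning only when the key changes), as an added example that is not part of the original post and is neither Firefox's nor OpenSSH's code. The `TofuStore` class, the `pins.json` file name and the certificate byte strings are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile


class TofuStore:
    """Trust-on-first-use pins: "host:port" -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_cert):
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host, port, der_cert):
        """'unknown' = first visit (prompt), 'match' = stay silent, 'changed' = warn."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown"
        return "match" if pinned == self.fingerprint(der_cert) else "changed"

    def trust(self, host, port, der_cert):
        """Persist the user's explicit decision; check() never calls this itself."""
        self.pins[f"{host}:{port}"] = self.fingerprint(der_cert)
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)  # atomic swap so a crash cannot truncate the pins


def demo():
    # Constructed stand-ins for DER bytes; a real client would pass the result of
    # ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a, cert_b = b"constructed-der-bytes-A", b"constructed-der-bytes-B"
    with tempfile.TemporaryDirectory() as d:
        store = TofuStore(os.path.join(d, "pins.json"))
        first = store.check("blah.example", 443, cert_a)     # never seen before
        store.trust("blah.example", 443, cert_a)             # user adds the exception
        later = TofuStore(store.path)                        # a later session
        second = later.check("blah.example", 443, cert_a)    # same certificate
        third = later.check("blah.example", 443, cert_b)     # certificate changed
    return first, second, third


if __name__ == "__main__":
    print(demo())
```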



