
What do I need these certificates for? I need them because browsers have started equating a vanilla http server to a malware-infested North Korean honeypot.

dspillett
> browsers have started equating a vanilla http server to a malware-infested North Korean honeypot

It isn't that they are equal, just that it is difficult to tell them apart. The change over time is that UAs have more and more erred on the side of not trusting when there is any question.

Of course HTTPS sites with valid certificates could also be malware-infested hot zones, but it is less likely. Sites with invalid certs are more likely to be a problem than those with no cert (the situation might imply a DNS poisoning issue, for instance), and sites with no cert are a higher risk than those with a valid one.

At least we seem to have dropped the EV cert theatre; the extra checks done before issuing one of those were so easy to fake or work around in many cases that they essentially meant nothing [source: in DayJob we once had an EV cert for a client instance, and I know how easy it was to get because I was the person at our end who applied for it and installed it once issued].

immibis
Have they? All I see is a little message saying "not secure". They've backtracked from trying to impose a scare screen, and they've even backtracked from displaying a red line through the letters "http".

They've also blocked JavaScript access to things like cameras and microphones if you're not using HTTPS. If it were up to me they'd always block them and you'd have to install an app, but still.
