Comments on: TODO: Break Internet http://blog.johnath.com/2007/10/11/todo-break-internet/ johnath in blog form Thu, 26 Jan 2012 13:11:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: meandering wildly » SSL Error Pages in Firefox 3.1 http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-211417 meandering wildly » SSL Error Pages in Firefox 3.1 Thu, 06 Nov 2008 17:36:04 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-211417 [...] the security indicators) instead of blocking them.  As I mentioned when we introduced these pages, that punishes people with safe habits, and lets them get victimized by the man in the middle attacks that are getting much easier to pull [...] [...] the security indicators) instead of blocking them.  As I mentioned when we introduced these pages, that punishes people with safe habits, and lets them get victimized by the man in the middle attacks that are getting much easier to pull [...]

]]> By: ClayRabbit http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-206589 ClayRabbit Thu, 25 Sep 2008 11:19:15 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-206589 I don't want to go through few clicks and windows every time I entering one of my servers or devices (which have self-signed certificates because we just don't need any identity verification at this place). I don't need such stupid "features" added for idiots who don't know what they do when clicking a buttons. So while I can't get usable behavior with FF3 I just forced to switch back to FF2 or another _more usable_ browser. Even IE7 have less paranoid (and still usable) behavior. I don’t want to go through few clicks and windows every time I entering one of my servers or devices (which have self-signed certificates because we just don’t need any identity verification at this place). I don’t need such stupid “features” added for idiots who don’t know what they do when clicking a buttons. So while I can’t get usable behavior with FF3 I just forced to switch back to FF2 or another _more usable_ browser. Even IE7 have less paranoid (and still usable) behavior.

]]> By: jpsykes » Blog Archive » Firefox’s Invalid Security Certificate http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-183783 jpsykes » Blog Archive » Firefox’s Invalid Security Certificate Mon, 07 Jul 2008 20:16:32 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-183783 [...] found one of the devs on Mozilla had an awesome blog post about the original bug. Included in it was this priceless screen shot showing the old popup and [...] [...] found one of the devs on Mozilla had an awesome blog post about the original bug. Included in it was this priceless screen shot showing the old popup and [...]

]]> By: Johnath http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-172569 Johnath Sun, 08 Jun 2008 03:24:58 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-172569 @CPScott - For reasons that I should hope are obvious, I don't exactly advertise it, but you might find this addon makes your life easier. https://addons.mozilla.org/en-US/firefox/addon/6843 @CPScott – For reasons that I should hope are obvious, I don’t exactly advertise it, but you might find this addon makes your life easier.

https://addons.mozilla.org/en-US/firefox/addon/6843

]]> By: CPScott http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-172525 CPScott Sat, 07 Jun 2008 22:35:19 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-172525 Thanks for the post. One problem I have, is that I work for a hardware appliance manufacturer, and on a daily basis, I have multiple workstations connecting to multiple new devices that just came up with a self signed certificate. Every new OS load means a new, generated self-signed cert. I'd like to find a plugin or option that allows insecure certs on a range of addresses, whether RFC1918 addresses only, or something like that, so that I can just get on with configuring my test hosts, and not have to worry about the security. I know the sites are insecure, and it drives me batshit crazy trying to get the new box up and running to get a base configuration on it, including using openssl to create a new cert from a local CA on my workstation. Please make this feature more flexible. Please. I get it in an end-user environment, but not in a QA or Manufacturing facility. I know we're a 1% minority of the community, but if Mozilla wants us to test the product with their browser, it shouldn't hurt so much to bring up a test site. Thanks for the post. One problem I have, is that I work for a hardware appliance manufacturer, and on a daily basis, I have multiple workstations connecting to multiple new devices that just came up with a self signed certificate. Every new OS load means a new, generated self-signed cert.

I’d like to find a plugin or option that allows insecure certs on a range of addresses, whether RFC1918 addresses only, or something like that, so that I can just get on with configuring my test hosts, and not have to worry about the security. I know the sites are insecure, and it drives me batshit crazy trying to get the new box up and running to get a base configuration on it, including using openssl to create a new cert from a local CA on my workstation.

Please make this feature more flexible. Please. I get it in an end-user environment, but not in a QA or Manufacturing facility. I know we’re a 1% minority of the community, but if Mozilla wants us to test the product with their browser, it shouldn’t hurt so much to bring up a test site.

]]> By: The Gacko http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-160247 The Gacko Wed, 30 Apr 2008 15:05:29 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-160247 Excellent Post. Ive been looking for any article that explained the self-signed cert issue etc in ahhh proper english and clearly outlined the pro's and cons's and why browsers work that way blah blah.. reallly helped. Excellent Post. Ive been looking for any article that explained the self-signed cert issue etc in ahhh proper english and clearly outlined the pro’s and cons’s and why browsers work that way blah blah.. reallly helped.

]]> By: Mobwairetharie http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-105961 Mobwairetharie Wed, 05 Dec 2007 23:05:13 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-105961 hm.. nice post man. hm.. nice post man.

]]> By: Kragen Sitaker http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-95006 Kragen Sitaker Sun, 11 Nov 2007 06:53:00 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-95006 I second Iang's comments. It's absolutely insane that browsers make it appear that using encryption to talk to a web site --- if it isn't certified by Verisign --- is more dangerous than talking to the same web site without encryption. I second Iang’s comments. It’s absolutely insane that browsers make it appear that using encryption to talk to a web site — if it isn’t certified by Verisign — is more dangerous than talking to the same web site without encryption.

]]> By: Anonymous http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-94219 Anonymous Fri, 09 Nov 2007 19:47:09 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-94219 I will further second the complaint about treating self-signed certificates as an error. SSL exists to provide encryption, and sucks massively as an identity protocol. An SSL cert means two things to me: encryption occurs, and money changed hands. That second one doesn't mean "identity", no matter how much people might think it does. Witness the various documented cases of people obtaining SSL certificates for well-known business names. I will further second the complaint about treating self-signed certificates as an error. SSL exists to provide encryption, and sucks massively as an identity protocol. An SSL cert means two things to me: encryption occurs, and money changed hands. That second one doesn’t mean “identity”, no matter how much people might think it does. Witness the various documented cases of people obtaining SSL certificates for well-known business names.

]]> By: Goolic http://blog.johnath.com/2007/10/11/todo-break-internet/comment-page-1/#comment-86680 Goolic Sun, 21 Oct 2007 06:44:47 +0000 http://blog.johnath.com/index.php/2007/10/11/todo-break-internet/#comment-86680 I´m sorry but I don´t have time to see if this was already suggested. Why don't use a IE like page that when clicking "Continue to this website (not recommended)" will led the user to a page that reads in big read letters "By entering this site some attacker can take the data you enter on the website". And make the user wait like 3 seconds for the first 3 times he tries to enter the site. Later just the warning appears. Seems a good trade off between making users aware/angry... I´m sorry but I don´t have time to see if this was already suggested.

Why don’t use a IE like page that when clicking “Continue to this website (not recommended)”
will led the user to a page that reads in big read letters “By entering this site some attacker can take the data you enter on the website”. And make the user wait like 3 seconds for the first 3 times he tries to enter the site. Later just the warning appears.

Seems a good trade off between making users aware/angry…

]]>