Hmmm… well, I see what you are saying, but at a high level there has to be a flaw here somewhere. Consider the open HTTP site. And consider a totally secured site over SSL (plus all the goodies we can throw in). If we call one end “totally insecure” and the other end “totally secure,” and put all the other options in-between, then they must be … somewhere in-between.

Possibly, the assumption that traps us here is that self-signed certs have to be placed in either the “insecure” basket or the “secure” basket. This is a false choice, more reasonably, the self-signed cert lives somewhere in the middle, in its own possibly poor box (better than open HTTP as it defeats all passive listening but not as good as better options, perhaps).

Certainly if you were to treat self-signed certs as “good as CA-signed” that would open a new attack vector. But that’s a failure of assumptions, there are more than 2 choices, as aptly shown by recent green additions.

What would be more of a present, today, argument is that the whole security UI area is so mired in history, polemic, and security failure that adding in a new basket now might just cause more trouble than it’s worth. Then, as perhaps you suggest, KCM is a good way of overcoming the combined weight of history, etc, because it does force an entirely new security UI on the user, which therefore wipes the slate clean of old attack vectors (letting new ones be written on the slate, of course…).

> Sure it can, it’s called phishing?! Maybe we are talking about different things here; but
> the usage of http no-cert pages to pretend to be a https site is well established, and far
> outweighs the use of HTTPS to MITM other HTTPS sites.

Yes, we are absolutely in agreement that the vast majority of phishing these days has no need for https at all, since the indicators, or their absence, are not enough on their own to prevent such a thing. But letting self-signed certs through quietly without KCM creates a new attack vector. It lets people MitM https sites without needing victims to fall for a phish – they can type the address in themselves, or use a trusted bookmark, and STILL have a site masquerade at the real one.

When self-signed certs are untrusted by default, this attack is mitigated, since only a CA-signed cert will be taken as valid, but it introduces the unfortunate side effect that sites with the desire to secure communications without establishing an identity have a relatively more painful first experience. KCM makes that better, and I wish we could have gotten there from here in one release, instead of two, but it is still my hope that we will get there.

I’ve heard people complain that KCM still lets a MitM attack through in the case where a) a user types in the full https url, and b) the user has never been the site before. Sure, that’s possible, but I think that trading that off against the convenience of self-signed certs is a lot more palatable than the trade-off originally suggested above, where we just let them all through and cross our fingers that SSL-based MitM attacks stay rare.

> Yup, because a page without a certificate at all can’t MitM an https URL

Sure it can, it’s called phishing?! Maybe we are talking about different things here; but the usage of http no-cert pages to pretend to be a https site is well established, and far outweighs the use of HTTPS to MITM other HTTPS sites.

Do you mean that the “using TLS” indicators (padlock, domain, CA, yellow URL) can’t be mimiced by the http no-cert page? I would demur, “absence of indicators” is a poor security tool because the … the user can’t see them to be reminded that they should be there. And, the security context is defined by what the user sees and can be fooled by, not by the security architect defining where the protection stops…

KCM / petnames / secure bookmarks is the best answer I know to MITMs, yes. If not KCM, stick the CA name on the chrome, change the entire look & feel for all cert use (whole thing yellow, or even different colours per CA), and try and move more traffic to TLS via SNI. Yes, I know Firefox has done the latter part, thanks!