On Mon, 31 Mar 2014 23:23:07 +0000, Carlos E. R. wrote:
> On 2014-04-01 00:30, Jim Henderson wrote:
>> On Mon, 31 Mar 2014 21:23:07 +0000, Carlos E. R. wrote:
>
>
>> I didn’t say that it /doesn’t/ happen, I said that it /shouldn’t/ happen,
>> and when it does, the owners of the website need to be told that
>> they’re risking their customers’ security, because they are.
>
> Oh, they know! And they don’t care.
Then maybe it’s time to get it reported in the press.
Either way, I repeat what I said before: They /shouldn’t/ do that. That
doesn’t mean it doesn’t happen.
>> Of course there are broken sites on the Internet - I never claimed that
>> there weren’t. I merely said that the site owners should be notified -
>> repeatedly if necessary - if they’re doing security wrong, because
>> they’re creating a risk for their users.
>
> Well, as I said, Novell is using self signed certificates on some of
> their sites, where the software we use is created and maintained
Well, and again, they shouldn’t really be doing that, so send feedback on
the website. There’s a “contact us” link at the bottom of each page. Or
provide that info in a PM here, and I’ll pass it along. If that’s
happening, it shouldn’t - and they /should/ know better. It’s not like
they don’t have actual valid certificates with a valid trust chain back
to a public CA.
> The idea is that once you accept one of these certificates, the user can
> detect a change or an intercept later on. But of course, when that
> happens, the user might simply accept the change too…
I’ve been doing identity/security stuff for nearly two decades now - I do
know how this works. I’ve generated self-signed certificates myself for
my own identity stores, both in production (but not for external websites
- because that’s not how you /do/ that) and in the lab.
You’re not explaining this to some neophyte who’s unaware of how things
are done.
Jim
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
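Carlos’s point about accepting a self-signed certificate once and then detecting a change later is a trust-on-first-use (key continuity) check. The following is an added example of that check, not code from either poster or from openSUSE/Novell; it assumes the peer certificate is available as DER bytes, and the sample “certificates” are constructed byte strings standing in for real DER blobs.

```python
import hashlib
from typing import Dict, Tuple

# Trust-on-first-use store: hostname -> SHA-256 fingerprint of the DER certificate.
# A real client would persist this (like ~/.ssh/known_hosts); here it is in memory.
TrustStore = Dict[str, str]

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the raw DER bytes, formatted the way browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_tofu(store: TrustStore, host: str, der_cert: bytes) -> Tuple[str, str]:
    """
    Returns (verdict, fingerprint). Verdicts:
      'first-use' - nothing pinned for this host yet; the user has no basis to judge it.
      'match'     - same certificate as last time.
      'changed'   - a different certificate: could be an intercept or a legitimate
                    renewal. The check cannot tell these apart, which is the weakness
                    of self-signed certificates: the safe action is to stop, not accept.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        return "first-use", fp
    if pinned == fp:
        return "match", fp
    return "changed", fp

def pin(store: TrustStore, host: str, der_cert: bytes) -> str:
    """Record the certificate seen on first use and return its fingerprint."""
    fp = fingerprint(der_cert)
    store[host] = fp
    return fp

# Constructed sample "certificates" (not real DER); any distinct bytes show the logic.
CERT_A = b"constructed-der-cert-A"
CERT_B = b"constructed-der-cert-B"

if __name__ == "__main__":
    store: TrustStore = {}
    print(check_tofu(store, "example.test", CERT_A))  # ('first-use', ...)
    pin(store, "example.test", CERT_A)
    print(check_tofu(store, "example.test", CERT_A))  # ('match', ...)
    print(check_tofu(store, "example.test", CERT_B))  # ('changed', ...)
```

The ‘changed’ verdict is only useful if the client refuses the connection rather than silently re-pinning; a client that re-pins on every change reduces the check to nothing, which is exactly the case the thread describes.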