Linked by Thom Holwerda on Tue 25th May 2010 21:37 UTC
Google Looking at the past few week of Google news, you'll be forgiven for thinking Google doesn't do anything else beyond making Android. While there's sexier stuff going on within Google, the company is also still trying to improve its core user service: search. They've launched encrypted search today, and it will be rolled out across the world in the coming days.
Thread beginning with comment 426650
To view parent comment, click here.
To read all comments associated with this story, please click here.
Piranha
Member since:
2008-06-24

It's because a MITM attack is so much easier. An attacker could be placed in the middle, and hand you HIS self signed certificate, while connecting to the legit site on your behalf and read ALL your data (meaning the ssl is now useless). At least now with a limited number of signing authorities, it's damn near impossible to do this. If a certificate authority goes rogue, then the browsers just need to remove their root server.

Besides, Startcom provides FREE class 1 ssl certificates and are available in every major browser (except Opera, but I believe they fixed that now). My domain runs off it, and never receiving the "WARNING" when I switch computers or browsers is very reassuring.


If you don't want the warning prompts from your own self signed certificates, then just install your signing cert into your browser. However, it's quite a hassle to get visitors to your site if they all get the warning.

Reply Parent Score: 1

jabbotts Member since:
2007-09-06

Actually, third party certificate validation isn't as rock solid as people like to think either. Unless you pay the premium protection racket fee for cert that validates all the way back up the chain (usually involving a grand or two in fees and a background check) MITM is still mostly limited by being able to position one inbetween of the two stream ends.

Mix a little Dan Kaminski DNS magic with some Moxie Marlinspike SSL MITM and whammo!

So, it's still down to bit strength and strong cert validation.

Edited 2010-05-27 18:29 UTC

Reply Parent Score: 2