Is it secure or not?

Submitted by gwolf on Wed, 06/25/2008 - 10:11
Is it secure or not?

Firefox 3 allowed me to grant an exception on a self-signed SSL certificate for penta.debconf.org. The connection is crypted... But it seems Firefox does not realize it

( categories: )
Anonymous's picture

True, "Not encrypted" is

True, "Not encrypted" is wrong, and "partially encrypted" would better describe the connection.

But because the browser gets the images/css through a plaintext link, a lot of information can/will leak:
- the adress of the https page will be available in the clear (broweser submits it in the referer field)
- if the site encodes login&passwd in the URL (..?id=123&pass=456), this infocmation is available in plaintext too.

So, it may well be a lot safer to just encrypt the whole connection. So mutch so, that I can even understand firefox reports it as 'not encrypted'.

(I'm with you on the stupid 'do you really wan tot connect to the scammers that didn't pay big bucks to ssl cert providers, though)