Is it secure or not?
Firefox 3 allowed me to grant an exception on a self-signed SSL certificate for penta.debconf.org. The connection is crypted… But it seems Firefox does not realize it
Attachments
Comments
Anonymous 2008-06-26 00:15:13
True, “Not encrypted” is
True, “Not encrypted” is wrong, and “partially encrypted” would better describe the connection.
But because the browser gets the images/css through a plaintext link, a lot of information can/will leak:
- the adress of the https page will be available in the clear (broweser submits it in the referer field)
- if the site encodes login&passwd in the URL (..?id=123&pass=456), this infocmation is available in plaintext too.
So, it may well be a lot safer to just encrypt the whole connection. So mutch so, that I can even understand firefox reports it as ‘not encrypted’.
(I’m with you on the stupid ‘do you really wan tot connect to the scammers that didn’t pay big bucks to ssl cert providers, though)
