[cryptography] Let's go back to the beginning on this

Steven Bellovin smb at cs.columbia.edu
Tue Sep 13 14:57:29 EDT 2011


On Sep 13, 2011, at 2:22 28PM, Andy Steingruebl wrote:

> On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> 
>> Furthermore,
>> they're probably right; most of the certificate errors I've
>> seen over the years were from ordinary carelessness or errors,
>> rather than an attack; clicking "OK" is *precisely* the right
>> thing to do.
> 
> Is anyone aware of any up-to-date data on this btw?  I've had
> discussions with the browser makers and they have some data, but I
> wonder whether anyone else has any data at scale of how often users
> really do run into cert warnings these days. They used to be quite
> common, but other than 1 or 2 sites I visit regularly that I know have
> self-signed certs, I *never* run into cert warnings anymore.   BTW,
> I'm excluding "mixed content" warnings from this for the moment
> because they are a different but related issue.

From personal experience -- I use https to read news.google.com; Firefox 6
on a Mac complains about wildcard certificates.  And ietf.org's certificate
expired recently; it took a day or so to get a new one installed.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb







