Federico: Completely agree. In fact, you’re now training people to go through a whole new “ignore security” conditioning - previously it was just “Add exception” or whatever. Now it’s “Next, Next, Add exception, Get certificate, Next”.
From that presentation you link to, this statistic stood out:
SecuritySpace survey found that 58% of all SSL certificates were invalid (expired, self-signed, unknown CA, incorrect domain, etc.).
He also said that “most people only see the valid certs from big sites, so this problem isn’t very visible,” which is the point that MoCo makes.
I discussed this with Gerv during OSCON, and his take on it was toeing the party line:
(this is a paraphrase of my memory of the conversation).
I may be an edge case, but I seem to run into an awful lot of sites where the absolute correct thing for me to do is “Add exception Next Get certificate Next Next”. Sucks to be me, I guess.
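The four kinds of "invalid" certificate the survey lists can be reproduced and told apart with a short Go program. What follows is an added example, not code from this thread or from Mozilla: using only Go's standard library it builds a throwaway trusted root plus a second root the client does not trust, issues one constructed leaf per category for the assumed host name www.example.com, and runs the same validation a browser runs (validity period, host name match, chain to a trusted root). Every name, host and certificate in it is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh key, signs tmpl under parent with signer (parent == nil: self-signed) and parses it.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot builds a throwaway CA (constructed for this example, not a real root).
func newRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}, nil, nil)
}

// newLeaf issues a server certificate for host; parent == nil makes it self-signed.
func newLeaf(host string, from, until time.Time, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   from,
		NotAfter:    until,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, parent, signer)
	return cert
}

// classify runs the browser's checks (validity period, name match, chain to a trusted root) and maps the first failure onto the survey's categories.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "valid"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "incorrect domain"
	case x509.UnknownAuthorityError:
		// Go reports self-signed and unknown-CA alike; a self-signed cert is one whose own key verifies its signature.
		if leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
			return "self-signed"
		}
		return "unknown CA"
	}
	return "other: " + err.Error()
}

// runSurvey issues one leaf per category and validates each as a client of www.example.com (assumed host) would.
func runSurvey() map[string]string {
	now := time.Now()
	root, rootKey := newRoot("Trusted Test Root", now)
	stranger, strangerKey := newRoot("Unknown Test Root", now)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only CA this client trusts
	from, until := now.Add(-time.Hour), now.Add(24*time.Hour)
	leaves := map[string]*x509.Certificate{
		"good":        newLeaf("www.example.com", from, until, root, rootKey),
		"expired":     newLeaf("www.example.com", now.Add(-48*time.Hour), now.Add(-24*time.Hour), root, rootKey),
		"self-signed": newLeaf("www.example.com", from, until, nil, nil),
		"unknown CA":  newLeaf("www.example.com", from, until, stranger, strangerKey),
		"wrong host":  newLeaf("www.example.net", from, until, root, rootKey),
	}
	results := map[string]string{}
	for label, leaf := range leaves {
		results[label] = classify(leaf, roots, "www.example.com", now)
	}
	return results
}
```

Drive it from a test or from a main that prints runSurvey(). Two points worth noticing: Go's Verify stops at the first failing check, so a certificate with more than one defect (self-signed and expired, say) is reported under a single category, and Go lumps self-signed and unknown-CA together as "no chain to a trusted root", so the self-signature check in classify is what separates them back into the survey's two columns.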