Title: Self signed certificate at glbse.com
Post by: KenJackson on June 30, 2011, 12:25:31 AM

I've been surfing around looking at different bitcoin sites and one I've seen a link to is the GLobal Bitcoin Stock Exchange (http://glbse.com). But when I click on it, I get this:

Quote:
    This Connection is Untrusted
    You have asked Firefox to connect securely to glbse.com, but we can't confirm that your connection is secure.
    ...
    The certificate is not trusted because it is self-signed.

What's the deal? Why don't they have a legitimate certificate?

Title: Re: Self signed certificate at glbse.com
Post by: ribuck on June 30, 2011, 11:23:54 AM

Quote:
    What's the deal? Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

Title: Re: Self signed certificate at glbse.com
Post by: Arxan on June 30, 2011, 11:28:50 AM

Quote:
    What's the deal? Why don't they have a legitimate certificate?

Quote:
    Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.
    The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.
    Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert.

I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.

Title: Re: Self signed certificate at glbse.com
Post by: JeroenV1990 on June 30, 2011, 11:31:06 AM

Seems ok, you can always do a WHOIS (WHO-IS).

Title: Re: Self signed certificate at glbse.com
Post by: abtcus on June 30, 2011, 12:32:38 PM

Quote:
    What's the deal? Why don't they have a legitimate certificate?

Quote:
    Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.
    The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.
    Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

This is only partly correct. While you can generally trust a self signed certificate to establish an ssl connection, haphazardly allowing the self signed paypa1.com to get the immediate go-ahead from a browser is a terrible idea. The warning pages are essentially asking users: are you sure you know what you are about to fucking do?

If anything, browsers are too lax towards established certificate authorities.

Title: Re: Self signed certificate at glbse.com
Post by: ribuck on June 30, 2011, 01:55:38 PM

Quote:
    ... and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert...

True enough. But how do you conveniently distinguish between a legitimate purchased cert and a cert that was sold to the CIA by a compliant cert-issuer?

Quote:
    I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.

Fair enough.

Anyway, regardless of the technical issues, a service will not be commercially successful if it causes the browser to display frightening messages.

Title: Re: Self signed certificate at glbse.com
Post by: KenJackson on June 30, 2011, 04:45:26 PM

I appreciate everyone's input.

And I think there is an additional point. Any company that wants to do any amount of business with the public can't remain anonymous. If we assume that this company wants to do business with the public and to grow its market share and to be respected and trusted--then it MUST have a chain of trust backing up its website certificate. And it MUST NOT be anonymous.

But back to my question, I wonder if they don't understand this, if there is some temporary problem they're working on, or if they have some lurking ill-intent.

Title: Re: Self signed certificate at glbse.com
Post by: alfred on July 22, 2011, 03:51:59 AM

I really think they should get a proper cert. That browser warning makes me think the site has been compromised.
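
The "extra effort to verify" that the thread mentions usually means comparing the certificate's fingerprint against one the operator published through a separate channel, or at least noticing when it changes. The following is an added example, not part of the original thread or of any site discussed in it; the function names, the `example.test` host and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    hexed = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))

def _normalize(fp: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd" as an operator might publish it.
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")

def matches_published(der_cert: bytes, published_fp: str) -> bool:
    """True only if the presented cert hashes to the out-of-band fingerprint."""
    return hmac.compare_digest(_normalize(fingerprint(der_cert)),
                               _normalize(published_fp))

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's certificate WITHOUT chain validation; the caller must
    pass the result to matches_published() before sending anything sensitive."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_pin(der_cert: bytes, pins: dict, host: str) -> str:
    """Trust-on-first-use: remember the first fingerprint, flag any later change."""
    seen = fingerprint(der_cert)
    if host not in pins:
        pins[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(pins[host], seen) else "CHANGED"

# Constructed stand-ins for DER bytes (not real certificates); the logic only hashes them.
SITE_CERT = b"constructed-der-bytes-for-the-site"
OTHER_CERT = b"constructed-der-bytes-for-an-interposed-cert"

if __name__ == "__main__":
    published = fingerprint(SITE_CERT)  # what the operator would post out of band
    print(matches_published(SITE_CERT, published))
    print(matches_published(OTHER_CERT, published))
```

A "first-seen" result carries no assurance by itself: trust-on-first-use only detects a later substitution, so the published-fingerprint comparison is the stronger of the two checks.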