Bitcoin Forum
December 07, 2016, 12:35:05 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Self signed certificate at glbse.com  (Read 756 times)
KenJackson
Member
**
Offline Offline

Activity: 116



View Profile
June 30, 2011, 12:25:31 AM
 #1

I've been surfing around looking at different bitcoin sites and 
one I've seen is a link to is the GLobal Bitcoin Stock Exchange.

But when I click on it, I get this:

Quote
This Connection is Untrusted
You have asked Firefox to connect securely to glbse.com,
but we can't confirm that your connection is secure.
...
The certificate is not trusted because it is self-signed.

What's the deal?  Why don't they have a legitimate certificate?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481114105
Hero Member
*
Offline Offline

Posts: 1481114105

View Profile Personal Message (Offline)

Ignore
1481114105
Reply with quote  #2

1481114105
Report to moderator
1481114105
Hero Member
*
Offline Offline

Posts: 1481114105

View Profile Personal Message (Offline)

Ignore
1481114105
Reply with quote  #2

1481114105
Report to moderator
ribuck
Donator
Legendary
*
Offline Offline

Activity: 826


View Profile
June 30, 2011, 11:23:54 AM
 #2

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.
Arxan
Newbie
*
Offline Offline

Activity: 11


View Profile
June 30, 2011, 11:28:50 AM
 #3

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert.  I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.
JeroenV1990
Newbie
*
Offline Offline

Activity: 26


View Profile
June 30, 2011, 11:31:06 AM
 #4

Seems ok, you can always do a WHOIS(WHO-IS).
abtcus
Newbie
*
Offline Offline

Activity: 4


View Profile
June 30, 2011, 12:32:38 PM
 #5

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

This is only partly correct. While you can generally trust a self signed certificate to establish an ssl connection, haphazardly allowing the self signed paypa1.com to get the immediate go-ahead from a browser is a terrible idea. The warning pages are essentially asking users: are you sure you know what you are about to fucking do? If anything, browsers are too lax towards established certificated authorities.
ribuck
Donator
Legendary
*
Offline Offline

Activity: 826


View Profile
June 30, 2011, 01:55:38 PM
 #6

... and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert...
True enough. But how do you conveniently distinguish between a legitimate purchased cert and a cert that was sold to the CIA by a compliant cert-issuer?

I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.
Fair enough.

Anyway, regardless of the technical issues, a service will not be commercially successful if it causes the browser to display frightening messages.
KenJackson
Member
**
Offline Offline

Activity: 116



View Profile
June 30, 2011, 04:45:26 PM
 #7

I appreciate everyone's input.

And I think there is an additional point.  Any company that wants to do any amount of business with the public can't remain anonymous.

If we assume that this company wants to do business with the public and to grow its market share and to be respected and trusted--then it MUST have a chain of trust backing up it's website certificate.  And it MUST NOT be anonymous.

But back to my question, I wonder if they don't understand this, if there is some temporary problem they're working on, or if they have some lurking ill-intent.

alfred
Newbie
*
Offline Offline

Activity: 26


View Profile WWW
July 22, 2011, 03:51:59 AM
 #8

I really think they should get a proper cert. That browser warning makes me think the site has been compromised.

http://www.xidcapital.com
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!