June 26, 2006
How many people are turned away by the FC certificate?
Peter Gutmann asks:
Do you have any figures on how many security people your self-signed certificate is turning away? I'd be interested in knowing whether the indistinguishable-from-placebo effect of SSL certs also extends to a site used mainly by security people.
I have no idea! Anybody?
Posted by iang at June 26, 2006 04:48 AM
Isn't this like saying, "everyone who's not listening, raise your hand"?
Actually, I like that you have a self-signed certificate. The main reason I like it is that I use your site when I'm presenting on phishing and how to use SSL on the Internet. It is amazing how few people understand what that little lock means at the bottom of their browser, and it is even more amazing how few people know that you can double click that lock and get all sorts of interesting information. I use your site to show people what a potentially bogus site may look like (self-signed), while at the same time explaining to them that your site is not bogus.
Just to be pedantic: Ian isn't using a self-signed certificate, he's using a certificate issued by a CA (CAcert) whose root certificate is not pre-loaded in browsers.
To answer the original question, I doubt that the warning dialog deters anyone from accessing the site; I'm sure they click through the dialog just like people click through similar dialogs on intranet sites at their employers (like my former one) where the IT people for whatever reason didn't bother to acquire valid certificates. In both cases people know where they're going and aren't inclined to let a warning dialog get in their way :-)
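The distinction drawn in the comment above (a genuinely self-signed certificate versus one issued by a CA whose root the browser does not ship) is easy to check from the command line, and so is the effect of "installing" that CA. The script below is an added example, not code from the blog or its commenters; it uses only openssl, generates a throwaway self-signed leaf and a throwaway private CA with a leaf it issues (all names and hostnames are constructed), classifies each against a trust file, and then appends the CA certificate to that file to show that this is the step that turns the warning into a clean verification.

```shell
#!/bin/sh
# Added example, not from the blog thread: tell a self-signed certificate apart
# from one issued by an unrecognised CA, and show what "installing" the CA does.
set -eu

WORK=$(mktemp -d)

# 1. A genuinely self-signed leaf: signed with its own key, so subject == issuer.
#    (Hostnames below are constructed for the example.)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# 2. A private CA (stands in for a root no browser ships) and a leaf it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# An initially empty trust file stands in for a browser that has never seen this CA.
# (openssl verify also consults the system store, which does not contain it either.)
: > "$WORK/trusted.pem"

# dn_field -subject|-issuer CERT: the DN text after the "subject=" / "issuer=" label.
dn_field() {
    openssl x509 -in "$2" -noout "$1" | sed 's/^[a-zA-Z]*= *//'
}

# classify_cert CERT TRUSTFILE prints one of:
#   self-signed       subject and issuer are the same name
#   untrusted-issuer  issued by some CA, but no chain builds to TRUSTFILE
#   trusted           chain builds to a CA in TRUSTFILE
classify_cert() {
    cert=$1
    trust=$2
    if [ "$(dn_field -subject "$cert")" = "$(dn_field -issuer "$cert")" ]; then
        echo self-signed
    elif openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted-issuer
    fi
}

# install_ca CAFILE TRUSTFILE: the "please install this certificate first" step,
# i.e. adding the issuing CA to the client's trust anchors.
install_ca() {
    cat "$1" >> "$2"
}

echo "self.pem before install: $(classify_cert "$WORK/self.pem" "$WORK/trusted.pem")"
echo "leaf.pem before install: $(classify_cert "$WORK/leaf.pem" "$WORK/trusted.pem")"
install_ca "$WORK/ca.pem" "$WORK/trusted.pem"
echo "leaf.pem after install:  $(classify_cert "$WORK/leaf.pem" "$WORK/trusted.pem")"
```

Note that installing the CA does nothing for the self-signed leaf: a browser can only stop warning about it if the leaf itself is added as a trust anchor, which is the "accept permanently" path rather than a CA installation.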
Micheal: yes you are absolutely right. But let's not let a little logical impossibility slow us down ;) Practically speaking I don't know another way of contacting people who are turned away, but out there in the readership, there may be some "observations" of this.
'course the really funny thing is that I did say that once in a class...
You can actually do some digging in the apache logs to find out. I am running an operation, where people are very concerned about the security of their personal data (legal services for those harassed by the copyright mafia) and initially just used SSL with a self-signed cert. According to the logs, it did turn some people down.
The solution was to start off with a plain http site and write something along these lines: "in order to proceed to the secure website, please install this certificate first", where "this" is a link to the certificate file. Most browsers install it after some completely innocent click-through procedure. While the majority of users _do_not_ go through this procedure, just click "accept" when the SSL warning comes up, the number of turned-down users was reduced to zero: those that would be scared of the browser's warning seem to be the same people who are willing to click on installing the cert before using it.
All this is completely irrational. I disagree that a potentially bogus site will be self-signed. There's no correlation whatsoever between being bogus and having a certificate by one of the browser-blessed CAs. Most bogus sites do not bother with SSL at all. Those that do, pay for a certificate. Actually, self-signed certs are very rare for phishing sites. I have never seen a single one myself.
Opportunistic key exchange is the way to go and third-party certification is just a worthless signal, which is often worse than useless. WebMoney makes a point of running its own CA and not giving a rat's ass about other certifications. And that's a financial company operating in the Russian-speaking segment of the 'net which is known to have one of the highest fraud rates in the networked world.
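The log digging the commenter describes can be made concrete. The script below is an added example, not the commenter's code. It assumes a layout like the one described: a plain-http landing page (here /enter) that points visitors at an https vhost, and a CA certificate offered for download (here /ca.crt); both paths and all log lines are constructed. It parses Apache combined-format access lines and treats a client address that fetched the landing page but never appeared in the https log as turned away. Two caveats a practitioner should keep in mind: a TLS handshake the user abandons at the warning never reaches the access log, so absence from the https log is the only signal available, and shared addresses (NAT, proxies) blur it.

```python
"""Added example (not from the blog thread): estimate how many visitors a
certificate warning turned away, from Apache combined-format access logs.
Paths /enter and /ca.crt and every log line are constructed for the example."""
import re

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for the plain-http vhost (landing page + CA download).
HTTP_LOG = """\
10.0.0.1 - - [26/Jun/2006:04:48:00 +0000] "GET /enter HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.1 - - [26/Jun/2006:04:48:09 +0000] "GET /ca.crt HTTP/1.1" 200 1204 "http://www.example.test/enter" "Mozilla/5.0"
10.0.0.2 - - [26/Jun/2006:04:51:12 +0000] "GET /enter HTTP/1.1" 200 1532 "-" "Opera/9.0"
10.0.0.3 - - [26/Jun/2006:04:55:40 +0000] "GET /enter HTTP/1.1" 200 1532 "-" "Mozilla/4.7"
10.0.0.4 - - [26/Jun/2006:05:01:03 +0000] "GET /robots.txt HTTP/1.0" 200 68 "-" "Googlebot/2.1"
10.0.0.5 - - [26/Jun/2006:05:07:27 +0000] "GET /enter HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Constructed sample lines for the https vhost (only clients that got past the warning).
HTTPS_LOG = """\
10.0.0.1 - - [26/Jun/2006:04:48:31 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.2 - - [26/Jun/2006:04:51:20 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Opera/9.0"
10.0.0.9 - - [26/Jun/2006:05:12:55 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def turned_away_report(http_log, https_log, landing="/enter", ca_file="/ca.crt"):
    """Compare who reached the http landing page with who showed up on https.

    A client that fetched the landing page but never produced an https request
    is counted as turned away (the handshake itself leaves no access-log trace).
    """
    landed, fetched_ca = set(), set()
    for e in parse(http_log):
        if e["status"].startswith("2") and e["path"] == landing:
            landed.add(e["ip"])
        elif e["status"].startswith("2") and e["path"] == ca_file:
            fetched_ca.add(e["ip"])
    proceeded = {e["ip"] for e in parse(https_log)}

    turned_away = landed - proceeded
    return {
        "landed": len(landed),
        "proceeded": len(landed & proceeded),
        "turned_away": sorted(turned_away),
        "turned_away_rate": len(turned_away) / len(landed) if landed else 0.0,
        # Clients who downloaded the CA file and were still turned away; the
        # commenter's observation was that this set ends up empty.
        "installed_ca_but_turned_away": sorted(fetched_ca & turned_away),
    }


if __name__ == "__main__":
    for key, value in turned_away_report(HTTP_LOG, HTTPS_LOG).items():
        print(f"{key}: {value}")
```

On real logs the interesting trend is the turned-away rate before and after the landing page with the CA download link went live, measured over the same sort of traffic window; a client that reaches https directly without touching the landing page (10.0.0.9 above) is deliberately left out of the denominator.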
It's a problem for my RSS reader, which is flummoxed by the cert warning. If I want to read a post, I switch to the browser. If I find the summary interesting, I always switch and read the post, but my reading is often interspersed with grumbling about the cert. grumble grumble.
Forgot to mention - I wasn't able to get to this. On Netscape at least, it came up with one of those cert requestors:
"Unable to verify the identity of www2.futureware.at as a trusted site."
"Please notify the site's webmaster about this problem."
Accept permanently/temporarily/not at all... OK/Cancel/Help
But whilst I can examine the certificate, asking it to accept it either permanently or temporarily just results in the same requestor being presented over and over... :-/