Comments: Microsoft scores in anti-phishing!

Call me a cynic, but I see it more like aiding continued extortion by CAs. Yes, it's nice to get rid of SSLv2, but most user-noticeable changes will be draconian scare-the-living-bejeezus-out-of-the-user rendering effects in case of the slightest non-compliance with the X.509 PKI model.
For instance, this blog will be one hell to read, because
1. name mismatch between the https links and the certificate
2. no signature chain from a trusted root

Your readers will have the url displayed on red background and have to go through a lot of scary warnings, before accessing the root.

Also, I am curious how they are planning to live up to their promise of rendering insecure content embedded in secure pages (images, etc.) differently: what if the stylesheet is the insecure embedded content? You can achieve pretty much any visual effect using the stylesheet, after all.

Posted by Daniel A. Nagy at October 25, 2005 07:51 PM

Stimulated by your on-going crusade, I decided to turn off ssl v2 in my browser -- Galeon. I couldn't find any option to do so. In fact, I couldn't find any option to configure *any* security features of any kind. Finally I learned that you can type "about:config" into the URL field to see the current config. Browsing through it, I found that ssl v2 was already disabled, as was md5 and any algorithm with < 128 bit key sizes.

Posted by Z at October 26, 2005 11:09 AM

The webpages for Wells Fargo customer account activity still contain links to other https sites. Now this is a https link to some image on akamai.net - a few months ago this was a https link to something invisible on ad.doubleclick.net. It really bothers me that MY browser contacts these other organizations when it displays an account activity page. I am shocked to see this not generate an error in my browser. My browser complains if a https webpage contains an image coming from any HTTP link (even one at Wells Fargo), but it allows images without complaint from anywhere on the internet if the image is HTTPS.

Will these proposed IE7 changes put an end to this behavior? I'm not sure what my fear is here - my bank can give out all my information to everyone anyway. I'd just like assurance that my yellow https address bar tells me *everything* is coming from *that* website, encrypted.

Posted by Logi Mess at November 1, 2005 08:09 PM