Disable https warnings

Does anyone know how to disable browser warnings for self signed SSL certificates? I can find some information about it for IE, but none for Opera or Firefox.

There must be a way to prevent the browser from asking for confirmation when accepting self signed certificates. Anyone know?
 
For Firefox, go to the self signed site, view the certificate and install it. That should stop any subsequent warnings.
 
Accepting the cert and installing it are different things though.

You need to add the cert to the browser's certificate list so it knows to trust it.

Not used Opera so don't know the process there I'm afraid.
 
When you go to PayPal a cert isn't automatically installed. Your computer comes with pre-installed root certs for the issuing authorities, against which the PayPal cert is compared for validation.

Automatically accepting/installing all self signed certs is incredibly stupid.
 
It's not that the cert is automatically installed when you browse PayPal, it's that the issuing CA of that certificate is already trusted in your browser.
 
Why is it stupid?

Please explain to me why I should not trust SSL certificates that are not signed by certificate authorities but are from websites that I trust?

From what I understand, the worst that can happen is that I accepted a certificate that is not signed and has been compromised and allows a MITM attack possibility to decrypt packets.

What are the other risks?

It seems nonsensical to prompt me "are you sure you want to accept". I always click accept anyway, so it seems like a total waste of time to have to click accept every time.
 
Why even bother using SSL then in that case? That's what it's designed for.

Either add trusted self signed certs to your browser's store on an individual basis or use plain HTTP.
 
Have you not seen the news recently!
 
Hypothetical for you, Green.

You're browsing around one day when you decide to log in to your online banking and PayPal accounts. Unbeknownst to you, there's been an XSS vulnerability found on both of them, and your sign in details are actually going to a server in Russia.

Of course, because you don't blindly accept SSL certificates, the self signed cert on the Russian site, which has the right domain name (because a self signed certificate can have whatever domain you want), still fires up a warning about the certificate being untrusted.

Wondering why the bank website or PayPal website is suddenly saying it's using an untrusted certificate, you don't enter your details.

Of course, you could auto accept them, never see a warning and give the Russian mob your bank and PayPal details.

XSS (cross-site scripting) vulnerabilities are one of the bigger risks out there, also one of the more common.
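
Added example, not part of the thread: a Python sketch of the per-site trust the replies recommend, next to the accept-everything policy asked for in the first post. `PinStore`, `accept_all`, the host name and the certificate bytes are constructed for illustration; in real use the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host trust list for self signed certificates (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # lower-cased host name -> pinned fingerprint

    def trust(self, host: str, der_cert: bytes) -> None:
        # One deliberate decision by the user, for one host and one certificate.
        self._pins[host.lower()] = fingerprint(der_cert)

    def check(self, host: str, der_cert: bytes) -> str:
        pinned = self._pins.get(host.lower())
        if pinned is None:
            return "warn: unknown certificate"
        if hmac.compare_digest(pinned, fingerprint(der_cert)):
            return "ok"
        # Same host name, different certificate: the case the warning exists for.
        return "warn: certificate changed"


def accept_all(host: str, der_cert: bytes) -> str:
    """The policy asked for in the thread: never warn, whatever is presented."""
    return "ok"


# Constructed stand-ins for DER bytes: same subject name, different keys.
NAS_CERT = b"constructed-der:CN=nas.example.lan:key=A"
IMPOSTOR_CERT = b"constructed-der:CN=nas.example.lan:key=B"

if __name__ == "__main__":
    store = PinStore()
    store.trust("nas.example.lan", NAS_CERT)
    for name, cert in (("genuine", NAS_CERT), ("impostor", IMPOSTOR_CERT)):
        print(name, "| pinned:", store.check("nas.example.lan", cert),
              "| accept-all:", accept_all("nas.example.lan", cert))
```

Pinning one certificate per host removes the repeated prompt for the sites you chose to trust while still flagging a different certificate that carries the same name.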
 