22:28 Ryan_Lane: restarting apache on singer
22:19 Ryan_Lane: pushing new star cert to singer
21:55 RoanKattouw: SSL certificate for secure.wikimedia.org expired about an hour ago, no ops around. I've just texted Ryan
Massive certificate warning. Technical words. Expired 5 minutes ago. And I'm using FF4.
Seems like FF continues to have no consideration for the non-technical audience who will click 'Get me out of there' or close the tab. And just because the certificate expired 5 minutes ago.
> the non-technical audience who will click 'Get me out of there' or close the tab.
This is the right thing to do. You do not attempt to second-guess a certificate expiration for any reason. If you program in a way to ignore a bad security certificate, I can guarantee you that that will immediately be used to defeat the entire system, and that leads directly to grandmothers giving their credit card details to J. Random Phisher.
FF uses scary language etc specifically so that non-techies won't ignore the warning. Make it so that non-techies ignore the warning for Wikipedia and they will ignore it when the connection to their bank is being mitmed.
Why are you blaming Firefox? Why do you not blame Wikipedia for not admining their servers properly?
This is wikipedia, learning stuff so eavesdroppers can't read the connection.
I hardly think putting a massive "This Connection is Untrusted" for a certificate that expired 5 minutes ago on the same level as a warning saying "This certificate is not valid for this website" is appropriate.
For what period after a certificate expires is it safe to rely upon? Why are you trusting your judgement (in your capacity as a browser vendor) over that of the certificate issuer?
I ask again, why do you blame Firefox for warning (however apocalyptically) about an expired certificate, and not Wikipedia for using an expired certificate on a public server?
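An added example (not code from any of the commenters or from Wikimedia) of the distinction the thread keeps circling: the relying party's rule has no grace period, while the operator's monitoring check warns well before notAfter. The certificate dates are constructed; `warn_days` and the function names are my own choices.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Hypothetical dates, not the real secure.wikimedia.org certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.wikimedia.org"),),),
    "notBefore": "Mar  1 00:00:00 2011 GMT",
    "notAfter": "May 10 22:00:00 2011 GMT",
}


def utc(*args):
    """Shorthand for an aware UTC datetime, e.g. utc(2011, 5, 10, 22, 5)."""
    return datetime(*args, tzinfo=timezone.utc)


def _cert_time(value):
    # ssl.cert_time_to_seconds parses the OpenSSL-style ASN1 time string as UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def expiry_status(cert, now=None, warn_days=14):
    """Return (status, remaining) where remaining = notAfter - now.

    remaining goes negative once the certificate has expired; the
    'expiring_soon' state exists for operators, not for relying parties.
    """
    now = datetime.now(timezone.utc) if now is None else now
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    remaining = not_after - now
    if now < not_before:
        return "not_yet_valid", remaining
    if now > not_after:
        return "expired", remaining
    if remaining <= timedelta(days=warn_days):
        return "expiring_soon", remaining
    return "valid", remaining


def client_should_trust(cert, now=None):
    """The browser's rule: inside the validity window or not, no grace period.

    A certificate 5 minutes past notAfter is rejected exactly like one 5 years past.
    """
    return expiry_status(cert, now)[0] in ("valid", "expiring_soon")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the live certificate for an operator-side expiry check.

    The default context verifies chain, hostname and validity window, so an
    already-expired certificate fails the handshake here just as in the browser.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `expiry_status(fetch_peer_cert("example.invalid"))` from a cron job and page on `expiring_soon`; by the time it returns `expired`, the handshake in `fetch_peer_cert` already fails, which is the situation the IRC log above describes.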
An analogy would be a tsunami alert given for massive water coming in. However, the alert will still be the same even for high tides, which occur often but don't affect more than the beaches, leading residents to ignore it until the big disaster comes.
I believe FF's generic warning is a cry wolf that puts the hidden message of lapsed security (expired recently) on the same level as the lack of security (certificate is not valid). I do understand that there might be users who'll second-guess, but if the results of the UAC experience have said anything, users may eventually assume it's a generic message, albeit with technical details, and quickly skip over the warnings to get to the website.
Either way, I wish the Internet would default to encrypted rather than unencrypted because generic warnings like this encourage the latter.