Comment by seryoiupfurds
11 years ago
If the user typed www.mybank.com, let the server redirect to https but don't show the lock icon if it's self-signed. This is no worse than an impostor that just doesn't redirect to https.
If the user typed https://www.mybank.com, show the usual warning for self-signed certificates.
How many people are careful to type "https" every time they visit a website? How many people pay close attention to the lock icon/color of the URL bar? This advice seems to ignore the existence of sslstrip [0] and related attacks, and the numerous countermeasures that have been designed to deal with this problem (e.g. HSTS).
[0] http://www.thoughtcrime.org/software/sslstrip/
This is EXACTLY what I want for my intranet sites. It lets me protect my users from the wireshark in the next cubicle.
The solution for this is to run your own CA internally and push out the cert to all the machines. (If you have BYOD stuff it makes it a little harder, but you could still have an internal CA signing only a certain subdomain and get people to install it.)
But that doesn't protect you from a malicious user hijacking this domain in the next cubicle. Perhaps, if your switches are not properly configured, the guy in the next cubicle could do some ARP spoofing and https://intranet.yourdomain would be served by a bogus server collecting passwords.
But your users won't notice the difference, because they are used to seeing the certificate warning in their browser.