In message <[email protected]>, dated Tue, 13 Jan 2009 at 19:24:55,
Robin Zalek <[email protected]> writes
> On Tue, 13 Jan 2009 13:53:36 -0000, Chris Salter
> <[email protected]> wrote:
>> The question in all this is, in real world terms, how much
>> consideration should we give to Opera's 'additional' security
>> validation? If the site is new to me and Opera says it's insecure
>> I'm not going to action any transactions in that session. However,
>> what do you do when the site is one you access daily and only Opera
>> suddenly reports security issues with that site?
> Firefox checks CRLs/OCSP revocation systems, but if they can't be
> contacted or return an invalid result Firefox will mark the connection
> as OK - I had a site recently whose certificate was pointing to a
> malformed CRL and Firefox didn't raise an eyebrow. The basic difference
> is that Opera is checking that the certificate hasn't been revoked (and
> thus if it can't confirm that errs on the side of caution) whereas
> Firefox's approach is to check if the certificate has been revoked,
> only returning a failure if they get a definitive yes to that
> question; for what it's worth Chrome appears to follow Opera, Safari
> and Internet Explorer take Firefox's approach. If the only problem is a
> failure to get revocation information (i.e. Opera's security info
> dialog still lists encryption methods for a connection) and it's a site
> you know then you're /probably/ OK - revocations are rare, and since
> it's only become common for all browsers to actually check revocation
> status in the last year or two problems with CRLs and OCSPs are more
> common. In the end because I knew the site I ended up trusting the
> connection that one time.
> Regarding your specific problems I have no trouble currently accessing
> PayPal. The Barclaycard site failed first time, but worked on a reload.
> Both Barclay sites point to the same CRL
> [http://crl.verisign.com/Class3InternationalServer.crl] which if your
> computer is unable to download in 15 seconds (the timeout Opera offers
> for getting CRLs) that would explain your problem there.
Thanks for the above as it makes it all a little clearer. As I have
reported in another response, I have been unable to replicate the
problem, at least as far as the Barclaycard site is concerned, on a 2nd
system attached to the same router. The original system still exhibits a
significant response delay which could either be the cause or symptom of
the 'validation failure' and I am in the process of investigating that.
> I see Opera's approach as the more sensible one, definitely the more
I'm of two minds on that. When Opera states 'the connection is not
secure' and 'the server attempted to apply security measures but failed'
does that mean that in terms of validating the certificate (e.g. the
timeout you describe) the connection is not secure or does it mean the
session is not encrypted? If the latter, the connection is certainly not
secure but if the former, the connection *might* not be secure.
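The two revocation policies contrasted earlier in the thread (Opera/Chrome treating "could not check" as a failure, Firefox/Safari/IE failing only on a definite "revoked"), as an added example in Python that is not code from the thread or from any browser. It uses the third-party `cryptography` package; the throwaway CA, the serial numbers, the malformed CRL bytes and the simulated 15-second timeout are all constructed for the demo.

```python
# Added example (not from the thread): CRL lookup under hard-fail vs soft-fail policy.
# Needs the third-party 'cryptography' package; CA, serials and CRL bytes are constructed.
import datetime
from enum import Enum
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

class Status(Enum):
    GOOD = "good"        # CRL parsed, issuer signature valid, serial not listed
    REVOKED = "revoked"  # serial is listed in a valid CRL
    UNKNOWN = "unknown"  # CRL unreachable, timed out, malformed, or badly signed

def check_crl(fetch, issuer_public_key, serial):
    # Anything short of a trustworthy answer is UNKNOWN, never GOOD.
    try:
        crl = x509.load_der_x509_crl(fetch())  # fetch() raises on timeout/network error
    except (ValueError, OSError):
        return Status.UNKNOWN
    if not crl.is_signature_valid(issuer_public_key):
        return Status.UNKNOWN
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return Status.REVOKED
    return Status.GOOD

def soft_fail(status): return status != Status.REVOKED  # Firefox/Safari/IE: reject only a definite REVOKED

def hard_fail(status): return status == Status.GOOD  # Opera/Chrome: accept only a definite GOOD

def build_demo_crl(ca_key, revoked_serial):
    # Constructed CRL signed by a throwaway CA, listing exactly one revoked serial.
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
             .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now).next_update(now + datetime.timedelta(days=1))
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def timed_out(): raise TimeoutError("CRL download exceeded the 15 s limit")  # simulated timeout

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    pub, crl_der = ca_key.public_key(), build_demo_crl(ca_key, revoked_serial=4242)
    cases = {"unrevoked": check_crl(lambda: crl_der, pub, 1000),
             "revoked": check_crl(lambda: crl_der, pub, 4242),
             "malformed": check_crl(lambda: b"not a CRL", pub, 1000),
             "timeout": check_crl(timed_out, pub, 1000)}
    return {k: (v.value, soft_fail(v), hard_fail(v)) for k, v in cases.items()}
```

The malformed-CRL and timeout rows are the cases the thread describes: both policies agree on a clean "good" or "revoked", and differ only when no trustworthy answer was obtained.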