
Comment Re:Their country, their standards. (Score 1) 5

I definitely see this as a User Experience issue on the Brazilian website rather than an actual security or privacy issue.

While commercially speaking they could just get a Verisign cert, I think a better solution could be for browsers to include government CAs - in my experience they actually verify your identity way way more thoroughly than any commercial CA.

Also, since there are varying levels of trust, perhaps browsers should reflect that instead of a red/green metaphor?

However, from a security standpoint whatever security is provided by SSL still stands if one decides to add the 'untrusted' certificate on the first visit.

Why anyone should trust a site certified with one of the cheaper Comodo certs, and not trust a self-generated cert is beyond me. Now one of the things I do is encryption software, so my ideas are a bit different from an average user. But there are a few underlying issues with SSL as it stands, and this is just one ramification.

SSL is supposed to be based on trusting CAs, but today it really is about trusting your browser's judgement about inclusion of root certificates into browsers. When GoDaddy got into the SSL certificate business they acquired a (IIRC) defunct CA just so they were grandfathered into a lot of browsers. On the other hand browsers do not include root certificates of national CAs by default, and Governments don't seem to be in a rush to pay MS or request FF to include or link their certs in browsers.

The commercial CA business is a goldmine that verges on a scam - at least Verisign will ask you to fax over some documents to them, but a few CAs only care for their fees.

Lastly, I'm sorry about the appearance of xenophobia in this discussion; but that is a fundamental psychological and historical raison d'etre for visas and border controls - so there.

Comment Their country, their standards. Reciprocity sucks? (Score 1) 5

It's not that the Brazil government can't afford a Thawte or Verisign certificate - the actual reasoning is that as a sovereign nation they don't trust (and can't depend on) these foreign corporations. The website is (IMHO, correctly and appropriately) certified by the chief Brazilian trusted authority.

If your browser says it doesn't trust the Brazilian Government-issued SSL, that's technically your problem. It works this way in other cases too - as the director of an Indian company I have a certificate issued to me by the Indian government to digitally sign corporate and tax filings online. I store the certs in my browser, but my browser does not recognize the Indian Government's certifying authority by default. I feel the onus is on the browser here.

Also, untrusted !== insecure, as untrusted is a relative term. You trust Comodo, but they will issue a certificate to anyone. You don't trust the Brazilian CA, but the Brazilian government does, more than it trusts Comodo.

The important point is that since the website uses SSL, you are still safe from man-in-the-middle attacks if you choose to trust the site.

Also there is the issue of reciprocity. You don't realize how excruciating and humiliating it is for a foreign person to enter the United States - one has to endure long queues without water (not allowed in building) or phones, subject to fingerprinting (which I feel is more intrusive than sharing biographical identity), fiscal scrutiny and rude consular officers.

But yes, it's your country so your rules apply. I understand that a visa is a privilege, not a right.

Similarly, when you request a Brazilian visa, you play by their rules.
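Both posts describe the same two options for a site whose certificate chains to a CA your browser does not ship: accept the certificate on the first visit and hold the site to it afterwards, or add the government root to your trust store and keep ordinary validation. The following Python is an added example, not code from either post or from Slashdot: a small trust-on-first-use pin store that records the SHA-256 fingerprint of the leaf certificate on first contact and fails closed if a later connection presents a different one, plus a helper that adds an extra root CA to the default context. The host name, the "certificate" byte strings and the JSON file layout are constructed for illustration.

```python
"""Trust-on-first-use (TOFU) pinning and extra-root trust for a site whose
certificate chains to a CA the default store does not include.  Added example;
not from the posts above.  Certificate bytes below are constructed stand-ins."""
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the one pinned for it."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of the DER-encoded leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store: the first certificate seen for a host is recorded;
    every later connection must present the same one (fail closed on mismatch).
    path=None keeps the pins in memory only (assumed convenience for testing)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())
        else:
            self.pins = {}

    def _save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            # First visit: the only basis for trust is this one connection, so the
            # pin is only as good as that first exchange.  Record it.
            self.pins[host] = fp
            self._save()
            return "pinned"
        if known != fp:
            raise PinMismatch(f"{host}: pinned {known[:16]}..., presented {fp[:16]}...")
        return "match"


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the DER leaf certificate a server presents, without chain validation.
    Use it only to feed PinStore.check(); never send application data on this socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def context_with_extra_root(cafile: str) -> ssl.SSLContext:
    """The other route the posts mention: keep full validation (hostname + chain)
    but add one more trusted root, e.g. a national CA bundle in PEM form."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=cafile)
    return ctx


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_FIRST_VISIT = b"\x30\x82\x01\x00constructed-leaf-cert-A"
CERT_REPLACED = b"\x30\x82\x01\x00constructed-leaf-cert-B"


def demo(store_path=None) -> list:
    """Walk a store through first visit, repeat visit, and a changed certificate."""
    store = PinStore(store_path)
    host = "example.invalid"  # constructed host name
    results = [store.check(host, CERT_FIRST_VISIT), store.check(host, CERT_FIRST_VISIT)]
    try:
        store.check(host, CERT_REPLACED)
        results.append("accepted")
    except PinMismatch:
        results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())  # ['pinned', 'match', 'rejected']
```

In practice the pin file would be written under the user's profile and `fetch_leaf_der` called once per host before `PinStore.check`; the mismatch path is the whole point, since a changed certificate is the only signal this scheme has, so it should stop the connection rather than prompt.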
