On 24/2/09 02:11, Eddy Nigg wrote:
On 02/24/2009 02:35 AM, Ian G:
The point that is made is that the "positive response" is so weak that
it doesn't support the overall effect; the attacker just prefers to
trick the user using HTTP and some favicons or other simple symbols. And
(so the author claims) gets away with it easily enough, because there is
no "positive response" that is worth much these days.

I agree that the positive versus negative indicators are not favorable,
especially for regular SSL. We had "fierce" fights on this subject here
and at the bugs...

...however I must correct here some impression which seems to have taken
over the minds because of the way FF3 handles SSL errors, which however
is absolutely not correct.

I remember when we discussed the adoption of EV here, that I pointed out
and could reasonably prove that SSL certs were and are not part of
phishing attacks - meaning that the vast majority of all known phishing
sites never used SSL certs in the first place. Now this was way before the
debut of FF3. Also these days, phishing sites don't use SSL but plain
text and in itself this is hardly news and neither due to the SSL UI and
error pages of FF3 (and despite what Peter Gutmann has to say
concerning the non-existing CA tax ;-) ).


Right. This can also be seen as evidence that secure browsing has not protected the users, because it was so easily bypassed.

Security is a balance, not a binary. The point of security is to ... deliver security to users, not feelgood to cryptographers. If the users aren't using it, then it isn't delivering security.

If the security is "too hard to use" and therefore delivers less security, we should be making security easier to use. So that it covers more users. The first requirement of security is Usability. This time, every time, and always, because if the user decided not to use it, it's game over. And this is the danger that the current FF3 beta page may have tempted.

(Having said that, I think the "negative response" has been substantially improved by Johnathan and his team. Although I've not seen it in action myself, it may have brought things back closer to balance and this conversation would be out of date.)

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto