Hi security team, I am new to this list, so I don't have a full overview on what has been discussed in the past. I have just read through the "Long Term IDN/punycode spoofing strategy concept" thread and found it to include some very interesting ideas.
If I understand things correctly, you want to have the browser maintain a sort of whitelist of domains the user trusts. Whenever the browser encounters a new SSL domain, the user is asked, if she wants to include it in the list of trusted domains. Have I gotten the idea right? If so, I think this idea is quite clever and I have considered similar solutions myself. In fact, I think the browser's padlock icon currently indicates only two things: encryption (of the connection) and authentication (of the connection's other end), but it should actually indicate three things: encryption, authentication and trust (of the user in the connection's other end to sensibly treat sensitive data, whatever sensibly means in this context). This is because I think when any of these three properties is missing, the other two become useless: * without encryption, you are basically talking to everyone, so it does not matter if you know for sure, who is at the other end and if you trust him * without authentication, you do not know who you encrypt for (could be a man in the middle) and you don't know whom you are asked to trust * without trust, there is little need in encryption, because you must assume the other end might make your sensitive data public, and you don't need authentication either, since it does not matter, who is sitting at the other end (not trusting someone is always possible, you don't need identity attestation for this) However, even with the discussed concepts in place, there is still the problem with the homograph attacks, because the user has to recognize a text string to decide on trust in a domain. One possibility is to display punycode, but I think I have found a more general solution to homograph attacks: You give the user a text input field below the string to recognize and recommend that the user types in the string he believes to be reading. The computer can then easily verify, if the displayed and the typed string match and react accordingly. You can find a more thorough description of my thoughts on this here: http://www.amalthea.de/publications/homograph.pdf Michael -- Broad surveillance is a mark of bad security. -Bruce Schneier _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security