At 10:09 PM 6/4/2003, James A. Donald wrote:
Eric Rescorla
> Nonsense. One can simply cache the certificate, exactly as
> one does with SSH. In fact, Mozilla at least does exactly
> this if you tell it to. The reason that this is uncommon is
> because the environments where HTTPS is used are generally
> spontaneous and therefore certificate caching is less useful.

Certificate caching is not the problem that needs solving.  The
problem is all this spam attempting to fool people into logging
in to fake BofA websites and fake e-gold websites, to steal
their passwords or credit card numbers.

I don't think this problem is easier to solve (or at least I sure don't know how to solve it). It seems to me that you could tell a user every time they go to a new site that it's a new site, and hope that users would recognize that it shouldn't be "new", since they've been there before. However, people go to a large enough number of sites that they'd be seeing the "new" alert all the time, which leads me to believe that it wouldn't be taken seriously.

Fundamentally, making sure that people's perception of the identity of a web site matches the true identity of the web site has a technical component that is, at most, a small fraction of the problem and solution. Most of it is the social question of what it means for the identity to match and the UI problem of determining the user's intent (hard one, that), and/or allowing the user to easily and reliably match their intent against the "reality" of the true "identity".

Any problem that has as a component the fact that the glyphs for "lower-case L" and "one" look pretty similar isn't going to be easy to solve technologically.

- Tim
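
An added illustration, not part of the original message: a minimal SSH-style certificate cache replayed over a constructed browsing history, showing that a lookalike host name gets the same "new" verdict as any legitimate first visit. The host names, certificate bytes and the `CertCache` class are assumptions made for this example.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class CertCache:
    """Hypothetical SSH-style cache: remember the first certificate per host."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert_der: bytes) -> str:
        host = host.lower().rstrip(".")
        fp = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp          # first contact: nothing to compare with
            return "new"
        return "known" if pinned == fp else "changed"


# Constructed browsing history (names and certificate bytes are made up).
VISITS = [
    ("bankl.example", b"cert-bank"),       # the real site, first visit
    ("shop.example", b"cert-shop"),
    ("bankl.example", b"cert-bank"),       # return visit, same certificate
    ("news.example", b"cert-news"),
    ("bank1.example", b"cert-lookalike"),  # digit one where the letter l was
    ("bankl.example", b"cert-other"),      # same name, different certificate
]


def replay(visits):
    """Run the visits through a fresh cache and return (host, verdict) pairs."""
    cache = CertCache()
    return [(host, cache.check(host, cert)) for host, cert in visits]


def new_alert_rate(results):
    """Fraction of visits that would raise the 'new site' alert."""
    return sum(1 for _, verdict in results if verdict == "new") / len(results)


if __name__ == "__main__":
    results = replay(VISITS)
    for host, verdict in results:
        print(f"{host:16} {verdict}")
    print(f"'new' alerts: {new_alert_rate(results):.0%} of visits")
```

The cache only distinguishes the last visit ("changed"); the lookalike name is reported exactly like the three ordinary first visits.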
