On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
> With bank web sites, experience has shown that only 0.3% 
> of users are deterred by an invalid certificate, 
> probably because very few users have any idea what a 
> certificate authority is, what it does, or why they 
> should care.  (And if you have seen the experts debating 
> what a certificate authority is and what it certifies, 
> chances are that those few who think they know are 
> wrong)

Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.

I've tried. They won't/can't.

> Do we have any comparable experience on SSH logins? 
> Existing SSH uses tend to be geek oriented, and do not 
> secure stuff that is under heavy attack.  Does anyone 
> have any examples of SSH securing something that was 
> valuable to the user, under attack, and then the key 
> changed without warning?  How then did the users react? 

Every time this has happened to someone I know who uses SSH, it's been
immediate cause for alarm, causing a phone call to the person who
administers the box asking "what the? did you reinstall the OS
again?".

-- 
                                - Adam

** I can fix your database problems: http://www.everylastounce.com/mysql.html **

Blog............... [ http://www.aquick.org/blog ]
Links.............. [ http://del.icio.us/fields ]
Photos............. [ http://www.aquick.org/photoblog ]
Experience......... [ http://www.adamfields.com/resume.html ]
Product Reviews: .. [ http://www.buyadam.com/blog ]


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
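The two behaviours contrasted above, as an added example that is not code from the original message or from either poster: a trust-on-first-use pin store in the style of OpenSSH's known_hosts, which on a key change refuses to proceed and reports exactly the three things a user needs to verify over another channel (that it changed, the old fingerprint, the new fingerprint), plus the "phone the admin" step that re-pins only when the fingerprint read back out of band matches. The host name, the key bytes and the `PinStore` class are constructed for the illustration; the wire encoding and fingerprint formats are OpenSSH's.

```python
"""Trust-on-first-use host-key pinning, modelled on OpenSSH known_hosts.

Added illustration, not code from the original message. All key material
below is constructed for the example and belongs to no real host.
"""
import base64
import hashlib
import struct
from typing import Dict, Optional, Tuple

KEY_TYPE = b"ssh-ed25519"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pub: bytes) -> bytes:
    """SSH wire encoding of an ssh-ed25519 public key (the base64 field in known_hosts)."""
    if len(raw_pub) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(KEY_TYPE) + ssh_string(raw_pub)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's current default: base64(SHA-256(blob)) with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """The older colon-separated hex MD5 form, which is what ssh printed in 2005."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_line(host: str, blob: bytes) -> str:
    """Render one known_hosts entry: 'host keytype base64blob'."""
    return f"{host} {KEY_TYPE.decode()} {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line: str) -> Tuple[str, bytes]:
    """Inverse of known_hosts_line; rejects entries whose declared type disagrees with the blob."""
    host, keytype, b64 = line.split()
    blob = base64.b64decode(b64)
    if keytype.encode() != KEY_TYPE or not blob.startswith(ssh_string(KEY_TYPE)):
        raise ValueError("key type mismatch")
    return host, blob


class PinStore:
    """In-memory known_hosts: host name -> pinned public-key blob (hypothetical helper)."""

    def __init__(self) -> None:
        self.pins: Dict[str, bytes] = {}

    def check(self, host: str, presented: bytes) -> Tuple[str, Optional[str], str]:
        """Return (verdict, old_fingerprint, new_fingerprint).

        verdict is 'new' (first contact, key is pinned), 'match', or 'changed'.
        On 'changed' nothing is updated: the caller must verify out of band.
        """
        new_fp = fingerprint_sha256(presented)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = presented  # trust on first use
            return "new", None, new_fp
        if pinned == presented:
            return "match", new_fp, new_fp
        return "changed", fingerprint_sha256(pinned), new_fp

    def confirm_out_of_band(self, host: str, presented: bytes, spoken_fp: str) -> bool:
        """Re-pin only if the fingerprint obtained over another channel (the admin on
        the phone) equals the presented key's fingerprint, in either format."""
        if spoken_fp not in (fingerprint_sha256(presented), fingerprint_md5(presented)):
            return False
        self.pins[host] = presented
        return True


# Constructed sample keys: the box before and after a reinstall.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))


def demo() -> list:
    """Walk through first contact, a normal login, a key change, and recovery."""
    store = PinStore()
    host = "shell.example.org"  # constructed host name
    verdicts = [store.check(host, KEY_A)[0],
                store.check(host, KEY_A)[0],
                store.check(host, KEY_B)[0]]
    # An attacker's key would fail here; the admin's phoned-back value succeeds.
    verdicts.append(store.confirm_out_of_band(host, KEY_B, "SHA256:notwhatadminsaid"))
    verdicts.append(store.confirm_out_of_band(host, KEY_B, fingerprint_sha256(KEY_B)))
    verdicts.append(store.check(host, KEY_B)[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The contrast with the bank case is in `check`: a change never silently re-pins, and the verdict carries both fingerprints, so a user has something concrete to read to the administrator. A browser showing a certificate warning without either value, against an institution that will confirm neither, gives the user nothing to act on.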