Steven Bellovin <> writes:

>Peter, I'm not sure what you mean by "good enough to satisfy security geeks"
>vs. "good enough for most purposes".  I'm not looking for theoretically good
>enough, for any value of "theory"; my metric -- as a card-carrying security
>geek -- is precisely "good enough for most purposes".

Here's a real-world example of the problem I was referring to, from a
discussion with some browser developers.  We were going over the above issue -
how to use the results of usability studies to improve the browser security UI
- and I asked why, if they were aware of this work, no-one had done anything
with it.  The response was that "if we implement this then attackers will use
XUL to spoof it, and because of that it's not even worth trying".  In other
words because a hypoethetical weakness existed, it wasn't even worth
attempting to improve anything.  Instead of trying to help at least some of
the people some of the time, it was better to leave everyone unprotected all
of the time.

>Given the failure of all previous attempts -- who, amongst the proponents of
>EV certificates, realized that attackers could and would use all-green
>favicon.ico files to fool users -- I think the burden of proof is on the

But the problem with these approaches is that they're pretty much all just
random tweaking of the same thing, aimlessly rearranging the UI elements in
the hope that eventually something will work after (as you point out) the
twenty more or less identical previous attempts have failed.  For example the
Firefox password-entry mechanism (a generic popup dialog with a gibberish
title) hasn't changed in at least ten years (possibly even longer, I can't
remember what the Netscape 2.0 one looked like any more), all that's changed
is that every major release a few new bits of flair get added to the browser
chrome.  The "previous attempts" aren't lots of different approaches, it's the
same failed approach tried over and over and over again, with slight
variations over time in the hope that one of them might work.

What I was advocating was trying new approaches based on ideas from UI
research, not just fiddling with the chrome in the hope that this time it'll
finally start working.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to