Steven Bellovin wrote:
Several other people made similar suggestions. They all boil down to the same thing, IMO -- assume that the user will recognize something distinctive or know to do something special for special sites like banks.

Not if he only does it for special sites like banks, but if "something special" is pretty widely used, he will notice when things are different.

Peter, I'm not sure what you mean by "good enough to satisfy security geeks" vs. "good enough for most purposes". I'm not looking for theoretically good enough, for any value of "theory"; my metric -- as a card-carrying security geek -- is precisely "good enough for most purposes". A review of user studies of many different distinctive markers, from yellow URL bars to green partial-URL bars to special pictures to you-name-it shows that users either never notice the *absence* of the distinctive feature

I never thought that funny colored URL bars for banks would help, and ridiculed that suggestion when it was first made, and said it was merely an effort to get more money for CAs, and not a serious security proposal.

The fact that obviously stupid and ineffectual methods have failed is not evidence that better methods would also fail.

Seems to me that you are making the argument "We have tried everything that might increase CA revenues, and none of it has improved user security, so obviously user security cannot be improved."

The Cryptography Mailing List