On 09/18/2011 05:32 AM, Jeffrey Walton wrote:
The one thing I cannot palette: [many] folks in Iran had a preexisting relationship with Google. For an Iranian to read his/her email via Gmail only required two parties - the person who wants to do the reading and the Gmail service. Why was a third party involved?
This is a good question and it's the starting point of some of the proposed solutions being floated (e.g. pinning). I think the answer comes from the realm of ordinary software engineering: state. (no, not "State" like the government, let's not get sidetracked here :-) The entire concept of a "preexisting relationship" adds new state to the client endpoint (the web browser). This might seem like a small thing, but it really isn't. To the extent a solution built on this observation is effective, this state is also security critical. Now that we have security critical state in the user's web browser, it add a lot of complication to the user interface. * A user may change hardware or reinstall the software, so now you need a mechanism to back it up and restore it, perhaps across vendors. Otherwise, the user's security actually regresses when they switch to a brand-new, clean and more secure PC. * The state probably needs to be private since it contains browsing history. * The state may become corrupted either maliciously or by accidentally. This could be as common as cert warnings are today. So now the users need a method to: - wipe out the state entirely "clear the cache and cookies" - delete entries selectively e.g., look through the cookies for the site and all the affiliate sites serving resources in into the page. - bypass the errors manually "continue using the site anyway" My personal view is that there's still probably a useful feature there if these issues can be overcome with some luck and heroically elegant software engineering. But if you're someone who believes that users always thoughtlessly bypass security warnings today, then you might see this feature as another "damn the torpedoes full speed ahead" button that users press when actually under attack. Note that out of over 300,000 IP addresses that made OCSP queries for fraudulent DigiNotar certs, there was only one user who had the presence of mind to ask about it on a help forum: https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en This man deserves a medal and a place in history. Shall we make a Wikipedia page for him? Would the editors understand why he is noteworthy? - Marsh _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
