Gervase Markham wrote:
>> Yes, in that respect there are some nice advances and tools which help to prevent phishing attacks, and they have existed for a while now...
>
> Because part of our business is to take people where they want to go, but also keep them away from where they should not be - even if they accidentally asked to go there. We take responsibility for helping our users be safe, so far as we can, because that's a browser's role in 2007.

Right! However, the browser has provided these primitives for years already! It is absolutely possible to find and provide better protection to users of the web sites in question *without* the user or business having a negative impact. This has been true for years, and this is a case I could prove! The phishing problem has existed for a long time already, and nothing or not much has been done in that respect by the operators of these web sites themselves! They still use simple user/pass pairs...and still put their own customers at risk! Where is their own responsibility? This is true with and without EV, with and without whatever-colored address bar!

>> It's _their_ business, _their_ profits and _their_ responsibility! Let them find _their_ own solution for _their_ own problem!
>
> They can't produce a solution without underlying security primitives in the browser.
I could get more into details here, but I'll spare you that ;-). But the obvious thing is that the very operators of the sites in question have the solution to the problem much closer at hand than anybody else! Whining that the Internet isn't secure or that browsers take the users to where they want to go (even by mistake) is simply too cheap...and a bad argument in favor of EV.
Please note that everything I said here is my personal opinion and doesn't necessarily have to be that of StartCom!
>> Digital certification is about encryption and identification on top of it...Identify a web site and its owner! This is what it does, not more and not less; even if you would paint the address bar dark blue or pink or purple, it's still the same....The solution to phishing is somewhere else, since it must prevent the user from making mistakes - something which must be solved by the affected parties! Judging from the phishing mails I receive, we are talking about a handful of web sites after all...
>
> Still, I'm not sure what you are arguing. Should we rip out SSL support altogether? After all, that would leave the field free for them to find their own solution to their own problem...
>
>> to justify the selling of over-priced digital certification
>
> If they are over-priced, then that's a business opportunity for you.
You must have some insider information, don't you ;-)

-- 
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
