Nelson B Bolyard wrote:
> In bug the reporter
> complained about how difficult it is to override bad cert errors in FF3.
> She complained because she was getting bad cert errors on EVERY https
> site she visited.  ALL the https sites she visited were apparently
> presenting self-signed certs.  The example for which she provided evidence
> was  By the time she filed the bug, she had already
> overridden the bad cert errors for all the major https sites that she
> visited with any frequency, including facebook, myspace, hotmail, her
> college's network servers, and more.  In hacker speak, she was *owned*.
> (Please discuss this here, not in that bug.)
> Despite all the additional obstacles that FF3 put in her way, and all
> the warnings about "legitimate sites will never ask you to do this",
> she persisted in overriding every error, and thus giving away most of
> her valuable passwords to her attacker.

Yep, no surprise.  FF3 tries too hard, way too hard, imho.

> None of this had triggered any suspicion in the victim.  She was merely
> upset that the browser made it so difficult for her to get to the sites
> she wanted to visit.  She was complaining about the browser.
> FF3 had utterly failed to convey to her any understanding that she was
> under attack.

I would say it slightly differently:  it was clear that in her mind,
the problem was the browser, not anything else.  This is because for
the last 14 years, and for the last 99.999% of times this has
happened, it is the browser that is stopping her (and everyone like
her) getting to the place she wanted to go.

> The mere fact that the browser provided a way to override
> the error was enough to convince her that the errors were not serious.

History provided her the confidence that the errors were browser
problems, not anything else.

Overrides didn't affect that situation.  OTOH if you had removed the
overrides she would have switched browser.  Also note, she is pretty
savvy, she compiles her own stuff it seems.

> I submit that the user received no real protection whatsoever from FF3 in
> this case.

I agree.

> KCM would not have helped.

I agree, KCM would not have helped.  In both cases, the warnings are
delivered, and the user is given the responsibility for the overrides.

> If anything, it would have reduced the pain
> of overriding those errors to the point where the victim would never have
> cried for help, and never would have learned of the attack to which she
> was a victim.

Not sure about that, but it's probably moot :)

> The question is: how can FF3+ *effectively* protect users like her from
> MITM attackers better than FF3 has already done?

It cannot.  Note the above assumption that she made:

  "there is no MITM, there cannot be an attack,
  this stupid UI is something made up by crazy
  people to annoy me."

And, to a very high confidence level, she had a good assumption.  I
think there is a Bayesian logic that explains this fallacy
somewhere, to do with what happens when the false negatives rate is
too high.

The only way any tool can protect her is if the assumption itself --
that the tool is broken -- is challenged.  She needs to learn that
there are MITMs.  (Which she has now learnt.  And, now, she will
work with the UIs ...)

Now, the broader question is about the wider public, and the wider
MITMs.  Will MITMs now become a regular enough topic to be a
suitable learning experience?  Will the wider public get a wider
lesson?  Only time will tell, and more data;  one data point doesn't
do more than tease us.  Until that time, FF3's security UI is a
skyscraper built on sand.

This is the pathological problem with MITM protection that has
existed from day 1 of SSL:  it was a solution in advance of a
problem.  Given that the solution was theoretical, and the problem
had no practical existence (until recently), the solution could
never be trialled against a real attacker.  Add in some complexity,
hello brittleness, meet shatter!

Which is to say, everything that has been done until now may have to
be re-thought ... as it moves from theoretical to practical ...
because now we face a real attacker.  Assuming her attacker becomes
common, only now can we find the right balance between overrides,
convenience and protections, and losses.

(Yes, we will face losses.  Real security is about losses.)

> Is removal of the ability to override bad certs the ONLY effective
> protection for such users?

No:  in this case, removal of the overrides will (I speculate)
convince her to switch browser.

Yes:  but only if you redesign the web to follow the principles of
security architecture  ;)

> The evolution of that UI is under discussion in bug

Nice case study!  What would be wonderful is if you could ask her to
go out and publicise her trauma.


dev-tech-crypto mailing list
