Ian G:
Nelson B Bolyard wrote:

Despite all the additional obstacles that FF3 put in her way, and all
the warnings about "legitimate sites will never ask you to do this",
she persisted in overriding every error, and thus giving away most of
her valuable passwords to her attacker.

Yep, no surprise.  FF3 tries too hard, way too hard, imho.

Quite the opposite... Just imagine if Firefox hadn't made it that hard and annoying: she wouldn't have filed a bug report and we wouldn't know.

I would say it slightly differently:  it was clear that in her mind,
the problem was the browser, not anything else.  This is because...

...she never saw how Firefox behaves with really secured web sites.

the last 14 years, and for the last 99.999% of times this has
happened, it is the browser that is stopping her (and everyone like
her) getting to the place she wanted to go.

If that were true, we wouldn't have the problems today! But it's not true and the browser must convince the user that something is wrong. Otherwise, not let them connect at all!

The mere fact that the browser provided a way to override
the error was enough to convince her that the errors were not serious.

Nelson: Yes

History provided her the confidence that the errors were browser
problems, not anything else.  https://paypal.com/

Paypal uses an EV certificate and wildcards are not allowed. However, Paypal could fix this by adding paypal.com to the SAN. It's their shortcoming, not that of the browser.

I submit that the user received no real protection whatsoever from FF3 in
this case.

Nelson: Only either because she was playing around with her own build and/or she never saw it functioning without being MITM'd.

If anything, it would have reduced the pain
of overriding those errors to the point where the victim would never have
cried for help, and never would have learned of the attack to which she
was a victim.

Nelson: Correct!

Not sure about that, but it's probably moot :)

Not moot at all...

The question is: how can FF3+ *effectively* protect users like her from
MITM attackers better than FF3 has already done?

Allow connecting to such sites only after modifying about:config

It cannot.  Note the above assumption that she made:

  "there is no MITM, there cannot be an attack,
  this stupid UI is something made up by crazy
  people to annoy me."

Where exactly did she say that? This is YOUR assumption, not hers.

Is removal of the ability to override bad certs the ONLY effective
protection for such users?

Nelson: Yes, require editing of about:config

Nice case study!  What would be wonderful is if you could ask her to
go out and publicise her trauma.

I did that for her: http://www.linuxtoday.com/news_story.php3?ltsn=2008-10-18-012-35-OS-CY-NT


Signer: Eddy Nigg, StartCom Ltd.
Blog:   https://blog.startcom.org
dev-tech-crypto mailing list
