Steffen Schulz wrote:
> On 081018 at 20:30, Nelson B Bolyard wrote:
>> FF3 had utterly failed to convey to her any understanding that she was
>> under attack.  The mere fact that the browser provided a way to override
>> the error was enough to convince her that the errors were not serious.
> I find it amazing that someone shows this level of ignorance but then
> manages to file a bugreport... :-)

And ... reformat drive, play with compilers, flags, build own
browser, switch between versions, bum off others' wireless, maintain
a login at bugzilla, make a near-perfect bug report ...

This is not your average end-user.  I'll bet you a dime to a dollar
she knew precisely what the certificates are for.  The general
excuse of "users are stupid" isn't going to work this time :)

>> The question is: how can FF3+ *effectively* protect users like her from
>> MITM attackers better than FF3 has already done?
> Personally, I like the idea of a 'safe mode' in the browser. Safe-mode
> is very visible, provides limited scripting and https-only to a defined
> set of sites. If mom wants to go banking, she's been told she has to
> activate safe-mode. Otherwise banking is insecure.

I have thought about that too, and I don't think it is going to work
for the general users.  Originally I thought it would, but I think
we have crossed that Rubicon already.

I run NoScript which cuts away about 95% of the crap on most sites,
and actually makes FF run nicely, because it isn't struggling under
all that javascript crap.  (It is worth it for that alone.)

However, it breaks a lot of ecommerce sites that use credit cards.
Three times now I've found that certain (big) ecommerce sites that
use credit cards totally break in the actual payment phase.  I have
to close the browser, restart, retype in the transaction from
scratch, and use the nuclear button on NoScript:

   Allow scripts *Globally* (Dangerous!)

before the transaction goes live.  Then it goes through.

I don't know what these sites are doing, but this is far too
regular.  And, NoScript is as good as it gets atm (so I am told,
opinions welcome).

> It is some action that the user initiates, she tells the program when
> some critical operation starts and ends. If she has to exit safe-mode
> to go to a bank then that is a very obvious decision to test her luck.

This unfortunately will be the case, and too many times.  I have to
permit all scripting for my online bank.  What is the combined sum
of these messages:

   Bank uses scripting,
   NoScript turns off scripting because it is dangerous,
   User has to turn off NoScript ?

We have a mess.  Users have a right to be confused if this is forced
on them...

>> Is removal of the ability to override bad certs the ONLY effective
>> protection for such users?
> No. Vista/IE7 seems to ship with various scripting deactivated by
> default. So what happens? The page worked before, now it doesn't.
> Thats clearly a problem of the stupid new computer. So we ask the
> neighbour's kid to solve this and everything 'works'...

Right.  That's reality.

> I do though would like some sane alternative for people who are aware
> of the certificate stuff. The possibility to chose Yes/No/Ignore with
> one click and to optionally display certiciate details plus KCM info
> instead of a verbose warning.

I would definately like to see the KCM deployed.  Both of KCM and
the CA-pki model work well enough when nothing is happening;  now
stuff is happening, and we need more.  Use every tool we can,
hopefully they can work together.

Other than that, I would like to figure out a nice story that says
"use Firefox for all your general browsing ... but use XXXX for your
online bank".  I just don't know what XXXX is.

I liked the google Chrome approach of separate VMs for each
tab/page.  There are definate limits to how we can expect a general
user app like Firefox to firewall itself with "quality code" without
general overflow protection ... putting hard boundaries around the
virtual site within the browser is a very good idea, I think.

Some people maintain separate Firefox installs.  I've tried using
"fast user switching" in MacOSX.  But these are too hard to expect
ordinary users to follow them.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

dev-tech-crypto mailing list

Reply via email to