Bernie Sumption wrote:
If we create an error display that says "No kidding, this absolutely
is an attack and we're stopping you cold to protect you from it."
it seems unavoidable that users will learn to treat the absence
of such an unbypassable error display as proof to the contrary,
proof that the site is genuine and verified.

Do we want to train them that way?

I don't think that this is an issue. I believe most users likely never
see a MITM attack in their browsing carer - indeed this rarity of real
MITM attacks is the reason why real attacks are interpreted as false
positives, it's just the most likely explanation for a cert error
screen.
I think this has been historically true... even though we know there are holes in DNS, the ability to generally exploit those holes have been difficult. That is no longer the case in the wireless world.

The NSS team has been worried about this kind of attack for a while, which is why we pushed for changes in the UI. In some sense the bug report we saw spoke to a partial success. The UI was annoying enough the user wrote a bug about the problem, allowing the user to find out that they were potentially hacked. With our old UI, the user would have dismissed the warning dialog and proceeded. We know from experience users train themselves to dismiss those dialogs without even seeing them. In that case no bug would have been written up. Where the new UI failed was the user was able to proceed without the sophistication needed to evaluate that she was being attacked.

These attacks are easy to produce, and with a large number of mobile, wireless devices out there (including laptops), potentially profitable. I think if we don't take steps to protect the user, like was done in FF 3, the rate of these attacks will likely increase.

bob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to