Gervase,
I just read your page, great stuff. Now, are comments
solicited for this group, a bugzilla page, or in private?
Gervase Markham wrote:
Ian G wrote:
Good, I'm glad you understand what is meant by
branding. By forcing VeriSign to brand themselves
like Virgin, they are laid bare to their trusting public.
Who knows, maybe they will surprise us all.
You expect Verisign to start taking out brand-building ads based on a
change we make to Firefox?
No, but I suppose it is an option. I'm not
interested that much in how VeriSign
respond in the market place, except
where it affects security.
And if they do, do you expect any negative publicity they may get to
trump the positive publicity from those ads, such that users have an
overall negative assessment of the company?
There will be a reckoning. I would imagine
that it would be quite a tricky campaign, but
for reasons beyond today's post, they want to
do it too.
Either way, right now, Mozilla is hiding the fact that
Verisign is being used to create relationships that
are falsely presented as trust. In fact, Firefox lies
about it by saying that the user trusts this cert and/or
provider.
The user trusts us (implicitly by downloading the software and running
it), and we trust the provider.
Trust is a very difficult word. If you were to
ask the user whether they trusted VeriSign
(as did that recent survey) then I don't think
the answers would be all that positive.
Even if you explained the above logic to the user,
and *then* asked the question, I suspect the
user will still say "no."
Do you really think users have the brain space to remember and
understand 20 different CA brands, and make judgements based on that
understanding?
Do you really think MF should purport to make the
decision that the user should trust 20 different CAs
without a choice?
Absolutely. Because of all the people who could make that decision, we
are the most qualified.
! See below.
You've really bought the Nike vision, haven't you? The brand is
all-important. :-)
LOL... I wouldn't be seen dead in a pair of Nikes ;)
No, I happen to have studied both marketing *and*
technology. I understand their relative importance,
and am capable of identifying the security within
branding. (As well as the insecurity within other
systems purporting to be secure, but are not
integrated with the users of those systems.)
Quick, how many beer brands do you
know and recognise?
Are you suggesting that CAs will be taking out television adverts like
beer brands?
(I'll answer that one in private if you like ;)
They aren't _selling_ anything to the general public.
Somebody's selling trust to the general public.
I suggest that MF figures out just who is selling
trust to the general public ... before the courts
do it for you. You identify above that MF is
asserting that it is the decider of trust. This
makes it the seller of trust (for no money, but
still...).
Personally, that's the last place in the world where
I would rather be, given that phishing is a billion
dollar per annum loss.
(The first phishing case against a non-attacker
has been launched, just this last week. Just so
you know this isn't FUD, which I know y'all think
I'm good at.
http://www.financialcryptography.com/mt/archives/000337.html
It's for real, it started last week. In the legal
community, everyone is looking at that and
thinking to themselves ... Hmmm.... Fees.... )
And this is a security question, right? Tell me why
it is that you trust Saunalahden? You do trust them,
that's what Firefox has decided. Now, why is that?
Because mozilla.org trusts them, because they've met the criteria
necessary for inclusion.
OK. Try it on some users. You do recognise that
this is an "educated answer" that has been part
of the "PKI" model for a decade, and the users
may not have actually subscribed to the notion?
(Yes, we should be running the criteria over legacy CAs.)
And we are not in a million years going to persuade users, if
they've found a product they like, to leave that shop and find it
somewhere else just because the CA has a slightly tarnished reputation.
Oh, then that's fine. No problem. The consumer has
a choice. She sees that Verisign protects Paypal. She
stays. That's at least a correct trust calculation by the
interested parties,
No, it's not. It's an "I want to use Paypal" calculation.
The only way displaying the CA brand will ever have an effect is if
users know enough about CAs and are wary enough of particular ones
that they refuse to shop with shops protected by them. This is just
not going to happen. Ever.
I'm not sure what you are saying here. If it is "branding
doesn't work" then check the Nikes. If it is that "branding
doesn't work for security" then check Volvo. If it is that
branding will never work for security and for software,
then check out what's happening to Microsoft. In short,
their brand is currently being trashed on security.
Putting logos in the UI won't even come close to generating the amount
of awareness among the general user population that you'd need.
It will, the day VeriSign issues a cert to Paypall.com ...
It will, the day Alice gets phished and there wasn't a
Comodo icon on the page then...
It will, when USERTrust issues another Paypall.com
and a thousand users start demanding that something
be done because they saw the CA change and they
want to know what's going on.
Consider this: Shmoo wasn't anything we didn't
already know. Yet it caused a firestorm. Why?
Because information only spreads about security
when someone gets hurt. Or where there is the
fear of someone getting hurt.
So, allied to all that we are seeing and saying, we
can expect nothing to change ... except when people
get hurt.
And, when it comes down to it, users just don't care enough to take
the time to acquire that level of knowledge. IE doesn't make them
learn all this stuff and make all these trust estimates. Microsoft
just says "Don't worry, we've taken care of it." We should be able to
say the same.
Look where Microsoft is right now... Their user
base is shifting under them, and because there
are no good stats and the media doesn't report
on this, we do not know how much user share
they are losing.
Why? Because of Branding and lousy security.
Why are users shifting to Firefox? Because of
good security *and* a good brand. What tips the
balance between Konqueror and Firefox? Brand
is a big part of it...
Did you buy the Firefox vision?
Brand is integral to Mozilla. All I'm suggesting
is you dish some of that medicine to VeriSign.
And Comodo, and Entrust and the rest. Yeah,
CACert had better pull up their socks too ;)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto