Ian G wrote:
Good, I'm glad you understand what is meant by branding. By forcing VeriSign to brand themselves like Virgin, they are laid bare to their trusting public. Who knows, maybe they will surprise us all.
By now you've read that this branding idea was actually implemented, at least partially, for a limited set of CAs, in the old Netscape 4.x browsers. The Netscape security managers wanted the users to know that it was the CA, and not Netscape, that was vouching for the authenticity of the site. It didn't go very far due to a tight screen real-estate market.
Either way, right now, Mozilla is hiding the fact that Verisign is being used to create relationships that are falsely presented as trust. In fact, Firefox lies about it by saying that the user trusts this cert and/or provider.
When you run a program, you are trusting it. You may have no idea what's in it, or what it does, but when you turn it loose on your computer, you surely are trusting it. It may be trustworthy, or it may abuse your trust, but you're trusting it.
Mozilla lets you decide to stop trusting parts of it (e.g. certs that were marked trusted by default). When you turn off the trust flags on some certs, you're trusting mozilla to honor your settings.
I think the most accurate statement you could make in response to a mozilla dialog about you trusting a cert is "oh, I didn't *know* I was trusting *that* cert". But until you change it, you are trusting it. It's part of the software that you trusted on your computer.
What I'm suggesting is that the truth be revealed to the users: Verisign is the one who made the relationship, and that should be on the chrome.
Lots of former Netscape security people agree with you, I think, including yours truly. Maybe you can succeed in fighting the chrome real-estate battles. In my view, the people who are the controllers of the chrome real-estate have historically not viewed the security info as worth the space. Maybe now they'll change their view, but it won't be easy. And few of them participate here.
Also, even if they do, they have no choice. A particular shop is only protected by a cert from one company. It's trust that company, or shop somewhere else. Those are the only options.
No they're not. (well, maybe in FF, which I don't use.) In seamonkey 1.x, when I visit a web site with a cert from an unknown or untrusted issuer, I get a big dialog that gives me the choice of trusting that specific server's cert, even though the issuer is (and remains) untrusted. Now, *I* generally choose not to override this. But users have this choice.
And we are not in a million years going to persuade users, if they've found a product they like, to leave that shop and find it somewhere else just because the CA has a slightly tarnished reputation.
Or even if the CA has no reputation at all, and is invalid. I remember back in early 2000 reading a LONG blue rant from a user who had found a web site that offered absurdly low prices on something he wanted. When he went to "check out", his browser alerted him to many problems with the cert: name didn't match, invalid signature, unknown issuer, and some other things I don't now recall. All of these things should have been setting off alarm bells in his head, but he was determined to get those low prices. His browser let him override all of those issues, except one. He was FURIOUS! How dare the browser get in the way of his shopping happiness! But he showed us! He went and fired up another browser and got past all the warnings (just one from that other browser) and entered his credit card info! I never heard from him again. I'd bet that he ended up reporting his credit card "lost or stolen" some time later when he discovered that his card number had somehow gotten into the hands of the bad guys. I'll bet he never got the merchandise that he ordered, either.
I thought this actually made a pretty good case for removing altogether the ability to override security errors.
I think that if the browser is going to continue to let the user override security errors, then when the user does so, it should tell the user in no uncertain terms that the user has overridden security, and that the user will have NO security thereafter, and should turn off the lock to make the point.
Right now, the reason VeriSign doesn't care is because the users don't know who they are. Once users know who Verisign is, I think they'll have a chance to show how much they want to care about security ;-)
Hmmm. I think Bob already explained this, but ... it was Verisign who led the way requesting branding logos in Communicator 4.x.
Really, stop all the Verisign bashing. It doesn't enhance your credibility. Especially when history contradicts your hypothesis.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
