Nelson B wrote:
Ian G wrote:
Good, I'm glad you understand what is meant by
branding. By forcing VeriSign to brand themselves
like Virgin, they are laid bare to their trusting public.
Who knows, maybe they will surprise us all.
By now you've read that this branding idea was actually implemented,
at least partially, for a limited set of CAs, in the old
Netscape 4.x browsers. The Netscape security managers wanted
the users to know that it was the CA, and not Netscape, that
was vouching for the authenticity of the site. It didn't go
very far due to a tight screen real-estate market.
OK, thanks for the confirmation. I wonder
if those discussions are anywhere around?
Either way, right now, Mozilla is hiding the fact that
Verisign is being used to create relationships that
are falsely presented as trust. In fact, Firefox lies
about it by saying that the user trusts this cert and/or
provider.
When you run a program, you are trusting it. You may have no idea
what's in it, or what it does, but when you turn it loose on your
computer, you surely are trusting it. It may be trustworthy,
or it may abuse your trust, but you're trusting it.
Mozilla lets you decide to stop trusting parts of it (e.g. certs
that were marked trusted by default). When you turn off the trust
flags on some certs, you're trusting mozilla to honor your settings.
I think the most accurate statement you could make in response to
a mozilla dialog about you trusting a cert is "oh, I didn't *know*
I was trusting *that* cert". But until you change it, you are
trusting it. It's part of the software that you trusted on your
computer.
I understand the rationale. My point is that
this is what "you/we the developer community"
says. The hop, skip and jump from "I trust the
program" to "I trust the root list" and then to
"I trust that CA" and finally landing on "I trust
that site" is not an easy one.
Whether the user accepts the leap is a completely
open question. One may say that it's been ten
years, so we can assume they do. I would say,
no, the question never got tested (indeed, the
A&A paper tests it and there is no support there.)
Now it has been tested - phishing. The users
will reject anything that allows them to be
phished. And, likely, the law and the courts
will go with the users on this one (I can't explain
why I think that in less than the length of a
legal brief ... Be warned, I have an LLB from
Grisham ;-)
I'd say that the logic is a bit of an Achilles Heel
(for all browser manufacturers). Think what a
lawyer would do if he was running against this
logic ... especially if he had the Netscape Security
viewpoint to guide him?
What I'm suggesting is that the truth be revealed to
the users: Verisign is the one who made the relationship,
and that should be on the chrome.
Lots of former Netscape security people agree with you, I think,
including yours truly. Maybe you can succeed in fighting the
chrome real-estate battles. In my view, the people who are the
controllers of the chrome real-estate have historically not viewed
the security info as worth the space. Maybe now they'll change
their view, but it won't be easy. And few of them participate here.
Thanks for that! Things have now changed,
the UI argument I believe to have been quite
valid back in those days, because there was
no attack. These days, we have attacks.
So where do the "controllers of the chrome
real-estate" hang out?
And while we are on that subject, who or what
is the security team / security director for
Mozilla? Who would coordinate a security
bug of this broad a nature?
...
[great story snipped]
I thought this actually made a pretty good case for removing altogether
the ability to override security errors.
I think that would be a big mistake. You see,
that guy needed to learn. He was going to
do damage to himself, and no amount of
security would have protected him. Even
if you removed all the security stuff, he still
would have (and did, right?) loaded up the
other browser and happily shot himself in
the foot.
So whatever happens, your fix for tightening
up security is not going to save him, in all
probability. That means it will do no good!
But, as tight security *always* causes costs,
that change would have created costs that
everyone else would have to have borne. For
there on after...
So tightening up security because of one dumb
ass results in lots of damage to Mozilla users
and no good whatsoever. Not a good thing...
I think that if the browser is going to continue to let the user
override security errors, then when the user does so, it should tell
the user in no uncertain terms that the user has overridden security,
and that the user will have NO security thereafter, and should turn
off the lock to make the point.
The reason it doesn't do these things is
because whenever these things get coded
in, people start switching to other tools.
Those sort of checks are just too much and
too costly.
Users need to learn. They need to hurt
themselves, it's part of growing up. A
world in which a child cannot scrape their
knee in the playground is a world in which
adults have poor abilities to deal with risk
and reward.
Right now, the reason VeriSign doesn't care is because
the users don't know who they are. Once users know
who Verisign is, I think they'll have a chance to show
how much they want to care about security ;-)
Hmmm. I think Bob already explained this, but ... it was Verisign
who led the way requesting branding logos in Communicator 4.x.
Right. Here's how they get to double their
revenues, it's no surprise that they want this
as well: http://iang.org/ssl/VeriCola.html
So literally, I don't waste much time pushing
this issue. I know they want it, security wants
it and users want something to stop being
phished. Everyone wants this, the question
is how to get it????
Really, stop all the Verisign bashing. It doesn't enhance your
credibility. Especially when history contradicts your hypothesis.
LOL... my credibility has already been sacrificed!
If VeriSign can help with security and especially
phishing then that's reason to care, but they,
like I, are apparently stymied by the real estate
issue.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/