Frank Hecker wrote:

> Nelson B wrote:
>
>> Ian,  You're the anti-phisher guy.  I would expect you to want
>> certs to contain more info to help fight phishing.  Just how does
>> a cert that contains only CN=pay.pal.com help avoid phishing?
>
> Not to speak for Ian, but it permits the basic check that Gerv recommends:
>
> http://www.gerv.net/security/stay-safe/


Ha!  I didn't know about that page... excellent,
it rounds out the Top Tips on Security on my
blog.  Added, thanks.

> assuming of course that the user can recognize that "pay.pal.com" != "paypal.com". And if they can't recognize that, I doubt very much they're going to be clicking on the lock and checking the information in the cert.


Right.  The only security for the average user is
what is displayed - and this is why the Amir&Ahmad
trustbar displays logos.  The average user can get
a very very quick security impression from a logo
of Verisign, and can ally that to a logo of Paypal,
both of which are secured by the browser.

(I'm hoping that in the interim Gervase or someone
will add the name of the CA on to that little status
bar thing.)

Has anyone looked at the new Opera browser?  I
saw the press release about their anti-phishing
SSL cert display, but I don't have a copy myself.


> So the question is, what is the purpose of the O and OU information in SSL certs? If the values of these fields are not exposed in the standard browser interface by default then it seems to me that (unlike CN) they have minimal or no relevance when it comes to protecting the security of typical users.


Right.  The obvious thing is to display them.  But
then we run into "too much information."  So what
are the essentials?

For me, the domain name and the CA (and the root
cert if more than one).

After that, a petname or a logo approach would be
fantastic, because if a user knows the site and needs
more security, she can make a small quick decision
on that basis, and she can use all the info in the cert
for that decision, if it helps.


iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/
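
As an added example (not code from this thread, from Mozilla, or from any browser), here is the "basic check" Frank refers to, reduced to code: pull the subject CN, O and OU, the dNSName SANs and the issuer CN out of a certificate's name data, then match the URL host against the certificate's names the way a client does. It goes slightly beyond the 2005 discussion in one respect: when a subjectAltName extension is present, current clients (RFC 6125) check only its dNSName entries and ignore the CN, so the example does the same. The DN strings, hostnames and the CA name are constructed sample input, and the functions (`parse_dn`, `hostname_matches`, `essentials`, `site_matches`) are this example's own, not an API from any library.

```python
"""Pull the 'essentials' out of a server certificate's identity and run the
basic hostname check.  Added example, not code from the mozilla-crypto thread
or from Mozilla; the DN strings and hostnames below are constructed sample input.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 2253-style name string ('CN=a, O=b, OU=c') into a dict.

    Backslash-escaped separators ('O=Acme\\, Inc.') are honoured.  A real
    client works on the DER Name rather than this string form, but the string
    is enough to show which attributes a certificate carries.  If an attribute
    type repeats, the first value is kept.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    attrs: Dict[str, str] = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (dNSName SAN or CN) against the URL host.

    Follows RFC 6125 section 6.4.3 in spirit: case-insensitive, label by
    label; a single '*' is accepted only as the whole left-most label, it
    matches exactly one label, and at least two literal labels must remain,
    so '*.com' is refused.  IDNA/punycode normalisation is out of scope.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


@dataclass
class Essentials:
    """What the thread proposes a browser should surface for an ordinary user."""
    names: List[str]          # identities the hostname check runs against
    ca: str                   # issuer CN, i.e. who vouched for the site
    org: Optional[str]        # subject O: informational, never part of the host check
    org_unit: Optional[str]   # subject OU: same


def essentials(subject_dn: str, issuer_dn: str,
               sans: Optional[List[str]] = None) -> Essentials:
    """Reduce subject/issuer/SAN data to the fields worth displaying.

    When a subjectAltName extension is present, the dNSName entries are the
    identities and the subject CN is ignored (RFC 6125 section 6.4.4); the CN
    is only a fallback for certificates that carry no SAN at all.
    """
    subj, iss = parse_dn(subject_dn), parse_dn(issuer_dn)
    names = list(sans) if sans else ([subj["CN"]] if "CN" in subj else [])
    return Essentials(names=names, ca=iss.get("CN", "<unknown CA>"),
                      org=subj.get("O"), org_unit=subj.get("OU"))


def site_matches(ess: Essentials, host: str) -> Optional[str]:
    """Return the certificate name that matched the URL host, or None."""
    for name in ess.names:
        if hostname_matches(name, host):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a certificate for pay.pal.com shown to a user who
    # typed paypal.com.  O and OU look reassuring but never enter the check.
    ess = essentials("CN=pay.pal.com, O=PayPal\\, Inc., OU=Payments",
                     "CN=Example Root CA, O=Example Trust Services")
    for host in ("pay.pal.com", "paypal.com"):
        print(f"{host:12} -> matched {site_matches(ess, host)!r}; "
              f"CA={ess.ca!r}; O={ess.org!r}; OU={ess.org_unit!r}")
```

Running it shows that the certificate matches the host pay.pal.com and nothing else; the O and OU values are carried along for display but play no part in the comparison, which is the precise sense in which a cert "containing only CN=pay.pal.com" still permits the check and in which O/OU do not add to it. Python's own `ssl.match_hostname` implemented the same wildcard rules before it was removed in 3.12, which is why the matcher is spelled out here rather than imported.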

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto