Tyler Close wrote:
> So where are we? Do you agree about giving up on the brain-in-a-vat
> scenario? If not, do you think you have a solution? Outside the
> brain-in-a-vat scenario, do you see the value of petnames and
> fingerprints, or is more discussion needed?
My comments relate specifically to the idea that changing the lock or other mechanisms will actually prove anything beyond lowest-common-denominator attacks, while coming off as protecting the user more, when in fact it just instils a greater sense of false security in some respects... Already people are completely misinformed as to what is being protected against, and I can only see this leading to more confusion... At the end of the day it's not clear what's being made "secure"; in reality the only thing being focused on is preventing phishing attacks, and claims are made that this will make browsing "more secure", but it will only make one minor aspect better... As I keep saying, "If I were a Chinese dissident I sure as hell wouldn't be protecting myself with SSL, I only trust it as far as my credit card numbers go", which is a real shame since the code is so widely deployed and easy to use in apps...

I see the phishing problem the same as the spam problem (while in one respect they're the same thing). If you start building nuclear warheads they start building more of them and quicker, and so the arms race begins. Then you start getting innocent bystanders annoyed because you've screwed up their browsing experience in unforeseen ways, and end up losing market share.

What needs to happen, sooner rather than later, is what AOL did with ICQ: a power user version and a lite version and an easy way to switch between the two, rather than a one-size-fits-all... Unless the switching interface is implemented before the Joe Schmuck interface, you will be skiing uphill and ticking off the power users in the process...

If you wonder why Mozilla products aren't used more widely, try distributing a custom root cert across an enterprise. MANY MANY enterprises and universities run their own CA, and this is a big show stopper...
--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
