I was thinking through possible attack scenarios against this proposed UI and came up with a dangerous one:
You are filling out a form in a page served by a site certified by Verisign. You hit the submit button. Your HTTPS connection has timed out, so the browser initiates a new HTTPS connection. This time, the phisher intercepts the connection attempt and responds with a self-signed certificate. The browser does not warn, but the lock icons disappear. It is unfortunately too late though, the form POST has already been sent.

The check on the site's cryptographic identity really has to happen at connection time, before any data is sent. If the provided cryptographic identity cannot be immediately correlated to the pending request, a warning really must be issued.

Getting rid of the modal warning dialog presented for an https:// connection with an unknown CA will be rather tricky. Perhaps https:// is just too closely bound to the public CA model.

Even if this turns out to be the case, extensions like the petname tool and the trustbar are still useful for detecting phishing. They might not help with CA-list expansion though. A new URL scheme, like httpsy://, might be required for that task.

Tyler

On 4/21/05, Tyler Close <[EMAIL PROTECTED]> wrote:
> Hi Kyle,
>
> Welcome to the list.
>
> On 4/21/05, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> > [Note: I joined the list very late in the game, and didn't see the
> > original message. This is my reaction to seeing it now, and my
> > thoughts on the concepts involved -- please feel free to bring me
> > in-line with the actual objectives.]
>
> Unfortunately, you have mistaken the actual request.
>
> Currently, when you visit an SSL web site that presents a certificate
> signed by an unknown CA, Firefox presents a modal dialog box, alerting
> you to a possible attack. If you accept the certificate for the
> current session, Firefox displays the site as a normal SSL site, with
> the lock icon and domain name in the status bar, and a lock icon and
> yellow background in the location bar.
>
> I would like this UI changed so that no alert is presented, but
> neither are the lock icons, nor the domain name, nor the yellow
> background. Essentially, the UI would look just like it does when you
> visit an HTTP site, instead of an HTTPS site. The UI would not claim
> that the page is in any way certified, but also wouldn't flag it as a
> possible attack.
>
> With this neutral UI, we can then extend Firefox with new
> accreditation mechanisms, such as the petname tool. See:
>
> http://petname.mozdev.org/
>
> Tyler
>
> --
> The web-calculus is the union of REST and capability-based security:
> http://www.waterken.com/dev/Web/
>
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
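
The reconnect scenario in the message above, as an added example that is not part of the original thread or of any browser's code: a model of a client that correlates the certificate presented on a new connection with the one that served the form, and refuses before any request bytes are written. The names PresentedCert, FormSession and IdentityMismatch are hypothetical, the certificate bytes are constructed placeholders, and path validation is reduced to a boolean.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class PresentedCert:
    der: bytes                  # constructed placeholder bytes, not a real certificate
    chains_to_trusted_ca: bool  # assumed result of path validation for the requested host

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class IdentityMismatch(Exception):
    """Raised before any request bytes are written; the UI would warn here."""


@dataclass
class FormSession:
    page_cert: PresentedCert    # identity of the connection that served the form
    sent: List[Tuple[str, bytes]] = field(default_factory=list)

    def submit(self, handshake: Callable[[], PresentedCert], body: bytes) -> str:
        cert = handshake()      # the new connection's handshake completes first
        if cert.chains_to_trusted_ca:
            pass                # CA-verified for this host: a renewed cert is acceptable
        elif self.page_cert.chains_to_trusted_ca:
            raise IdentityMismatch("CA-verified page, unverified certificate on reconnect")
        elif cert.fingerprint != self.page_cert.fingerprint:
            raise IdentityMismatch("unverified certificate differs from the page's")
        self.sent.append((cert.fingerprint, body))  # only now is the POST written
        return cert.fingerprint


def demo() -> dict:
    ca_cert = PresentedCert(b"constructed: CA-issued cert", True)
    rogue = PresentedCert(b"constructed: self-signed substitute", False)
    session = FormSession(page_cert=ca_cert)
    try:
        session.submit(lambda: rogue, b"user=alice&pw=example")
        blocked = False
    except IdentityMismatch:
        blocked = True
    return {"blocked": blocked, "bytes_sent": len(session.sent)}


if __name__ == "__main__":
    print(demo())
```

A page served under a self-signed certificate can still submit over a reconnect that presents the same certificate, which is the neutral-UI case from the quoted proposal; only an identity that cannot be correlated to the pending request is stopped.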
