Ian G wrote:
I see!  Tough one.  Question of clarification - are you
saying that the status bar always displays the target
host name rather than the domain field out of the cert?
That would mean that the status bar is simply another
confirmation of the original host.

Yes, that is correct.

This does mean that users don't have to do mental URL parsing to work out what the host is (avoiding [EMAIL PROTECTED], paypal.com.54535435443454345.mysite.com, and other such URL bar spoof attempts).

Or it only displays the hostname from the URL when
there is no easy and positive match?

That would be a useful enhancement.

Either way, this opens the way to click-thru-phishing.
After the click-thru has been tricked from the user ("win
a free cruise if you try out our new certificate and get to
the magic cookie") then the security UI goes on to
confirm the domain of phisher's choice.

Could you explain in more detail how this would work?

Which means any interpolation - any advice that is
presented to the user - can be used against her /
her security.  If the status bar shows a domain name
that came from somewhere else then that can be
spoofed (in theory).

Can you imagine a scenario where (without the user having clicked through any dialogs) that indicator would be wrong? If so, file a bug, as the URL bar is similarly broken.


Above you introduce a problem with this principle:
certificates may have various mappings and manglings.

So the question arises - principle or convenience?

It's not that simple. You have to demonstrate an attack which causes the UI to be wrong - and clicking through a "Whoa! There's something wrong with your SSL connection!" dialog does not count. If the user ignores such dialogs, they have no hope.


If one were to stick to the principle then one would
have to _interpret_ the mapping.  For example, in the
above case, if you saw two subdomains then you
could display:

      <grey>mecha|<grey>rheet.mozilla.org

when you matched the URL to rheet.mozilla.org,
and:

      <grey>rheet|<grey>mecha.mozilla.org

if you matched the other domain.

Ick. It would be far better if we resolved the pipe ourselves and just displayed the correct value - i.e. the one which the checking code used when it made sure that the cert really was for the domain we are on.


That's not technically impossible - we just didn't have time to implement it before Firefox 1.0.

with no shading.  And the user might not quite
see what the hell that means, but this is the
security UI and that line is what you know, and
if the user can't work it out maybe that's because
there is a problem.

If only users thought this way, they might be more secure. But there's no way something like this can be part of a simple consumer message.


Currently the message is "check that the indicator matches the site you think you are on". It shouldn't need to be more complicated than that.

For wildcards like *.mozilla.org, I'd be inclined
to do something like one of these alternates:

* is easy - you just display the root. So *.mozilla.org would display "mozilla.org".


Are there any other options other than * and |? Which standard covers such things?

Gerv
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

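The resolution Gerv asks for above (show only the certificate name that actually matched the URL host, and the root for a wildcard), as an added example that is not code from this thread or from Firefox. It assumes that a pipe in the CN lists alternative subdomains sharing one parent domain (the thread's "mecha|rheet.mozilla.org" reading) and honours "*" only as a whole leftmost label matching exactly one label.

```python
"""Resolve which name in a certificate CN actually matched the URL host."""


def expand_cn(cn: str) -> list:
    """Expand a pipe-separated CN into full hostname patterns.

    Assumed interpretation: a piece without a dot borrows the parent
    domain of a piece that has one, so "mecha|rheet.mozilla.org" yields
    mecha.mozilla.org and rheet.mozilla.org.
    """
    pieces = [p.strip().lower() for p in cn.split("|") if p.strip()]
    parent = next((p.split(".", 1)[1] for p in pieces if "." in p), None)
    patterns = []
    for p in pieces:
        if "." not in p:
            if parent is None:
                raise ValueError(f"no parent domain for {p!r} in {cn!r}")
            p = f"{p}.{parent}"
        patterns.append(p)
    return patterns


def pattern_matches(pattern: str, host: str) -> bool:
    """Label-by-label comparison of a cert pattern against the URL host.

    '*' is honoured only as the entire leftmost label, matches exactly one
    label, and needs at least two further labels (no '*.org').  Anything
    else is compared literally, so 'f*.com' style patterns never match.
    """
    p_labels = pattern.split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def display_name(cn: str, host: str):
    """Name for the status bar, or None when the cert is not for host.

    Pipe alternatives: show only the one that matched, not the raw CN.
    Wildcards: show the root, so '*.mozilla.org' is shown as 'mozilla.org'.
    """
    for pattern in expand_cn(cn):
        if pattern_matches(pattern, host):
            return pattern[2:] if pattern.startswith("*.") else pattern
    return None


if __name__ == "__main__":
    # Constructed inputs taken from the thread's own examples.
    print(display_name("mecha|rheet.mozilla.org", "rheet.mozilla.org"))
    print(display_name("*.mozilla.org", "rheet.mozilla.org"))
    print(display_name("paypal.com", "paypal.com.54535435443454345.mysite.com"))
```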