Tyler Close wrote:
It won't be fooled, it will correctly record the SSL identity of the
spoof site. When you later connect using DNS information that is not
poisoned,

How do you know that will ever happen?

If I can introduce a new URL scheme, such as httpsy, I think I can
improve upon this solution. Is it possible to add a new protocol to
Firefox using an extension?

I don't know, I'm afraid.

With the petname tool by itself, I am not trying to replace the trust
model. I'm only trying to make the existing model work better, by
protecting against phishing attacks.

I see. Others appear to be pushing it as a replacement for trusting CAs.

I personally don't agree that your solution is workable, and for a
change of that magnitude, I'm not the person you'd need to convince.

Could you be more specific? Is the petname tool by itself a change of
magnitude?

A new tool_bar_ certainly would be.

Do you think the petname tool is not a workable
anti-phishing mechanism? If so, could you explain why?

My issues with the petname idea, as currently implemented, are documented elsewhere. See http://www.gerv.net/security/ - in one of the relevant documents.


It's possible that a version of petnames which was closely integrated with the bookmark shortcut mechanism might work. I'd need to think about it more.

Who do I need to convince that adding the petname tool to Firefox is a
good idea? In what forum do I make my case?

You'd need to convince Ben Goodger, the UI czar.

I don't know a lot about the bad guys, but as a potential victim, it
looks to me like the bad guys have not really tried to acquire SSL
certificates under false credentials. It looks like they've found
easier ways to subvert the current "secure" web browsing UI. The
recent white papers indicate that once the bad guys do try to acquire
SSL certificates with false credentials, they will have an easy time
of it. We should be working ahead of the bad guys, not waiting to play
catch-up.

We are. I hope and plan that acquiring SSL certs (that users are told are safe for e-commerce) under false credentials should get harder over time.


Gerv
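As an added illustration (not code from this thread or from the petname tool itself), a minimal trust-on-first-use petname store run through the poisoned-first-visit scenario discussed above. The certificate bytes and the petname "my bank" are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PetnameStore:
    """Binds a user-chosen petname to the first certificate identity seen
    for it (trust on first use) and compares on every later visit."""
    bindings: Dict[str, str] = field(default_factory=dict)  # petname -> fingerprint

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the certificate bytes stands in for "the SSL identity".
        return hashlib.sha256(cert_der).hexdigest()

    def visit(self, petname: str, cert_der: bytes) -> str:
        """'recorded' on first use, 'match' if unchanged, 'MISMATCH' if the
        petname now points at a different certificate identity."""
        fp = self.fingerprint(cert_der)
        seen = self.bindings.get(petname)
        if seen is None:
            self.bindings[petname] = fp
            return "recorded"
        return "match" if seen == fp else "MISMATCH"


# Constructed placeholder certificates (not real DER).
BANK_CERT = b"constructed-der:legitimate-bank"
SPOOF_CERT = b"constructed-der:spoof-site"


def poisoned_first_visit() -> List[str]:
    """DNS is poisoned on the first visit, so the petname is bound to the
    spoof site's identity; later poisoned visits look fine, and only an
    unpoisoned connection to the real site surfaces a mismatch."""
    store = PetnameStore()
    return [
        store.visit("my bank", SPOOF_CERT),  # records the spoof identity
        store.visit("my bank", SPOOF_CERT),  # still poisoned: no warning
        store.visit("my bank", BANK_CERT),   # unpoisoned: MISMATCH
    ]


def clean_first_visit() -> List[str]:
    """First visit reaches the real site; a later spoof is flagged."""
    store = PetnameStore()
    return [store.visit("my bank", BANK_CERT), store.visit("my bank", SPOOF_CERT)]
```

The two scenarios produce the same "MISMATCH" signal, which is the limitation under discussion: the store can tell that the identity changed, not which of the two identities was the legitimate one.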
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto