> Ian Grigg wrote:
>> (Just briefly, the Certificate Authority needs to be shown.
>
> How exactly does this help the average user, who has no idea who
> "Verisign" are, and whether they should be trusted any more than
> "VirtuaRoot" (a name I just invented)?

Good question. The answer: Branding. VeriSign and other CAs would need to establish their brand with the public. Verisign would need to act like Intel or Coke or Ford and establish a brand that speaks of trust.

The problem is foisted on us somewhat by the PKI design. At the moment, any cert signed by any CA is assumed to be good by the software, but it's pretty easy to see and to show that that is a really bad assumption.

Now, if we are going to have a PKI where a CA is expected to be trusted, then that name must be known by whoever relies on that trust (the user). The alternative is that the CA never needs to stand up to the trust that the user demands, and thus is untrusted. Which is the situation we have now, in that CAs are essentially trusted in lip service only. In reality, whether they are worthy of any trust is a complete lottery, and neither should they bother to earn that trust, because nobody knows who they are anyway. So they can't be punished if they do the wrong thing.

>> Further,
>> the cert needs to be "tracked" by the browser, and a relationship built
>> up. I've suggested a usage count (100 times to this site, you must
>> like it!).
>
> That's a reasonable idea - sort of like a history for certs. But still
> can't see how you can detect and warn the user of a problem. Do you pop
> up "New secure site" every time you visit a new SSL site?

No, this isn't an active popup programme, but a passive display programme. There needs to be an area on the chrome that shows the credentials of the site. The information should be blatant and colourful - hence the ideas of branding - so that the user can then see that there are problems in the *absence* of that information.

It's a bit like if I were to sell you a can of Coke that was coloured green. I say it's Coke, but you know something's wrong coz you've always had familiar red cans. That signal should be sufficient to get the average user thinking a bit more.

( Popups are not going to help, we already know that, from the way that users click through them without understanding them. What I call _click-thru-syndrome_ leads to a fairly easy MITM, although I've only ever heard of a phish doing this once (and it worked on me :-) which makes sense, as it is much easier to just ignore SSL altogether when phishing. )

(Note how these ideas are all designed to force more websites to more blatantly show the use of SSL!)

>> Amir and Ahmad have suggested that the user sign off on
>> the cert and even coded it up,
>
> Again, how on earth do you get the user to make a meaningful decision here?

Oh, this part is clear - it's based on the fact that the user went to the site on their own volition in order to open an account. They typed in the URL, hopefully from some safe place. They have already made a meaningful decision about their bank; all the browser needs to do is relate that decision back to the right site, time and time again.

The essence of phishing is to attack an already existing relationship - your account with Citibank, for example. It already exists, it's got money in it, and the phisher wants it. The essence of the defence is to surface the existing relationship, preferably right back to the start where it is of no value, so that going forward, as you build up your account into something worth money, the browser shows you each time that you are with the same account (by using the certs to enable the Coke can factor).

>> while Tyler has suggested the use of
>> petnames for the user's idea of what each site is.
>
> We have that - it's called bookmark keywords.

Ah. That's a very good point. It's half way there! Bookmarks take a user to her site. Once there, they disappear in relevance. The petnames suggestion is that the name that the user labelled their bookmark with would be displayed on the chrome, quite prominently.

Right now, the only user cue is the favicon, and that perversely can be forged however you want (see my silly forged padlock on http://iang.org/ssl/ for an example). The essence is to provide a *lot* of prominent info so that the user's brain is tweaked when she is on a site without the display. Hence the idea that Verisign's logo should be on the chrome, as well as Citibank's. Also the petname, the count, and whatever else we can think of. Getting back to the bookmarks, if the keyword were to appear on the chrome, that would be it!

Yes, it would be a lot of extra stuff; but given the SSL signal - this site is important - and the amount of money being lost to phishing, then a fairly big change to the way browsers think about user interfaces is indicated. Luckily, for all its flaws, the certificates in the browser make a perfect base for tracking site relationships. Without that, it would be a lost cause.

iang

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
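A small model of the passive display the message argues for (petname, CA brand and usage count keyed off the cert the relationship was built with), written here as an added example and not code from the thread or from Mozilla. It assumes a simplified view of what a browser sees per page load: the host, the leaf cert's fingerprint and the issuer's name; the host names and fingerprints in the comments are constructed.

```python
from dataclasses import dataclass


@dataclass
class Relationship:
    ca_name: str        # issuer name to paint as the CA's "brand" on the chrome
    fingerprint: str    # leaf cert the relationship was first built with
    visits: int         # usage count ("100 times to this site, you must like it!")


class SiteTracker:
    """Per-host memory of which cert a user has been talking to, and how often."""

    def __init__(self):
        self._sites = {}     # host -> Relationship
        self._petnames = {}  # host -> user-chosen label (the bookmark keyword idea)

    def set_petname(self, host, petname):
        self._petnames[host] = petname

    def _display(self, host, status, rel, ca=None):
        # What the chrome would show: petname, CA name, count, plus a status the
        # UI maps to colour. Empty fields are the "absence" cue, not a popup.
        return {"status": status, "petname": self._petnames.get(host),
                "ca": ca, "visits": rel.visits if rel else 0}

    def visit(self, host, fingerprint=None, ca_name=None):
        """Record one page load (e.g. host "bank.example") and return the display."""
        rel = self._sites.get(host)
        if fingerprint is None:
            # Plain HTTP: no credentials at all. The petname still shows, so a
            # known site arriving without its usual cert stands out.
            return self._display(host, "no-ssl", rel)
        if rel is None:
            # First secure visit: start the relationship; nothing to compare yet.
            rel = self._sites[host] = Relationship(ca_name, fingerprint, 1)
            return self._display(host, "new", rel, ca_name)
        if rel.fingerprint != fingerprint:
            if rel.ca_name == ca_name:
                # Same issuer, new leaf: ordinary renewal. Carry the count over.
                rel.fingerprint = fingerprint
                rel.visits += 1
                return self._display(host, "renewed", rel, ca_name)
            # Different issuer from the one the relationship was built with: the
            # green Coke can. Leave the stored record alone and let the UI flag it.
            return self._display(host, "changed", rel, ca_name)
        rel.visits += 1
        return self._display(host, "known", rel, ca_name)
```

The "changed" status is a cue for the user rather than a block, matching the passive-display idea; a real implementation would also need to persist the store and cope with hosts that legitimately rotate between issuers.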
