HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
First of all, I've just updated my screenshot: http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet-v2.jpg
While you're at it, you should display all the "subject alternative names" in the cert, in addition to the "Common Name".
I came to the same conclusion, at least I hope you are referring to this kind of info:
CN = www.paypal.com
OU = Terms of use at www.verisign.com/rpa (c)00
OU = Information Systems
O = Paypal, Inc.
L = Palo Alto
ST = California
C = US
The "Common Name" is no longer considered the "right" place to contain the server's domain name. The right place is in the certificate's list of
"subject alternative names", and that list may contain multiple domain
names and/or IP addresses.
It's good to continue to display the common name, as many legacy certificates
still use that. But more and more we see modern certs that don't have the
domain name in the "common name", and hence the server's domain name doesn't
appear in that dialog. If the dialog was fixed to display subject alternate
names, that would help a lot.
It's a shame that this wasn't fixed in mozilla years ago. But PSM is an orphan. You're doing more to help PSM than has been done in a long time, and I (for one) appreciate it. I just wish your work was going into the main mozilla PSM source, rather than into an offshoot.
Well, at least we're discussing a possible solution, and who knows what happens at the end. It sure won't hurt ;)
Let's take this example: Gerv wrote in his paper that SSL History should be user accessible, but I don't agree, because what if I go to a public Internet cafe or use the Internet from some public computer in my hotel?
Someone might add the wrong validation keys, and I'll end up visiting a phony site, without being notified about my error!
Another problem is that Gerv's paper only covers SSL protected sites, but most recent phishing attacks (example: http://www.rceasy.com/paypal/ ) do not even use SSL protection, so I might still be fooled, without being notified.
/HJ
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
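The point made above, that the server's domain name must be taken from the subject alternative names and that the Common Name is only a legacy fallback, shown as an added example (not code from the thread or from MultiZilla/PSM). It works on the dict shape returned by Python's `ssl` module `getpeercert()`; the two certificate dicts are constructed sample data, and the wildcard rule follows the one-label RFC 6125 convention.

```python
# Added example: extract the names a certificate dialog should display and
# match a host name against them, SAN first, CN only when no DNS SAN exists.
import ipaddress

def _dns_match(pattern, hostname):
    """Match one SAN dNSName/CN pattern; '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # Wildcard covers exactly one label and needs at least two labels after it,
    # so "*.example.net" matches "api.example.net" but not "example.net".
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def names_in_cert(cert):
    """Return (dns_sans, ip_sans, common_names): everything the dialog should show."""
    sans = cert.get("subjectAltName", ())
    dns = [value for kind, value in sans if kind == "DNS"]
    ips = [value for kind, value in sans if kind == "IP Address"]
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return dns, ips, cns

def hostname_matches(cert, hostname):
    """True if hostname is one of the identities the certificate asserts."""
    dns, ips, cns = names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:                      # IP literals match only IP SANs
        return any(ipaddress.ip_address(ip) == addr for ip in ips)
    if dns:                                   # modern cert: SAN is authoritative
        return any(_dns_match(p, hostname) for p in dns)
    return any(_dns_match(cn, hostname) for cn in cns)   # legacy CN fallback

# Constructed sample certificates (not real PayPal or other issued certs).
LEGACY_CERT = {  # CN carries the host name, no SAN extension
    "subject": ((("countryName", "US"),), (("organizationName", "Paypal, Inc."),),
                (("commonName", "www.paypal.com"),)),
}
MODERN_CERT = {  # CN is a display string; host names live only in the SAN
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "Example Corp Web"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10")),
}
```

A dialog that showed only the CN of `MODERN_CERT` would display "Example Corp Web" and never the domain the user typed, which is the gap the thread describes.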
