OK, so MAJOR point #1:  The meaning of the padlock.

> 2. Acknowledge the typical user's expectation that the display of a
> padlock is something associated primarily with e-commerce or financial
> sites, and basically means "it's safe for you to enter sensitive
> financial or other personal information on this page".

I feel this is uncertain.  Here are some reasons why
I feel short of subscribing to this:

  a.  There is very little documentary evidence of
      that meaning, or indeed of any others.

  b.  There is widespread disagreement among communities,
      with the crypto side thinking it means TLS in
      place, and the cert sales people saying "read
      our CP/CPS."

  c.  There is evidence that users ignore the padlock
      completely when entering sensitive info.  This
      evidence is substantial:  phishing is almost
      totally non-padlock based or padlock-spoofed.

  d.  The CAs do not subscribe to that meaning, as
      evidenced by the fact that almost all CAs supply
      certs without checking 'fitness-for-purpose'.

  e.  From security model terms, the meaning has no
      founding, as the value of "safe" changes from
      user to user and from event to event.  You can't
      say something is safe unless you can tie it down
      to contexts and values.

  f.  There is no research to confirm this as a meaning.

  g.  The history of the padlock does not agree.  When
      it originally started, it was a key, with one tooth
      for 40 bits and 2 teeth for 128 bits.  This meant
      that it was safe from eavesdroppers, according to
      some cryptorebel measure.  But, safety for entering
      personal details wasn't what the teethy folks were
      thinking.  Then it changed to be a padlock, so we
      probably have to go back and ask what the padlock
      inventors thought it meant.

I'm sure there may be others, for the case for and against.

But the key point here would be that I would see it as
very difficult to rely on that meaning.

( Now, it may be that Mozilla as a community says "ok, so
the meaning wasn't clear, sorry about that, now we are
going to make it clear, and here's what it means!"  Sure,
but that's a whole other ball game. )

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
