Ram A M wrote:
I think there is value in the concept but it has a major failing from a
usability perspective that falls out of data center operational
practices. How many webservers do you think a big bank has? Some folks
use SSL accelerators in front of their web-server or app-server farm,
some folks have multiple machines with independent identities as they
take a different strategy for meeting availability targets (capacity,
uptime, performance). The UI benefit of advising "you've never been
here" would disappear by the time folks noticed that they could get the
warning when it is "clearly" wrong (the tenth time they visit their
bank site and it throws the "new site" warning half the time).

This works very well when you have some other way to authenticate the
site and need only ensure that you are visiting the site again. Of
course one way to authenticate a site is to use PKI as opposed to
stand-alone PK techniques.


This is something that Julien brought up and Amir
addressed by setting the border at the CA.  As the
user identifies a particular CA as good, the security
app module accepts any cert from that CA.

https://bugzilla.mozilla.org/show_bug.cgi?id=286107#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=286107#c19

Now, this isn't as good as identifying the identity
token of the company via something solid like a cert,
but we have to live with reality.  If companies are using
multiple identity tokens with many slight differences, then
something broader may be set as an acceptable boundary
for them.

Where I would raise an eyebrow is if they are using
multiple CAs to craft these multiple identities.  If
that is the case, due to voluminous logic found
elsewhere, then they will be open for attack, IMHO.  So
I think it no big hardship to ask a big bank to at
least stick to one CA.

(Bear in mind that the bank should be centrally
controlling the identity certs anyway, as otherwise
they would be opening themselves up to insider theft
of their identity.  Also, they have a vested interest
in helping us reduce phishing, so if they see it
working, I suspect they'll be happy to help.)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
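As an added illustration (not code from the thread, nor from the Mozilla/TrustBar work it discusses), here is a small Python model of the two trust boundaries under discussion: remembering the exact server certificate a site presented versus remembering the CA the user approved for that site. Certificates are constructed stand-in records rather than parsed X.509, so it runs offline. It replays the scenario from the thread: a bank farm of several servers with independent certificates under one CA, followed by a certificate issued by a second CA.

```python
"""
Toy model of a "have I been here before?" site-identity memory, comparing
two trust boundaries for the same host:

  * "leaf": remember the exact server certificate (fingerprint); any other
    certificate for the host raises the "new site" warning.
  * "ca":   remember the issuing CA the user approved for the host; any
    certificate from that CA is accepted, a different CA still warns.

Certificates here are constructed records, not real X.509 data.
"""
from dataclasses import dataclass, field
import hashlib

FIRST_VISIT = "new-site-warning"   # never seen, or outside the trusted boundary
KNOWN = "known-site"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a server certificate (hypothetical fields)."""
    host: str          # name the site presents (CN / SAN)
    issuer: str        # issuing CA's distinguished name
    public_key: bytes  # differs per machine in a farm with independent identities

    def fingerprint(self) -> str:
        # A real client hashes the DER encoding; we hash the record's fields.
        h = hashlib.sha256()
        h.update(self.host.encode())
        h.update(self.issuer.encode())
        h.update(self.public_key)
        return h.hexdigest()


@dataclass
class SiteMemory:
    policy: str                                       # "leaf" or "ca"
    seen_leaves: dict = field(default_factory=dict)   # host -> {fingerprint}
    trusted_cas: dict = field(default_factory=dict)   # host -> {issuer DN}

    def check(self, cert: Cert) -> str:
        """Return KNOWN if the cert falls inside the remembered boundary."""
        leaves = self.seen_leaves.setdefault(cert.host, set())
        fp = cert.fingerprint()
        if fp in leaves:
            return KNOWN
        if self.policy == "ca" and cert.issuer in self.trusted_cas.get(cert.host, set()):
            # Same approved CA, different server identity: accept silently and
            # cache the leaf so later visits are an exact match.
            leaves.add(fp)
            return KNOWN
        return FIRST_VISIT

    def approve(self, cert: Cert) -> None:
        """User confirms the site after a warning; widen the memory accordingly."""
        self.seen_leaves.setdefault(cert.host, set()).add(cert.fingerprint())
        if self.policy == "ca":
            self.trusted_cas.setdefault(cert.host, set()).add(cert.issuer)


def simulate(policy: str) -> list:
    """Replay the bank-farm scenario; return the verdict of each visit."""
    host = "online.bank.example"                        # constructed host name
    farm = [Cert(host, "CN=CA One", bytes([i])) for i in range(3)]  # one CA, 3 keys
    other_ca = Cert(host, "CN=CA Two", b"\xff")         # same host, second CA

    mem = SiteMemory(policy)
    verdicts = [mem.check(farm[0])]   # first ever visit: warning is correct
    mem.approve(farm[0])              # the user confirms the site once
    verdicts.append(mem.check(farm[1]))   # load balanced to another server
    verdicts.append(mem.check(farm[2]))
    verdicts.append(mem.check(other_ca))  # a second CA should still warn
    return verdicts


if __name__ == "__main__":
    for policy in ("leaf", "ca"):
        print(f"{policy:4s}: {simulate(policy)}")
```

Under the "leaf" boundary every server in the farm re-triggers the warning after the user's one approval, which is the false-alarm problem raised at the top of the thread; under the "ca" boundary the farm is silent and only the certificate from a second CA warns, which is the behaviour the reply argues a bank can reasonably be asked to live within.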