Hi Heikki,

On 6/13/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Me and a few others have expressed some doubts about getting petnames
> into the default Mozilla installation.

In that email, you prefaced your comments with the admission that you hadn't actually used the petname tool yet. I was holding off on commenting since I've found that actual use clears up many questions. I'll make some rebuttals here, but I really think you should just try using the tool. Like you've asked, I wrote the code. It's your job to run the code now.

> It makes a fine optional
> extension for security conscious people who are diligent enough to use
> it,

I think the "lazy user" argument is a seductively easy one to make, but is dubious. Remember that we're talking about people's bank accounts. It's *their* money. People have a real and quantifiable need to protect their money. All the petname tool asks is the one-time entry of a few text characters. The cost of entering those characters pales in comparison to the value of the bank account.

Further compare the cost of entering a petname to the cost of establishing an online account. The user typically must choose a username and passphrase and complete multiple pages of preferences / demographic information. Adding entry of a petname to this task list is a negligible increase.

We can also compare the workload of the petname tool to that of other browser navigation tools. Use of the petname tool is very comparable to bookmarks. Are you going to argue that bookmarks are too hard to use?

Finally, the workload of using the petname tool must be evaluated not in isolation, but relative to other anti-phishing tools. The petname tool is much easier to use than the current "Location tool". To guard against phishing, the user must carefully examine each character in the domain name shown in the "Location tool", on each page transition. With the petname tool, the user need only glance at the displayed petname, since a homograph attack is impossible. The per-page-view use costs of the "Location tool" are ridiculously high compared to the petname tool. The per-page-view use costs are the expensive ones.

In conclusion, the petname tool is easier to use than the existing Firefox anti-phishing tools and provides stronger protection. When compared to the protected assets, the cost of using the petname tool is trivial.

> and are willing to pay for the chrome real estate it takes.

I don't understand this complaint. The petname tool is *tiny*. It's just a text field.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
