Re: Quiet in the list...
IanG [EMAIL PROTECTED] writes: 4. Skype. Doesn't do email, but aside from that minor character flaw, it cracked everything else. It's the best example of what it should look like. The UI still leaves quite a lot to be desired. Try sitting a non-geek user in front of a fresh Skype install and see how long it takes them to figure out how to make a phonecall to (say) a Skype user name supplied via email. I've seen times of 15+ minutes to make the first call (OK, so I treat neighbours and family as UI guinea pigs :-). Skype still has a lot of fundamental usability flaws like the inability to remember a password (requiring it to be manually re-entered each time it's run unless you choose to start Skype on system boot) that make it a less-than-perfect example of usable security. The scary thing though is that even with all its flaws, it's still more usable than virtually all other crypto-using apps around. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quiet in the list...
Sidney Markowitz wrote: IanG wrote, On 7/9/08 2:06 AM: Then, when a new Thunderbird comes out, you load that up and the other packages cease to work As far as I recall, the last time Thunderbird had an upgrade it told me that one was available, I clicked to upgrade, and the addons, including Enigmail, continue to work. When there was an upgrade available to Enigmail, same thing. And the upgrade to GNUgpg also installed cleanly with no reconfiguration necessary. It has all been as transparent as can be. ... My experience was the same, although I needed some initial help with GPG. Since then, updates have been trouble-free. My only problem with the security model is that Thunderbird/Enigmail stores encrypted messages in encrypted form, and there is no option to store the plaintext. This use of a communications key for stored data is potentially a nuisance - a key corruption or other compromise, or just a wish to delete an old key for forward security, would cause much trouble. (I keep my mail in an encrypted container anyway, so don't need this feature.) This apart, the system runs with remarkable simplicity. Nicholas Bohm -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285(+44 1279 870285) Mobile 07715 419728(+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
More US bank silliness
In the ongoing comedy of errors that is US online banking security I've just run into another one that's good for a giggle: Go to www.wachovia.com and, without entering any credentials, click 'Login' on their unsecured logon page. You get taken to an authenticated, SSL-secured... error message page. The error message page gives you a chance to retry your logon, carefully redirecting you back to the insecure logon page. So displaying a glorified 401 requires SSL, but obtaining user credentials doesn't. (Insert standard moan about US banks here). On a semi-related topic, it'd be interesting to get some discussion about FF3 removing the FF2 SSL indicators of the padlock and (more visibly) the background colour-change for the URL bar when SSL is active and replacing it with a spoof-friendly indicator that's part of the favicon, i.e. part of the attacker-controlled content. The URL bar colouring was by far the most visible security indicator that any web browser had, the giant leap backwards of moving to a near-invisible blue border around the favicon does nothing to indicate security and is trivially spoofed by putting a blue border around the favicon. There's a bugzilla bug filed against it, https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with inevitable dups, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=431495) but there's no indication that the FF developers are interested in fixing it. From the discussion thread on bugzilla it seems the reason is that only EV certs matter so there's no point in paying much attention to non-EV certs. (Again, roll standard music about EV certs benefitting no-one but the CAs selling them). Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]