Gervase Markham <g...@mozilla.org> writes:

>It depends what alternative configuration-free idiot-proof secure
>communications technology you have invented in your fantasy world to take its
>place.

Are you really trying to claim that the sad farce that is current browser PKI is absolutely the very best that browser vendors can do in terms of protecting users online?

>Whatever the disadvantages of the current system, it must be recognised that
>it provides the ability for every single Internet user to have their
>communications with any website that opts-in encrypted on the wire without
>them having to do, know or configure _anything_. That's huge.

So would straight anon-DH. In fact it's interesting to compare the two: Anon-DH provides encryption on the wire, as does browser PKI. Anon-DH has no effect on phishing, but then neither does browser PKI. The one thing that anon-DH doesn't handle is MITM while browser PKI often does, but then again anon-DH allows automatic, transparent crypto everywhere without having to mess around with certificates while browser PKI requires it, so let's call that one a draw depending on which one you consider more important.

In terms of "configuration-free idiot-proof secure communications technology", the answer is "pretty much anything but browser PKI". Skype, WhatsApp, Signal, Silent Circle (just off the top of my head, I can google several pages worth of others if you like) all do a pretty good job of providing secure, mutually authenticated communications (which browser PKI still can't do thanks to the failure to launch of client certs) without needing any PKI. Just for one single example, WhatsApp, about a billion or so nontechnical users have no problems with secure communications.

Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
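An added illustration of the anon-DH point made in the message above (example code, not part of the thread): an unauthenticated Diffie-Hellman exchange gives both parties an encrypted channel, but an attacker relaying the public values ends up holding both session keys; comparing a fingerprint of the exchanged public values out of band (the approach messaging apps take instead of a CA hierarchy) exposes the substitution. The prime 2^127-1 and generator 5 are toy parameters chosen for a short demo, not a real DH group.

```python
import hashlib
import secrets

# Toy DH parameters (constructed for illustration only; far too small for real use).
P = (1 << 127) - 1   # a Mersenne prime
G = 5


def keypair():
    """Ephemeral DH key: private exponent and public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Session key derived from the DH shared secret; values fit in 16 bytes since P < 2^127."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def fingerprint(own_pub, peer_pub):
    """Order-independent digest of the two public values each side saw, to be compared out of band."""
    data = b"".join(x.to_bytes(16, "big") for x in sorted((own_pub, peer_pub)))
    return hashlib.sha256(data).hexdigest()[:16]


def run_exchange(mitm=False):
    """Run anon-DH between Alice and Bob; with mitm=True an attacker replaces both public values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()          # attacker key, only used when relaying
    alice_recv, bob_recv = (m_pub, m_pub) if mitm else (b_pub, a_pub)
    alice_key = shared_key(a_priv, alice_recv)
    bob_key = shared_key(b_priv, bob_recv)
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        # Keys the attacker can compute from the values actually sent to them.
        "attacker_keys": (shared_key(m_priv, a_pub), shared_key(m_priv, b_pub)),
        # Each side's view of the exchange; a mismatch means someone sat in the middle.
        "alice_fp": fingerprint(a_pub, alice_recv),
        "bob_fp": fingerprint(b_pub, bob_recv),
    }


if __name__ == "__main__":
    honest, attacked = run_exchange(), run_exchange(mitm=True)
    print("honest: same key", honest["alice_key"] == honest["bob_key"],
          "fingerprints match", honest["alice_fp"] == honest["bob_fp"])
    print("mitm:   same key", attacked["alice_key"] == attacked["bob_key"],
          "attacker holds both", attacked["attacker_keys"] == (attacked["alice_key"], attacked["bob_key"]),
          "fingerprints match", attacked["alice_fp"] == attacked["bob_fp"])
```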