Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Ian G wrote:
It's an americanism as far as I know.  You sometimes
see it in the Caribbean, but that would be a sign
that they were trying to appeal to americans, which
is actually a red flag (probably a scam).
I was making the general point - company names are not unique, and CAs 
don't attempt to enforce uniqueness.

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Peter Gutmann]

Ian G <[EMAIL PROTECTED]> writes:

>In Firefox 1.0, when the SSL connection is established
>without any problems, Firefox puts the domain name from
>the cert in the bottom right of the status bar (great!).

Having grumbled previously about UI issues, I must say that that's a nice
feature to have.  As Ian says, more, more!

Peter.
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

Gervase Markham wrote:
> Ram A M wrote:
> > 1 One vector site-spoof attacks rely on is hiding the true domain
name.
>
> True - so users should make sure they are certain of the true domain
> before interacting with a site. If they can't be sure, they shouldn't

> interact with it.
>
> Currently, of course, if the connection isn't over SSL, _we_ can't be

> sure that they are connected to a particular domain. And if the
browser
> can't be sure, the user certainly can't.

Fair point. Do you think that regular old homoglyph attacks are so easy
that it's not worth eliminating this type? I'd rather see users trained
to only trust high risk activities to TLS bound connections but
incremental progress is still progress. The confusion point you make
below may very well outweight the perhaps slight benefits this change
would bring.



> > How about if the address bar by default showsonly the domain-name
and
> > the user can change that to be the current behavior. Further the
domain
> > name only appears in the status-bar when TLS is in use and the
domain
> > name of the site is in the certificate?
>
> While we might do the address bar differently if we were starting
> browser design again, I think I can fairly safely say that changing
the
> way it works now is a non-starter from a usability point of view. It
> would be too confusing for users.

I would love to see data on this. I think the majority of non-expert
browser users consider the address bar useful primarily for entering
domain names and secondarily useful for checking where they're at. The
first is reasonable the second is riskier under the current model than
it needs to be. I know better than to glance at the address bar and
draw conclusions (I scroll left and right to be sure it says what it
looks like - or if it's TLS bound I have even better options).



> > Showing the name of the company may. Showing
> > "firstbankofsomewhere.sometld" is not as reliable as showing "First
> > Bank of Somewhere" as the organization name.
>
> I note your example includes a geographical location; not many
business
> names do. How many "First Banks" are there around the world?

I think it holds either way, consider "Bank Cial" who controls some but
not all of: "bankcial.ch", "cialbank.ch", "bankcial.com",
"cialbank.com", "cial.ch".

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Duane]

Ian G wrote:
Gervase Markham wrote:
Ram A M wrote:

Showing the name of the company may. Showing
"firstbankofsomewhere.sometld" is not as reliable as showing "First
Bank of Somewhere" as the organization name. 

I note your example includes a geographical location; not many 
business names do. How many "First Banks" are there around the world?

It's an americanism as far as I know.  You sometimes
see it in the Caribbean, but that would be a sign
that they were trying to appeal to americans, which
is actually a red flag (probably a scam).
There's First National Realestate in Australia, while not being a bank, 
I'm guessing it's not that unique either...
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Gervase Markham wrote:
Ram A M wrote:

Showing the name of the company may. Showing
"firstbankofsomewhere.sometld" is not as reliable as showing "First
Bank of Somewhere" as the organization name. 

I note your example includes a geographical location; not many business 
names do. How many "First Banks" are there around the world?

It's an americanism as far as I know.  You sometimes
see it in the Caribbean, but that would be a sign
that they were trying to appeal to americans, which
is actually a red flag (probably a scam).
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Ram A M wrote:
1 One vector site-spoof attacks rely on is hiding the true domain name.
True - so users should make sure they are certain of the true domain 
before interacting with a site. If they can't be sure, they shouldn't 
interact with it.

Currently, of course, if the connection isn't over SSL, _we_ can't be 
sure that they are connected to a particular domain. And if the browser 
can't be sure, the user certainly can't.

How about if the address bar by default showsonly the domain-name and
the user can change that to be the current behavior. Further the domain
name only appears in the status-bar when TLS is in use and the domain
name of the site is in the certificate?
While we might do the address bar differently if we were starting 
browser design again, I think I can fairly safely say that changing the 
way it works now is a non-starter from a usability point of view. It 
would be too confusing for users.

Regardingthe value of showing the organization name and country. I say
it's hard to know if "subbrand.sometld" is really owned and operated by
"mega-product company." Showing the domain name to the user does not
address this. 
That's the first good argument I've heard for this change. :-)
Showing the name of the company may. Showing
"firstbankofsomewhere.sometld" is not as reliable as showing "First
Bank of Somewhere" as the organization name. 
I note your example includes a geographical location; not many business 
names do. How many "First Banks" are there around the world?

This is especially true
when certificates are issued to enrollees who demonstrate control of a
domain at most.
We need to deal with that particular issue a different way, IMO.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

Regarding the domain indicator - I assume you mean the one that appears
adjacent to the padlock. I think that's great. However I'll give you
two reasons to allways display the the domain name.

1 One vector site-spoof attacks rely on is hiding the true domain name.

2 How many users look at the address bar all loaded up and say - umm
yeah I'm not a programmer, why are they showing me this nonsense. If
screen-space is so valuable (AND IT IS!!) then we might as well get rid
of stuff that doesn't help people, at least in the default setting.

How about if the address bar by default showsonly the domain-name and
the user can change that to be the current behavior. Further the domain
name only appears in the status-bar when TLS is in use and the domain
name of the site is in the certificate?

Regardingthe value of showing the organization name and country. I say
it's hard to know if "subbrand.sometld" is really owned and operated by
"mega-product company." Showing the domain name to the user does not
address this. Showing the name of the company may. Showing
"firstbankofsomewhere.sometld" is not as reliable as showing "First
Bank of Somewhere" as the organization name. This is especially true
when certificates are issued to enrollees who demonstrate control of a
domain at most.

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Benjamin D. Smedberg wrote:
Gervase Markham wrote:
The chances of this sort of change to the address bar are near-zero. 
But have you seen the new domain indicator in Firefox 1.0 and above?

What new domain indicator?

In Firefox 1.0, when the SSL connection is established
without any problems, Firefox puts the domain name from
the cert in the bottom right of the status bar (great!).
It also colours the URL bar at the top yellow (nice!).
It's a great start.  (more! more!)
As an example of great experimentation the Firefox guys
also added another padlock inside the the URL bar on the
right hand side.  Unfortunately, by means of a cunning
technology called favicons, one can also have ones own
padlock on the left hand side:
http://www.pgp.com/
But every little experiment helps!
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Benjamin D. Smedberg]

Gervase Markham wrote:
The chances of this sort of change to the address bar are near-zero. But 
have you seen the new domain indicator in Firefox 1.0 and above?
What new domain indicator?
--BDS
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Ram A M wrote:
Agree. To repeat a comment I made in another thread, I think the
default address bar should not list pre-protocol-specifier items
(username/password@) nor post host-name data (/foo/bar/some.jsp), an
option should be to change back to the currently popular model of
showing the full gory bits.
The chances of this sort of change to the address bar are near-zero. But 
have you seen the new domain indicator in Firefox 1.0 and above?

* Retain the current "normal case" SSL/TLS Firefox UI:
  - display locked padlock in status bar
  - location bar background is yellow
  - site domain name from certificate is displayed in status bar
Again I say show the certificate subjectDN (organization, country..)
and the basic domain name not the full address bar, these are valuable.
Why do you think they are valuable, given that we already display the 
domain name, which is unique?

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Frank Hecker wrote:
Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit
Uh, what new high/low assurance bit? Has someone already committed to 
implement this, and we've agreed to take the patch? :-)
You know what I mean :-) If we have a new high/low assurance bit...
1. A number of "high assurance" CAs do not have OCSP set up. In doing my 
CA list at

  http://www.hecker.org/mozilla/ca-certificate-list
(which covers only new CAs applying for inclusion) I tried to track down 
information on CA's OCSP services; as you'll note, it's not that common. 
However providing CRLs is almost universal, but...
OK... so could we stipulate OSCP or CRLs?
2. Neither Firebird nor Thunderbird have CRL checking (let alone OCSP 
validation) turned on by default; it must be manually enabled by users 
(e.g., by clicking on a link to a CRL -- try one of the ones on the page 
referenced above). This is a big product gap that needs to be filled, 
e.g., by recruiting some more NSS/PSM developers.
Sure. Although one could argue that the fact that we don't take 
advantage of it yet is no reason not to stipulate it...

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

A quick point, the idea of including a statement of relying party
warranty has great potential. A cert extension in EE, chain, or root
certificates could include a numeric value. There is some work to be
done in terms of standardization (actually IIRC I saw a post indicating
this work is done, underway, or imminent). There are issues around
currency - it could be specified in Euros, US Dollars, Gold weight or
others, there are probably at least a few conventions that would
suffice (probably not a currency that is prone to heavy devaluation).

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

Great job Frank.

Frank Hecker wrote:

> Briefly, the motivations behind this proposal are as follows:

I like the foundation.


> Without further ado, here's the proposal:
>
> * Retain the current Firefox UI when SSL/TLS is not used:
>
>- no padlock or other SSL/TLS-related indicator in status bar
>- location bar background is white
>- site domain name is *not* displayed in the status bar

Agree. To repeat a comment I made in another thread, I think the
default address bar should not list pre-protocol-specifier items
(username/password@) nor post host-name data (/foo/bar/some.jsp), an
option should be to change back to the currently popular model of
showing the full gory bits.


> * Retain the current "normal case" SSL/TLS Firefox UI:
>
>- display locked padlock in status bar
>- location bar background is yellow
>- site domain name from certificate is displayed in status bar

Again I say show the certificate subjectDN (organization, country..)
and the basic domain name not the full address bar, these are valuable.
I like the dispaly of authenticated domain-names in the status bar (ie
if they come from a cert at the site).

For the rest of the UI variations I need to give it a lot more thought
than I have time for at the moment. Mock-ups would probably make a big
difference in conveying the ideas (I'm not asking for them, but I'm not
likely to make them either).


> Some follow-on comments:

> * The UI for SSL/TLS with low-assurance certs should be similar but
not
> identical to that for high-assurance certs.

I don't have a strong sense of what the right feedback mechanism should
be. But some things to consider feedback for, some of which you address
(and most not in the terms presented in the list):

=MoFo policy "high assurance"
=MoFo policy "low assurance"
=MoFo policy "no assurance"
=Unknown issuer
=Entity name authenticated
=Domain name authenticated
=Certificate is revoked (perhaps revoked should never be accepted
without going through a deep options menu)
=Certificate is expired (note that CAs may not offer revocation
checking for expired certificates, either by purning CRLs or by
refusing OCSP service)
=Certificate domain-name matches DNS domain-name
=Number of visits to site (the problem here is this wil sometimes
unduly scare the user - consider how many dns names WFB uses for their
service)


> * This proposal in a sense "breaks" existing sites using
low-assurance
> certs, since users of those sites will no longer see the padlock. To
> ease in the transition, it may be appropriate to put up a warning
dialog
> or informational message the very first time the browser encounters a

> low-assurance cert, so that the user will be informed about what is
> going on and will (we hope) be less confused when they see the
checkmark
> instead of the padlock.

I like this model many users are completly new users and giving them
these kinds of tidbits goes a long way to educating them - few will
read a dummy's guide. There should be at least such a pop-up for every
note-worthy new event (first high assurance, first low assurance, first
domainname mismatch, first unknown CA, first revoked, first expired,
change of CA for known site (possible DNS attack).


> * In the case of a self-signed cert or cert from an unknown CA,
Firefox
> should *not* offer users the opportunity to accept the certificate or

> the certificate's issuing CA as "trusted", at least not from the
> immediately visible UI.

This seems a necessarily compromise to avoid the 'click through
everything' behavior the user seems to have today.


> * In the case of a cert from a known CA but with an non-matching
domain
> name, the warning dialog should be displayed at least once per
browser
> session, without the possibility of turning it off permanently for
that
> site. If an informational message is displayed in this case, then
> perhaps its dropdown menu can contain an option to not display the
> informational message in the future for not matching domain names
> (similar to the option for self-signed certs or unknown CAs); in this

> case the UI indicators would remain the same, except for an "X" mark
> replacing the "exclamation mark in circle" accompanying the original
> informational message.

This may be a bit complicated but I don't have a better suggestion off
hand.


> (I don't think it makes sense to not display a status bar indicator
at
> all after dismissing the information message, and to treat this case
the
> same as a non-SSL site. There really is something wrong with the site
--
> it's either misconfigured or is using a stolen key and cert -- and
the
> UI should reflect that.)

Agree.


> * A "high assurance" certificate can be defined at a high level as "a

> certificate issued only after some level of human review of the cert
> subscriber", whereas a "low assurance" certificate might be issued
> through an automated process,

I suggest the inclusion of technical robustness criteria as well.
Consider that 

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit
Uh, what new high/low assurance bit? Has someone already committed to 
implement this, and we've agreed to take the patch? :-)

in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?
Two points:
1. A number of "high assurance" CAs do not have OCSP set up. In doing my 
CA list at

  http://www.hecker.org/mozilla/ca-certificate-list
(which covers only new CAs applying for inclusion) I tried to track down 
information on CA's OCSP services; as you'll note, it's not that common. 
However providing CRLs is almost universal, but...

2. Neither Firebird nor Thunderbird have CRL checking (let alone OCSP 
validation) turned on by default; it must be manually enabled by users 
(e.g., by clicking on a link to a CRL -- try one of the ones on the page 
referenced above). This is a big product gap that needs to be filled, 
e.g., by recruiting some more NSS/PSM developers.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit 
in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?

That would be to impact the definition of "high" assurance
with the policy aspects of getting OCSP going.  Until OCSP
is up and going and shown to be a really good idea, it is
not a good idea to link it to another area of uncertainty.
The unintended consequences of that might actually make
either of "high" assurance or OCSP more difficult to get
going.
If one wanted to signal that OCSP was correlated to "high"
assurance, maybe the notion is to put another little icon
on the status bar that said "OCSP in action."  Then, as
time goes on, we could see if that became a good signal of
quality or not?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

On a related point, can we perhaps use this new high/low assurance bit 
in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Peter Gutmann wrote:
"Location bar is something more noticeable than yellow".  Have you ever looked
at the pastelly-white vs. pale-yellow location bar on a laptop LCD screen in
bright room light or outdoors?  The two are virtually indistinguishable.  I've
seen older laptops with either poor-to-begin-with or faded-over-time LCDs
where you can't actually tell the difference between the two colours.
This is a valid point. I guess alternatives would include a different 
color and/or some sort of patterned background to further increase the 
contrast.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[J. Wren Hunt]

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
HJ wrote:
|> 2) Some important sites are not using SSL for their login pages - Yahoo
|>   apparently being one.
|
|
| I have a Yahoo e-mail account, and that uses SSL for logins.
| Are you talking about the free Yahoo webmail or paid Yahoo e-mail
accounts?
|
I recently had occasion to traipse through Yahoo!'s login process - it's
actually rather neat: if you choose the non-default "Secure" login then
you're connected via SSL as expected. If you take the default "Standard"
login route, it then checks to see if your browser supports Javascript
and has it enabled then it generates a password hash for login. If you
have Javascript disabled, etc., then it *falls back* to the "Secure"
login. Rather slick! I think their "Standard" login description is a bit
of a misnomer in this case.
- --
Cheers!
J. Wren Hunt
Cambridge, MA. USA
- 
"In theory, there is no difference between theory and practice. But, in
practice, there is." - Jan L.A. van de Snepscheut
+--+
| v-card   http://wrenhunt.homelinux.org/data/wren.vcf |
| x.509http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer |
| OpenPGP  ADF5 1432 A59E 8F4D 4AE7  4DFE 03FA 91E1 4A24 D6F4  |
+--+
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1rc2 (Darwin)
iD8DBQFCODOAA/qR4Uok1vQRAwEIAJ0WoiaDwl40ByQhvhK49wuBLNfb5gCg3c3W
NcKXJO/IoRADrUCuakz0UO0=
=Yudv
-END PGP SIGNATURE-
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Peter Gutmann]

Frank Hecker <[EMAIL PROTECTED]> writes:

>* Retain the current Firefox UI when SSL/TLS is not used:

>   - location bar background is white

>* Retain the current "normal case" SSL/TLS Firefox UI:

>   - location bar background is yellow

"Location bar is something more noticeable than yellow".  Have you ever looked
at the pastelly-white vs. pale-yellow location bar on a laptop LCD screen in
bright room light or outdoors?  The two are virtually indistinguishable.  I've
seen older laptops with either poor-to-begin-with or faded-over-time LCDs
where you can't actually tell the difference between the two colours.

Peter.
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[HJ]

Gervase Markham wrote:
HJ wrote:
I have a Yahoo e-mail account, and that uses SSL for logins.
Are you talking about the free Yahoo webmail or paid Yahoo e-mail 
accounts?

This was Dan's example; and I think he meant the login page was 
unencrypted but submitted to an encrypted target. Amazon does this also, 
I've noticed.
Yep, correct, which is probably done to save server resources.
2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.

There is, or should be, (for now) that Mozilla Firefox icon (at least 
on Windows) at the upper left corner of the window (I don't have a 
clue what the official for it is).

Hmm, well, maybe. It's not really enough, though.
Fair enough, but it might help, at least for now.
ps s/official/official name
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

HJ wrote:
I have a Yahoo e-mail account, and that uses SSL for logins.
Are you talking about the free Yahoo webmail or paid Yahoo e-mail accounts?
This was Dan's example; and I think he meant the login page was 
unencrypted but submitted to an encrypted target. Amazon does this also, 
I've noticed.

2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
There is, or should be, (for now) that Mozilla Firefox icon (at least on 
Windows) at the upper left corner of the window (I don't have a clue 
what the official for it is).
Hmm, well, maybe. It's not really enough, though.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[HJ]

Gervase Markham wrote:
Frank Hecker wrote:
What's your and Dan's motivation for doing that? Because the domain 
name as displayed in the address bar may be misleading (e.g., by 
people doing tricks to spoof the name as displayed)?

There were several reasons behind the decision. There is discussion in 
https://bugzilla.mozilla.org/show_bug.cgi?id=262366 . Basically:

1) Most phishers are currently not using SSL, and people are left 
parsing complex URLs in the URL bar.

2) Some important sites are not using SSL for their login pages - Yahoo
  apparently being one.
I have a Yahoo e-mail account, and that uses SSL for logins.
Are you talking about the free Yahoo webmail or paid Yahoo e-mail accounts?
2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
There is, or should be, (for now) that Mozilla Firefox icon (at least on 
Windows) at the upper left corner of the window (I don't have a clue 
what the official for it is).

I'm still not really convinced it's a good idea, but the real reason I 
agreed to it, though, was that otherwise Dan was threatening to port his 
Firefox 1.0.1 patch which puts the URL in the _title_ bar on popups (as 
IE now does) over to the trunk. :-) And I figured that if we were 
determined to display the domain somewhere on insecure popups, at least 
we should:

- be consistent
- keep security UI to the status bar, without letting it creep
  everywhere
- avoid the problems IE has with their title bar implementation.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Frank Hecker wrote:
What's your and Dan's motivation for doing that? Because the domain name 
as displayed in the address bar may be misleading (e.g., by people doing 
tricks to spoof the name as displayed)?
There were several reasons behind the decision. There is discussion in 
https://bugzilla.mozilla.org/show_bug.cgi?id=262366 . Basically:

1) Most phishers are currently not using SSL, and people are left 
parsing complex URLs in the URL bar.

2) Some important sites are not using SSL for their login pages - Yahoo
  apparently being one.
2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
I'm still not really convinced it's a good idea, but the real reason I 
agreed to it, though, was that otherwise Dan was threatening to port his 
Firefox 1.0.1 patch which puts the URL in the _title_ bar on popups (as 
IE now does) over to the trunk. :-) And I figured that if we were 
determined to display the domain somewhere on insecure popups, at least 
we should:

- be consistent
- keep security UI to the status bar, without letting it creep
  everywhere
- avoid the problems IE has with their title bar implementation.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
Er... a slight snag here is that dveditz and I just agreed that we would 
start displaying domain names on non-secure sites.
What's your and Dan's motivation for doing that? Because the domain name 
as displayed in the address bar may be misleading (e.g., by people doing 
tricks to spoof the name as displayed)?

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
Frank Hecker wrote:

5. Discourage typical users from modifying the default list of 
"trusted" CAs and certificates, in particular by adding new site or CA 
certs as warning dialogs pop up.
I'm not sure I understand this sentence.
I meant the following: Right now when you connect to a site that 
presents a self-signed SSL cert, or an SSL cert issued by a CA not 
currently in the Firefox/NSS default list (or in the list, but with SSL 
"trust bit" set to "no"), the user is presented with a warning dialog 
that (among other things) offers them the option to "trust" the site 
cert and/or the CA cert on a permanent basis. This in turn causes at 
least some end users to modify the default cert list simply in order to 
get past the warning dialog and get on with viewing the page.

(The user could also cancel the connection or accept the cert only for 
the current session, of course, but I suspect a significant percentage 
of people actually accept the site or CA cert permanently.)

I believe that we should discourage such behavior, by removing the 
warning dialog entirely. Instead Firefox should simply display the web 
page in question without popping up a dialog, with some UI indicator to 
indicate that the page was not retrieved via a "normal" SSL connection. 
(For example, I suggested displaying a question mark instead of a 
padlock, and not changing the address bar background at all.) If the 
user then wants to actually "trust" the site or CA cert they could do so 
in some other way, e.g., through a menu item on an informational message 
dropdown, or through FF preferences, or whatever. But making such a 
decision would be optional, not forced through use of a modal dialog.

Note that this issue is entirely separate from the issue of using 
different UI for "low asurance" vs. "high assurance" certs, and IMO 
should be considered no matter what people decide om the latter issue.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Frank Hecker wrote:
2. Acknowledge the typical user's expectation that the display of a 
padlock is something associated primarily with e-commerce or financial 
sites, and basically means "it's safe for you to enter sensitive 
financial or other personal information on this page".
I'd concur that this is what users who notice the padlock at all expect 
it to mean.

5. Discourage typical users from modifying the default list of "trusted" 
CAs and certificates, in particular by adding new site or CA certs as 
warning dialogs pop up.
I'm not sure I understand this sentence.
Without further ado, here's the proposal:
* Retain the current Firefox UI when SSL/TLS is not used:
  - no padlock or other SSL/TLS-related indicator in status bar
  - location bar background is white
  - site domain name is *not* displayed in the status bar
Er... a slight snag here is that dveditz and I just agreed that we would 
start displaying domain names on non-secure sites. But that's not set in 
stone. I've invited him over here to participate.

Having read your proposal, I think I'm going to do some "thinking out 
loud".

We want to clearly indicate the following information, all of which is 
useful:

1) Can I be certain I'm connected to the domain in the URL bar? Yes/No
2) Is the connection encrypted? Yes/No
3) Can I put my CC number into this web page? Yes/No
1) could be fulfilled by a high-assurance cert, low-assurance cert, 
self-signed cert or Secure DNS.

2) could be fulfilled by any sort of cert, and is a subset of 1).
3) is a subset of 2), and is fulfilled when there is a high-assurance cert.
If this is true, then it's just a matter of determining the UI. Here's 
one suggestion:

We have a tick for "domain name verified" (case 1)
We have the yellow background for "encrypted" (case 2)
We have the lock (instead of the tick) for "CC-safe" (case 3)
My only concern with this plan is that then the UI difference between 
cases 2 and 3 is not as visible as it could be. But it's only a plan - 
the real question is, is my 1/2/3 division correct?

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Frank Hecker wrote re insurance related to certs:
However I think in practice this approach might be problematic, for a 
variety of reasons. First, CAs have much fewer economic incentives to 
care about relying parties (who aren't actually their customers) than 
they do about subscribers (who are the ones paying them). Second, even 
assuming that the cost of getting sued by relying parties is such an 
economic incentive, it's quite possible that lawyers for CAs would be 
easily able to blunt the impact of such suits, e.g., by pointing to 
contributory negligence on the part of the relying party and/or escape 
hatches for the CA. ("You didn't view the certificate details and look 
at the certificate policy governing the certificate?" "You didn't read 
the relying party agreement, particularly the limitation of liability 
section?" And so on.)
One very quick comment: The point I was trying to make here is that I 
think it's unlikely that relying parties who got phished would actually 
be able to recover damages from CAs, which causes problems for a 
market-based approach involving insurance. Similar reasons to those 
holding back Bruce Schneier's idea of improving the security of software 
via holding software vendors liable (with insurers then prodding vendors 
to clean up their act) -- the s/w vendors today have little or no 
(legal) reason to care, and no one in a position to do so (e.g., 
government) is forcing them to care.

Till later,
Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Ian G wrote:
Now for MAJOR point #2.  What is the definition of "assurance" ?
And what is meant by "high assurance" ?
I'll apologize in advance for not addressing all your points, both in 
this message and your others. I have a tight time window for doing this 
sort of thing, and I wanted to concentrate on a couple of key points below.

Frank Hecker wrote:

The reason for making the "high/low" distinction depending on the 
presence or absence of human review is that this is directly related 
to the cost (in time and/or money) of doing phishing attacks that 
direct people to SSL-protected sites.

OK, this is getting closer to a rationale of economic
security.  For the phisher, there is only one question,
which is how much does it cost me and how much do I earn?
Agreed, which is why I think realistically any notion of "assurance" has 
to ultimately justify itself based on economic analysis. To expand on 
your comments on the threat du jour represented by phishing, pharming, 
etc., one presumed thing we want to prevent (as I noted) is phishers 
getting throwaway certs for throwaway domains, and thereby being able to 
more convincingly impersonate "real" ecommerce and financial sites.

(Note that I don't certainly don't think this is the only possible 
anti-phishing defense, or even necessarily the best one, but it 
certainly seems to be what people are concerned about in the whole 
series of discussions we've been having re "raising the bar" relative to 
CAs. Hence my interest in putting out a strawman proposal on how to do 
this, to make the discussion less abstract and more concrete.)

Here's my attempt at a quick "back of the envelope" analysis of the 
economics of phishing as they relate to SSL certs (not a real analysis, 
but a mere sketch): "How much do I earn" could be quantified as expected 
"revenue" per day resulting from standing up a given phishing site at a 
given domain, times expected lifetime of that site at that domain (e.g., 
before the domain or server is taken down by others or blocked by 
phishing blacklists or whatever). (Expected "revenue" per day is 
dependent on other factors, such as the type of site being impersonated, 
number of phishing spam emails sent out, etc., but we'll leave all that 
aside for now.)

"How much does it cost me" could be quantified by some formula involving 
the direct monetary cost of the SSL cert, related monetary costs of 
applying for the cert (e.g., cost of obtaining fraudulent id documents), 
the time required to get the cert (which equates to potential "revenue" 
lost from that domain that could otherwise be "earned" in the meantime), 
the probability of the cert application being rejected (more lost time, 
assuming rejection is not instant), and the probability of the phishing 
fraud being traced back to the actual phisher (which combined with the 
probability of being caught by law enforcement and convicted of 
something, plus the expected fines and/or jail time, equates to loss of 
future gains from phishing, which can then be used to calculate a net 
present value figure to go into the overall cost estimate). There may be 
other elements I haven't thought of, but these will serve as examples.

Given such a calculation, we could (at least in theory) define a "high 
assurance" cert for our purposes as a cert whose cost to the phisher 
exceeds the expected "revenue" (i.e., fraudulent gain) for the domain 
with which the cert is associated. Whether we could make such a cost 
calculation in practice is of course uncertain, but I don't think it's 
totally out of the question given sufficient motivation to collect the 
data and do the calculations.

The other thing I'll note here is that under this approach CAs could 
have wildly different attributes but still have the same resulting 
expected costs from the phisher's point of view. For example, one CA 
might sell cheaper certs (or even provide free certs) than another CA, 
but might require a week to issue a cert where the more expensive certs 
might require only a day. Or, in your example of the automated but 
arguably high assurance CA using smart cards, etc., the short time 
required to get a cert might be balanced by an increased likelihood of 
fraudulent applicants being detected and an increased risk of 
significant consequences arising from violations of national id laws.

The problem then is for the defender to say "how much is
this cert worth?"  The relying party and the cert owner
both have the same question.  Now, the question is *not*
totally answered by "how much does it cost?"  As I described
above, the cost of production of the cert is only a very
weak indicator of how much it is worth.
If by "cost of production" you mean marginal cost to the CA of issuing 
the cert (including variable costs, e.g., labor, plus amortized fixed 
costs) and by "how much is it worth" you mean something like my "cost to 
the phisher relative to expected revenue" then I'm with you, dude :-)

The best way to answe

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Jean-Marc Desperrier wrote:
A few days ago, I reached pretty similar ideas as a conclusion of the 
recent debatting, reinforced by remembering how valid the old SSL 
usability rant of Matthew Thomas was 
(http://mpt.phrasewise.com/2003/11/11), 
Great rant, but as with many rants I notice MPT didn't propose any real 
alternative approaches (which is why I like Ian's rants better than 
MPT's :-)

Just a few things :
- There's too many cases. Only experts are actually interested in why 
the site is not secure, just tell the general public that it's not, and 
you have to open the details windows to learn why.
So below I will discuss several ways of restricting the options to a 
minimum.
Actually I think in practice Firefox users (to the extent they're paying 
attention at all) pay most attention to the yellow background appearing 
in the location bar. (As a personal anecdote, I've been using Firefox 
for almost a year now and only noticed last night that -- unlike Mozilla 
-- Firefox does *not* display an open lock on a page not using SSL/TLS, 
it just shows nothing.) The yellow bar could remain a binary option, 
displayed only in the "high-assurance" case, with the status bar icons 
being secondary indicators that could be multi-state.

There's quite a lot that can be debatted about the 
"high-assurance"/"low-assurance" distinction.
It might be good to implement first the second, and allow more time to 
think about what we want for the first.
Well Ian would say (and I can't blame him) "if you can't define low vs. 
high, why bother implementing a UI to show the difference?" IMO his 
question needs to be addressed in some manner.

- "high-assurance" is something new, I'd see a new icon.
I disagree. I think that in the context of the CA market and the web as 
it's evolved "low assurance" is the new thing, and that typical user's 
expectations (to the extent they have expectations at all -- some 
clearly don't) are that the lock means "good for e-commerce and finance".

In any case, we need to limit the case as much as possible, so 
alternatively what I'd see is : nothing/a discreet check mark/lock.
This is basically what I proposed for the "normal" cases, so I presume 
you're objecting only to using icons for the "unusual" cases.

> Cliking the "check mark" would show the detail windows.
I presume you mean double-clicking the check mark (i.e., to bring up the 
"Page Info" window). In Firefox a single click on the padlock does 
nothing, so the same should hold true for clicking on a checkmark.

This said, I'd see a closed eye icon, rather than a check mark for this.
Choice of icon is up for debate. I like the check mark because it's tied 
to the display of the domain name from the cert and whether it does or 
doesn't match the requested name.

- About the non-matching cert name, many people misconfigure servers, 
it's not definitively showing an attack attempt. That's why, and also in 
order to limit the number of possible case, I'd just remove the warning 
(warning are bad, the blocked popups warning is less bad but is still 
bad), and display the normal GUI as if there's no encryption in that case.
Removing the warning popup is OK I think, but I think there should be 
some indication of a problem for non-matching cert names. Otherwise we'd 
be displaying a domain name in the status bar, one that doesn't happen 
to match the one in the location bar, with no graphical indicator (like 
the "X" or whatever) that might serve to draw the user's attention to 
that fact.

That's all the time I have now. I'll try to comment more this weekend 
sometime.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

(I don't have time for detailed responses right now, but will try a 
quick one or two.)

Duane wrote re discouraging users from modifying the default cert database:
There was a bug on bugzilla for this and it has since been marked won't 
fix...

https://bugzilla.mozilla.org/show_bug.cgi?id=276827
You should also have a look at:
https://bugzilla.mozilla.org/show_bug.cgi?id=267515
Note that I'm *not* in favor of totally locking users out from accepting 
new CA certs or server certs as valid. Rather what I would like to see 
us eliminate is forcing such decisions on naive users by presenting them 
with warning dialogs that have to be clicked through to proceed. That's 
why I think connecting to sites with self-signed certs or sites with 
certs from unknown CAs should *not* cause warning popups, but should 
include informational messages by which users who wanted to could get 
more information and the opportunity to accept new server or CA certs.

Adding a new cert could be a menu item right off an informational 
message dropdown menu (probably more suitable for adding a self-signed 
server cert), or could be on a subsequent dialog box; the main point is 
that users wouldn't have to do anything, they could just view the page 
and not worry about having to answer questions they don't necessarily 
understand.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Now for MAJOR point #2.  What is the definition of "assurance" ?
And what is meant by "high assurance" ?
Luckily Frank dives right in here below and defines "high assurance."

Frank Hecker wrote:
* A "high assurance" certificate can be defined at a high level as "a 
certificate issued only after some level of human review of the cert 
subscriber", whereas a "low assurance" certificate might be issued 
through an automated process, e.g., one that simply verifies that the 
cert subscriber controls the domain listed in the certificate. With a 
low-assurance cert we can assume there is some basic protection against 
certain types of phishing attacks (e.g., attacks based on DNS spoofing), 
but we don't necessarily want to give the user the impression that the 
site is in the same category as traditional e-commerce/financial sites 
where they've been conditioned to look for the padlock.

Out of the above, I see these things:
A meaning for "high assurance" certificates is:
"is a traditional e-commerce/financial site."
A test for "high assurance" certificates is "human review."

A meaning for "low assurance" certificates is that
the domain is as it says it is.
A test (of sorts) is that the issuance is automated.
That's a little bit strained, but might do for now.
The issues then arise that actually, these definitions don't
buy you enough to be worth the effort.  For example, imagine
I want to start selling high assurance certs for $10.  If the
test is human review, I simply employ nepalise school kids to
do a bit of browsing and reading of faxed documents.
Alternatively, imagine we live in the future world of strong
identity tokens, like they do in some countries in Europe.
http://www.financialcryptography.com/mt/archives/000249.html
So, with a little bit of jiggery with smart card readers and
so forth, I can set up a system that issues individual level
certs to people who over the net plug in their smart card,
sign the request and get the delivery sent to their secure
email address.  Not only have I got reliable chain from
smart card to email delivery, I also have the law backing
me up, as once signed by a smart card, it is an accepted
signature and contract.
Hey presto, I can set up a "high assurance" certificate
delivery system and I can automate the lot.  I know it is
high assurance because every step along the way is high
assurance, the linkages are high assurance, and the courts
are high assurance.

OK, so having broken the meaning and the test (sorry Frank!)
why is this?  Well, it relates directly to the failure to
define "assurance".  Unless assurance is defined, there can
be no meaning to "high assurance" and no tests.  Hence,
although the meanings and tests can be imagined and proposed,
the only thing we have to go on is gut feel.  Does it feel
right?  As an example:  "automation is too easy ... so it must
be bad for high assurance, right?"  Well, maybe.
_The challenge then is to define assurance_.  This is really
tough.  The obvious problem is that assurance depends on
who and when we are talking about.  Is it:
   * Lazy lina who is buying a book from amazon?
   * Dodgy dan who is surfing porn with his wife's credit card?
   * General Jim who is just sneaking back to the NSA so as to
 up load his night's work on the latest threats to the nation?
   * Teenaged Timmy who's chatting with his girlfriend and trying
 to score without his kid sister peaking and spoiling everything?
   * Crypto Che who's sending the plans for the rebel attack to the
 revolutionary high command?
All of these contexts result in highly distinct threat scenarios.
SSL "covers them all."  What is high for one may be low for another,
and vice versa.
As we know, the imposition of the binary security model has a
difficulty in the real world of browsing.
In practice, it cannot find peace in any "high assurance" model,
as there is no way to deliver that "high assurance" to all those
people.  It *can* find peace in the "low assurance" model, but
only by settling on the lowest common denominator - the least
protection.
Which annoys everyone.  Hence the demands for "high assurance"
but these demands simply repeat the conundrum - how to define
"high assurance" and more basically, what is assurance?
Replacing a binary security model with a ternary security model
does not solve the problem.  It does one thing for us, which is
to isolate and point fingers at the problem ... but that isn't
enough to solve it.

So in order to define assurance, we need something hard:

The reason for making the "high/low" distinction depending on the 
presence or absence of human review is that this is directly related to 
the cost (in time and/or money) of doing phishing attacks that direct 
people to SSL-protected sites. Just as the low cost of domain 
registration allows phishers to register "throw-away" domains for their 
sites, evading anti-phishing defenses based on flagging URLs that 
contain IP addresses instead of domain

Re: Strawman proposal for SSL UI changes

[Ian G]

OK, so MAJOR point #1:  The meaning of the padlock.
> 2. Acknowledge the typical user's expectation that the display of a
> padlock is something associated primarily with e-commerce or financial
> sites, and basically means "it's safe for you to enter sensitive
> financial or other personal information on this page".
I feel this is uncertain.  Here are some reasons why
I feel short of subscribing to this:
  a.  There is very little documentary evidence of
  that meaning, or indeed of any others.
  b.  There is widespread disagreement among communities,
  with the crypto side thinking it means TLS in
  place, and the cert sales people saying "read
  our CP/CPS."
  c.  There is evidence that users ignore the padlock
  completely when entering sensitive info.  This
  evidence is substantial:  phishing is almost
  totally non-padlock based or padlock-spoofed.
  d.  The CAs do not subscribe to that meaning, as
  evidenced that almost all CAs supply certs
  without checking 'fitness-for-purpose'.
  e.  From security model terms, the meaning has no
  founding, as the value of "safe" changes from
  user to user and from event to event.  You can't
  say something is safe unless you can tie it down
  to contexts and values.
  f.  There is no research to confirm this as a meaning.
  g.  The history of the padlock does not agree.  When
  it originally started, it was a key, with one tooth
  for 40 bits and 2 teeth for 128 bits.  This meant
  that it was safe from eavesdroppers, according to
  some cryptorebel measure.  But, safety for entering
  personal details wasn't what the teethy folks were
  thinking.  Then it changed to be a padlock, so we
  probably have to go back and ask what the padlock
  inventors thought it meant.
I'm sure there may be others, for the case for and against.
But the key point here would be that I would see it as
very difficult to rely on that meaning.
( Now, it may be that Mozilla as a community says "ok, so
the meaning wasn't clear, sorry about that, now we are
going to make it clear, and here's what it means!"  Sure,
but that's a whole other ball game. )
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

OK, sounds like fun :)  Following are some MINOR comments
that hopefully would improve the proposal ... I'll post
my two MAJOR comments under separate cover.
iang

Frank Hecker wrote:
Prompted by some comments by Gerv Markham, the following is an strawman 
proposal for changing the Firefox UI relating to web pages retrieved via 
SSL/TLS. It was created upon waking in the middle of the night, so 
please feel free to treat it with extreme skepticism :-)

(This is relevant to both n.p.m.security and n.p.m.crypto, so I'm 
cross-posting to both forums, but I'm setting followups to 
n.p.m.security to direct discussions to the wider audience associated 
with that forum.)

Briefly, the motivations behind this proposal are as follows:
1. Make the SSL/TLS UI as simple as possible, but not simpler.

I'm not as yet sure what you mean by the "SSL/TLS UI" ...
hopefully that will become clear.
(padlock?  edit/prefs/privacy?)
2. Acknowledge the typical user's expectation that the display of a 
padlock is something associated primarily with e-commerce or financial 
sites, and basically means "it's safe for you to enter sensitive 
financial or other personal information on this page".

3. At the same time, allow for other legitimate uses of SSL/TLS beyond 
the traditional e-commerce/financial uses, and in particular promote 
wider use of SSL/TLS as a useful component of a comprehensive 
anti-phishing strategy.
OK.  (I've written on the goal of security elsewhere.)  It
would be desirable for Mozilla to adopt a goal of security.
At the moment, it is written about but not adopted.  If it
were adopted, we could then identify anti-phishing as a
"clear and present danger" to users and then pursue that
as a danger to be addressed.
Having a goal of security forces you to meet the goal.  This
helps because it separates out the distractions from the
important tasks.  In the above, "promote wider use of SSL/TLS"
is a distraction.  Only if it helps security should it be used,
as a tool.  Wider use might actually make things more insecure,
if employed like a hammer on all nails in sight.
Also (annoyingly) we need to differentiate between SSL, TLS,
HTTPS, S/MIME, certs, PKI... in any proposal.  I generally
use SSL to refer to "the lot" and TLS to refer to the raw
protocol, sans certs.  HTTPS as TLS+certs+browsing.
But others do not do that...

4. Eliminate or at least minimize SSL/TLS-related error messages and 
warning dialogs, particularly in cases where they are arguably not 
warranted based on the security risk relative to not using SSL/TLS at all.
OK.

5. Discourage typical users from modifying the default list of "trusted" 
CAs and certificates, in particular by adding new site or CA certs as 
warning dialogs pop up.

Discourage typical users ... Um.  That I'm unsure of.  The
user is king, or queen in cryptoterms.  It may be that the
browser cannot distinguish between "user is told by boss"
and "user is told by phisher" but that isn't really enough
to go on in.

Without further ado, here's the proposal:
* Retain the current Firefox UI when SSL/TLS is not used:
>
  - no padlock or other SSL/TLS-related indicator in status bar
  - location bar background is white
  - site domain name is *not* displayed in the status bar

This I agree with.  I note there is some preference to display
a site domain name even without SSL, as being "this is where
you ended up".  If so, it should be a different colour or the
like.  But, I'd prefer it not to be there at all, for strategic
reasons.

* Retain the current "normal case" SSL/TLS Firefox UI:
  - display locked padlock in status bar
  - location bar background is yellow
  - site domain name from certificate is displayed in status bar
*but* reserve it for the cases where the site's certificate is a 
"high-assurance" certificate from a known CA. (Assume, at least for now, 
that we have a reasonable way to decide whether a given site certificate 
is "high-assurance" or "low-assurance"; see also below.)

OK.  Hopefully we also find out what "assurance" means :-)

We then add the following new SSL/TLS UI cases, for which we do *not* 
use the traditional "padlock" indicator in any form:

* SSL/TLS connection involving a "low-assurance" certificate from a 
known CA:

  - display check mark in status bar (instead of padlock)
  - location bar background may or may not be yellow (this is debatable)
  - site domain name from cert is displayed in the status bar

OK, so if we accept the assumptions (!) then I think you have
this about correct.  The status bar is (for me) Mozilla's
security display, so it should show the domain that the cert
says you got to.  This is valid regardless of the assurance
level, which displays something else.  The yellow location
bar is just another padlock for me, one that is easier to see.

* SSL/TLS connection involving a self-signed certificate or a 
certificate from an unknown CA:

  option 1:
  - display question mark in status bar (instead of padlock)
  - location bar backgr

Re: Strawman proposal for SSL UI changes

[Jean-Marc Desperrier]

Frank Hecker wrote:
That pretty much completes my night-time excursion into the wonderful 
world of Firefox security UI discussions. Feel free to flame away.
A few days ago, I reached pretty similar ideas as a conclusion of the 
recent debatting, reinforced by remembering how valid the old SSL 
usability rant of Matthew Thomas was 
(http://mpt.phrasewise.com/2003/11/11), but had no time to describe it 
in a coherent and convincing way like you just did.

Just a few things :
- There's too many cases. Only experts are actually interested in why 
the site is not secure, just tell the general public that it's not, and 
you have to open the details windows to learn why.
So below I will discuss several ways of restricting the options to a 
minimum.

- I see two parts in this plan. One is introducting the 
"high-assurance"/"low-assurance" distinction, the older is removing all 
warning dialogs nobody reads least understand, and reflecting the 
insurance in the GUI.

There's quite a lot that can be debatted about the 
"high-assurance"/"low-assurance" distinction.
It might be good to implement first the second, and allow more time to 
think about what we want for the first.

- "high-assurance" is something new, I'd see a new icon.
I think the solution is an icon representing a vault, and not a lock for 
"high-assurance". I think it's a symbol everyone understand the meaning 
of without explanation, and it means you don't need to tell some CA you 
removed them the 'lock' list, just that they don't meet the criterium 
for the new 'vault' list. We just need a good vault icon that doesn't 
look like something else for anybody.
That way, we can keep the  lock for the normal SSL case, and not change 
it's meaning with today.

- If we take apart the "high-assurance"/"low-assurance" distinction, I'd 
go even further than you.
I think the binary option is tempting.
It's secure, fully, or it's nothing, and the GUI doesn't show anything.

In any case, we need to limit the case as much as possible, so 
alternatively what I'd see is : nothing/a discreet check mark/lock.

The discreet check mark would be something usually people would not 
notice, it should fail "look for the lock" 
(http://www.gerv.net/security/stay-safe/), but it would keep people 
happy who would find it unfair that any error in the checking means 
there is nothing  in the GUI showing the communication is any different 
from ordinary http. Cliking the "check mark" would show the detail windows.

This said, I'd see a closed eye icon, rather than a check mark for this.
- About the non-matching cert name, many people misconfigure servers, 
it's not definitively showing an attack attempt. That's why, and also in 
order to limit the number of possible case, I'd just remove the warning 
(warning are bad, the blocked popups warning is less bad but is still 
bad), and display the normal GUI as if there's no encryption in that case.
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Duane]

Frank Hecker wrote:
* The only way to add new CAs or server certs or to change the default 
"trust bits" should be through the Firefox preferences UI or (perhaps) 
through a detailed certificate dialog reached by selecting an item from 
the dropdown menu associated with an informational message (if used). 
(This latter option would be similar to the "Edit Popup Blocker Options" 
menu item displayed for the blocked popups informational message.)
There was a bug on bugzilla for this and it has since been marked won't 
fix...

https://bugzilla.mozilla.org/show_bug.cgi?id=276827
You should also have a look at:
https://bugzilla.mozilla.org/show_bug.cgi?id=267515
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security