"Steven M. Bellovin" wrote: > Please don't take this personally...
None taken here either, and I'm the author :) > >From a security point of view, why should anyone download any plug-in > from an unknown party? In this very specific case, why should someone > download a a plug-in that by its own description is playing around in > the crypto arena. They probably shouldn't. Unless they've conversed with me at length and decided that I'm nice, or they download the JAR and vet the code themselves. IMO this is just something that takes time. If I work on SSLbar (or other plugins) long enough, and they get used, I cease to be an unknown party... It'd probably help if I signed the thing, too :) > How do we know it's not going to steal keys? Is the > Mozilla API strong enough that it can't possibly do that? Presumably it is strong enough to stop that, but I haven't pushed it yet (you're talking about personal certs installed in Mozilla, yes?). > Is it > implemented well enough that we trust it? (I see that in this case, > the guts of the plug-in are in Javascript. Given how often Javascript > has played a starring role in assorted security flaws, that doesn't > reassure me. But I do appreciate open source.) Security problems with JavaScript are directly related of the context (or lack thereof) in which the code is run. The entire UI of Mozilla is actually bolted together with JavaScript, including the existing SSL certificate properties pages. Unzip the pippki.jar file in your mozilla/chrome directory and take a look at content/pippki/viewCertDetails.js and viewCertDetails.xul - this is code for viewing certs that comes with Mozilla. As far as I am aware, you can't access any of the juicy stuff from within eg: a web page, only from within toolbars and other UI overlays. Regarding the usefulness of SSLbar itself, its immediate purpose was fingerprint display, as a (theoretically) easy means of checking a cert's validity yourself, rather than relying on a third party signing. That list of "officially sanctioned CAs" that comes with browsers just keeps getting longer and longer. I don't know who the hell any of those organizations are, or what their policies are... Anyway, SSLbar could be made much more useful if I were to have it (somehow) cache fingerprints or certs, and a flag to indicate whether the user has validated them. Implementing this requires further investigation however, and I've just been pointed at this list and it's archive, so I have some more reading to do :) Regards, ML --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]