Re: Crypto and UI issues
-- James A. Donald: My two most recent logins were with First National Bank of Omaha and Your IBM Savings plan Is firstnational.com the same entity as First National Bank of Omaha? Is https://lb22.resources.hewitt.com; the same entity as Your IBM Savings plan From: Ben Laurie [EMAIL PROTECTED] You have logins at banks and IBM? Why is this odd? --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG vIiB5l+AqD0zb/5Uiman/czZN39B7m4WH2QZpIfO 4x4N9LBAgWjrHU1VbWgwgVV103Si9OgUB9fjKdpou - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
On 12/18/05, Ben Laurie [EMAIL PROTECTED] wrote: It would happen at least as much as it happens with https, and it happens enough with https that false negatives enormously outweigh true negatives. True, but I don't see false negatives very often with https at all. And I visit far more web sites than I log into machines with ssh. So, I'm not really buying this. Firefox rarely gives me false negatives. IE tends to be a bit picker. The most common one involves sites that mix http and https on the same page. There's also no way to disable that warning. An expert will reflexively click through a dialog that is almost certainly a false negative. That's just not true. It reminds me of the base-rate fallacy: http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf -- http://www.lightconsulting.com/~travis/ -- P=NP if (P=0 or N=1) My love for mathematics is like 1/x as x approaches 0. GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
-- James A. Donald Let us imagine that SSH had certified keys. Well, certifying a key is bound to be complicated, and things are bound to go wrong, and the name that you bind it to is bound to be somewhat shifty. Ben Laurie I don't see why that would happen all that much, It would happen at least as much as it happens with https, and it happens enough with https that false negatives enormously outweigh true negatives. James A. Donald So pretty soon users are frequently seeing error dialogs - and so, pretty soon, are always clicking through them. Ben Laurie Don't really buy this for what is, mostly, a protocol used by experts. An expert will reflexively click through a dialog that is almost certainly a false negative. True names of hosts is not a deep problem. Indeed, it is even possible to discover rigorously but is the host with the true name the entity you have a relationship with? My two most recent logins were with First National Bank of Omaha and Your IBM Savings plan Is firstnational.com the same entity as First National Bank of Omaha? Is https://lb22.resources.hewitt.com; the same entity as Your IBM Savings plan Knowing that I was really and truly connecting to lb22.resources.hewitt.com was not in fact much use at all. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ez1z37eet0cWwVrNwfCbMCbdIdZ54HnhIA7QnrSN 42IqI9qTDHV9RRUioTTrs3I0W7eyY9zOvBjKSSInB - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
James A. Donald wrote: -- James A. Donald Let us imagine that SSH had certified keys. Well, certifying a key is bound to be complicated, and things are bound to go wrong, and the name that you bind it to is bound to be somewhat shifty. Ben Laurie I don't see why that would happen all that much, It would happen at least as much as it happens with https, and it happens enough with https that false negatives enormously outweigh true negatives. True, but I don't see false negatives very often with https at all. And I visit far more web sites than I log into machines with ssh. So, I'm not really buying this. James A. Donald So pretty soon users are frequently seeing error dialogs - and so, pretty soon, are always clicking through them. Ben Laurie Don't really buy this for what is, mostly, a protocol used by experts. An expert will reflexively click through a dialog that is almost certainly a false negative. That's just not true. True names of hosts is not a deep problem. Indeed, it is even possible to discover rigorously but is the host with the true name the entity you have a relationship with? My two most recent logins were with First National Bank of Omaha and Your IBM Savings plan Is firstnational.com the same entity as First National Bank of Omaha? Is https://lb22.resources.hewitt.com; the same entity as Your IBM Savings plan You have logins at banks and IBM? -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ ** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ ** There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
David Mercer wrote: And my appologies to Ben Laurie and friends, but why after all these years is the UI interaction in ssh almost exactly the same when accepting a key for the first time as overriding using a different one when it changed on the other end, whether from mitm or just a key/IP/hostname change? Untrue, something which a moment's checking would have revealed. A brand new key requires user acceptance: The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. RSA key fingerprint is f2:42:df:b2:6e:1b:8a:ac:96:27:6d:8c:b9:e6:93:a1. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. A changed host key (a much more risky situation) forces the user to manually remove the old key, hopefully forcing them to think about the consequences: @@@ @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is f2:42:df:b2:6e:1b:8a:ac:96:27:6d:8c:b9:e6:93:a1. Please contact your system administrator. Add correct host key in /home/djm/.ssh/known_hosts to get rid of this message. Offending key in /home/djm/.ssh/known_hosts:209 RSA host key for 127.0.0.1 has changed and you have requested strict checking. Host key verification failed. -d - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
James A. Donald wrote: -- From: Ben Laurie [EMAIL PROTECTED] if the key changes in OpenSSH you can't connect until you take positive action by deleting the old key from the known_hosts file. This is totally different to accepting a new key. I will agree that something better than just showing you the key would be cool. Like maybe it could be signed by something so you can verify it that way. Oh, wait. That's PKI, and we all know PKI is broken. But in what it is it broken? I was being sarcastic. I don't believe PKI is inherently broken, unlike some. It does have limited uses, though. Let us imagine that SSH had certified keys. Well, certifying a key is bound to be complicated, and things are bound to go wrong, and the name that you bind it to is bound to be somewhat shifty. I don't see why that would happen all that much, and if it did then just certify with multiple hostnames. You might bind the key to ben.com, but then your host is ssh.ben.com. So pretty soon users are frequently seeing error dialogs - and so, pretty soon, are always clicking through them. Don't really buy this for what is, mostly, a protocol used by experts. What is a true name is a deep and difficult question, and one that people have little patience for when trying to log in. We are overloaded with names, with the result that true names are of limited value in ascertaining true relationships. True names of hosts is not a deep problem. Indeed, it is even possible to discover rigorously (if painfully in extereme cases). Cheers, Ben. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
David Mercer wrote: And my appologies to Ben Laurie and friends, but why after all these years is the UI interaction in ssh almost exactly the same when accepting a key for the first time as overriding using a different one when it changed on the other end, whether from mitm or just a key/IP/hostname change? Thanks for the apology, but ... ssh is not my fault. However, I don't really understand the problem here - if the key changes in OpenSSH you can't connect until you take positive action by deleting the old key from the known_hosts file. This is totally different to accepting a new key. I will agree that something better than just showing you the key would be cool. Like maybe it could be signed by something so you can verify it that way. Oh, wait. That's PKI, and we all know PKI is broken. Horrible, horrible UI, and I'm not sure what's worse, that or trying to USE pgp (gpg, whatever) from a command line, or getting it integrated into a gui mail client. Two words: Thunderbird, enigmail. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
On 12/15/05, Ben Laurie [EMAIL PROTECTED] wrote: David Mercer wrote: Thanks for the apology, but ... ssh is not my fault. Sorry, crosswired openssl and openssh in my brain! I will agree that something better than just showing you the key would be cool. Like maybe it could be signed by something so you can verify it that way. Oh, wait. That's PKI, and we all know PKI is broken. Yeah, 'broken' is about the strongest language we'd want to use on a public list, huh? Horrible, horrible UI, and I'm not sure what's worse, that or trying to USE pgp (gpg, whatever) from a command line, or getting it integrated into a gui mail client. Two words: Thunderbird, enigmail. Sorry, I've become totally addicted to gmail and just can't imagine being tied down to a single desktop machine. Not that gmail is the end all be all of webmail or anything, and I'm not completely sure how far I trust them, but they are top dog right now for email in my book. -David Mercer Tucson, AZ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Crypto and UI issues
-- From: Ben Laurie [EMAIL PROTECTED] if the key changes in OpenSSH you can't connect until you take positive action by deleting the old key from the known_hosts file. This is totally different to accepting a new key. I will agree that something better than just showing you the key would be cool. Like maybe it could be signed by something so you can verify it that way. Oh, wait. That's PKI, and we all know PKI is broken. But in what it is it broken? Let us imagine that SSH had certified keys. Well, certifying a key is bound to be complicated, and things are bound to go wrong, and the name that you bind it to is bound to be somewhat shifty. You might bind the key to ben.com, but then your host is ssh.ben.com. So pretty soon users are frequently seeing error dialogs - and so, pretty soon, are always clicking through them. What is a true name is a deep and difficult question, and one that people have little patience for when trying to log in. We are overloaded with names, with the result that true names are of limited value in ascertaining true relationships. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG Ot8xxQDU9pyVndHTn5kzTOr2CRK60LeWklc4NDLR 4M3vcDbhvr3PhPb10v1p7VO47zgc7ubuUbnhrhoXa - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Crypto and UI issues
(Hopefully this is sent as ascii, as I had previously set my gmail to send in utf-8 encoding, as I often send email in french as well as english. -djm) On 12/11/05, James A. Donald [EMAIL PROTECTED] wrote: It is not my position that inability to sign means that the chairman of the board is stupid. It is that cryptographic signatures are too @#$%^* hard and need to be made user friendly. First write software that is easy enough for your mother. Then we can work on making it easy enough for the marketing department. And then we can work on making it easy enough for realtors! Seriously, that long ago became my off the cuff usability test: they seem to have a harder time figuring out user interfaces that my 75 year old grandmother, or the marketing folks for that reason. Sales people are actually fairly easy to train on any given UI, so long as you instill the proper fear into them (if you don't do this right, your competitor will steal your customer list, and there go all your commisions). It's harder to get marketing people on board like that, as they don't have the same direct financial levels to attack with pavlovian fear conditioning, and CEO's are really bad, as they are used to having secretaries do everything 'hard' with their communications gear, even in the pre-computer era, and also are accustomed to a coterie of handlers and PR people going around and cleaning up any messes they inadvertently make. But realtors, that's been my personal acid test to see if a UI is truly easy to use. Seriously. And my appologies to Ben Laurie and friends, but why after all these years is the UI interaction in ssh almost exactly the same when accepting a key for the first time as overriding using a different one when it changed on the other end, whether from mitm or just a key/IP/hostname change? Horrible, horrible UI, and I'm not sure what's worse, that or trying to USE pgp (gpg, whatever) from a command line, or getting it integrated into a gui mail client. /ui rant - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]