On Tue, Jan 8, 2013 at 1:28 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
I've snipped most of this because, although it'd be fun to keep going back and
forth, I'm not sure if everyone else wants to keep reading the exchange (Ben,
we'll continue it over
On Tue, Jan 8, 2013 at 8:40 AM, ianG i...@iang.org wrote:
IMO, the answer to phishing is to solve the password problem, and the
solution to the password problem is really good password managers. But
I haven't had much luck selling that solution. Probably because,
rather like Peter's solution,
On 2013-01-08 7:26 PM, Ben Laurie wrote:
Modulo CAs not working correctly, this is what SSL does. So long as
you define the right server as being the one with the domain name
you navigated to.
Domain names are lengthy and not all that human memorable. I log on to
citicard, the correct
On Tue, Jan 8, 2013 at 11:42 AM, James A. Donald jam...@echeque.com wrote:
On 2013-01-08 7:26 PM, Ben Laurie wrote:
Modulo CAs not working correctly, this is what SSL does. So long as
you define the right server as being the one with the domain name
you navigated to.
Domain names are
ianG wrote:
On 8/01/13 15:16 PM, Adam Back wrote:
[...] a story about how their bank is just totally
hopeless.
[...]
So. Totally hopeless. A recipe for disaster.
Obviously we cannot fix this. But what we can do is decide who is
responsible, and decide how to make them carry that
On Sun, Jan 6, 2013 at 11:20 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org with:
a) I don't believe your figures,
Well I don't believe in the tooth fairy, but in this case you're going to have
to provide a more convincing rebuttal than I choose not to believe in
On 7/01/13 13:25 PM, Ben Laurie wrote:
On Sun, Jan 6, 2013 at 11:20 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org with:
I suspect you don't understand CT - perhaps you'd care to explain why it is
PKI-me-harder?
Because it's a band-aid on a mechanism that
On Mon, Jan 7, 2013 at 5:32 PM, Guido Witmond gu...@wtmnd.nl wrote:
What I read from the certificate-transparency.org website is that it intends
to limit to Global CA certificates. I would urge mr Laurie and Google to
include all certificates, including self-signed. It would increase the value
Ben Laurie b...@links.org writes:
On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
In the light of yet another in an apparently neverending string of CA
failures, how long are browser vendors going to keep perpetuating this PKI
farce? [0]. Not only is there no
Certificate Transparency is a real security measure that is a response by a
browser vendor.
So the response to the repeated failure of browser PKI is PKI-me-harder.
Yeah, that's really going to make users safer.
I don't see why CT is PKI-me-harder. EV or BR would fall into that
category.
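The exchange above argues over whether CT is "PKI-me-harder" without showing what a CT log actually adds on top of the CA model: an append-only Merkle tree whose root the log signs, so that a relying party holding only that root can check that a given certificate is really in the log, and a monitor can later find any certificate a CA issued for a name it watches. The following is an added example, not code from the original thread, from certificate-transparency.org or from any poster. It implements the RFC 6962 Merkle Tree Hash (0x00 leaf prefix, 0x01 node prefix, SHA-256), audit-path generation, and the client-side inclusion check as specified in RFC 9162 section 2.1.3.2. The "certificate" entries are constructed placeholder byte strings, not real certificates, and the log signature over the root is left out.

```python
"""RFC 6962-style Merkle log: tree hash, inclusion proofs, client verification.

Added example for this thread (not code from certificate-transparency.org or
from any poster). Entries are constructed placeholder byte strings standing in
for DER certificates.
"""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: 0x00 prefix domain-separates leaves from nodes."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: 0x01 prefix, so a leaf can never pose as a node."""
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: list) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of entries, per RFC 6962 2.1."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(entries: list, m: int) -> list:
    """Audit path for entry m: the sibling hashes needed to rebuild the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list, root: bytes) -> bool:
    """Client-side check from RFC 9162 2.1.3.2.

    The verifier needs only the entry, its index, the tree size and the
    (signed) root; it never needs the rest of the log. Returns True iff the
    audit path rebuilds exactly `root` with no hashes left over.
    """
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:                 # more proof elements than the tree shape allows
            return False
        if fn & 1 or fn == sn:      # we are a right child (or a lone right-most node)
            r = node_hash(p, r)
            if not fn & 1:          # skip levels where this subtree has no sibling
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:                       # we are a left child
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def demo() -> dict:
    """Constructed sample log of seven placeholder certificates."""
    entries = [b"DER-placeholder:CN=site%d.example" % i for i in range(7)]
    root = merkle_tree_hash(entries)            # what the log would sign as its STH
    proof = inclusion_proof(entries, 3)
    return {
        "genuine":   verify_inclusion(entries[3], 3, 7, proof, root),
        "tampered":  verify_inclusion(b"DER-placeholder:CN=evil.example", 3, 7, proof, root),
        "truncated": verify_inclusion(entries[3], 3, 7, proof[:-1], root),
    }


if __name__ == "__main__":
    print(demo())
```

The security-relevant point the code makes concrete: the verifier trusts the log's signed root, not the CA, and a certificate whose proof does not rebuild that root is simply not in the log. Whether the entry was CA-issued or self-signed makes no difference to the hashing, which is the technical core of the request to log all certificates.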
On Sun, Jan 6, 2013 at 1:15 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
In the light of yet another in an apparently neverending string of CA
failures, how long are browser
Ben Laurie b...@links.org with:
a) I don't believe your figures,
Well I don't believe in the tooth fairy, but in this case you're going to have
to provide a more convincing rebuttal than I choose not to believe in this
inconvenient information.
I suspect you don't understand CT - perhaps you'd
On 2013-01-07 9:20 AM, Peter Gutmann wrote:
I'll update it as soon as browser PKI starts working (meaning that we have
real evidence that it's effectively preventing the sorts of things attackers
are doing, phishing and so on). Deal?
The fundamental cause of phishing is that it is so easy to
There are two long-term trends that might inform this argument.
1. Vendors have typically refused to improve the model of browser
security if it has involved changes to the model. There is a long
history of people providing suggestions, papers and code, and the
vendors have ignored them.
In the light of yet another in an apparently neverending string of CA
failures, how long are browser vendors going to keep perpetuating this PKI
farce? [0]. Not only is there no recorded instance, anytime, anywhere, of a
browser certificate warning actually protecting users from harm [1], but the