Re: Disallowed company name

2018-06-03 Thread Lee via dev-security-policy
On 6/1/18, Ryan Sleevi wrote:
> On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch wrote:
>
>> Security can be viewed as a series of AND's that must be satisfied in
>> order to conclude "you are probably secure". For example, when you browse
>> to an important website, make sure that "https" is used AND that the
>> domain name looks right AND that a "lock icon" appears in the UI AND,
>> if the site uses EV certs, that the name of the organization seems
>> correct. Failing any of those, stop immediately; if all of them hold
>> true, you are probably fine.
>
> Note that research has shown

citation required

> that your first,
>> make sure that "https" is used

trivially easy after one adds the line
  user_pref("browser.urlbar.trimURLs", false);
to user.js.

> second,
>> the domain name looks right

easier after one adds the line
  user_pref("network.IDN_show_punycode", true);
to user.js & while not so easy on your first visit, trivially easy thereafter.

> third,
>> a "lock icon" appears

trivially easy

> and fourth options
>> the name of the organization seems correct

a problem on your _first_ visit.

> are all unreasonable requests of humans trying to be productive.

They wouldn't be so unreasonable if Mozilla had picked better defaults.

Lee
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
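
The two checks that Lee's user.js preferences make visible (the scheme, and the ASCII `xn--` form of an internationalized host name), as an added example that is not part of the original message. The function names and sample URLs are constructed for illustration, and Python's built-in IDNA 2003 codec stands in for the browser's own display logic; the mixed-script check goes one step beyond what the message describes.

```python
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label):
    """Rough set of scripts in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def to_a_label(label):
    """ASCII (xn--) form of one DNS label, via Python's IDNA 2003 codec."""
    return label.encode("idna").decode("ascii")


def inspect_url(url):
    """Report what an untrimmed, punycode-only address bar would expose."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return {
        # Visible once the scheme is no longer trimmed from the URL.
        "https": parts.scheme == "https",
        # What the host looks like when IDNs are shown as punycode.
        "ascii_host": ".".join(to_a_label(l) for l in labels),
        # Labels that would render as Unicode without that setting.
        "idn_labels": [l for l in labels if not l.isascii()],
        # Labels mixing scripts, a common trait of lookalike names.
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
    }


if __name__ == "__main__":
    # Constructed samples: the first host starts with Cyrillic U+0430,
    # which is visually close to Latin "a".
    for sample in ("https://\u0430pple.example/login",
                   "http://www.example.com/"):
        print(sample, inspect_url(sample))
```
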


Re: Disallowed company name

2018-06-03 Thread Peter Gutmann via dev-security-policy
Matthew Hardeman writes:
>>On Thu, May 31, 2018 at 8:38 PM, Peter Gutmann wrote:
>>
>>>Banks, trade vendors, etc, tend to reject accounts with names like this.
>>
>>Do they?
>>
>>https://www.flickr.com/photos/nzphoto/6038112443/
>
>I would hope that we could agree that there is generally a different risk
>management burden in getting a store loyalty tracking card versus getting a
>loan or even opening a business demand deposit account.

I haven't gone through the full process of opening an account since I didn't
want to actually open a real account, but got most of the way through with
Bobby Tables, so it seems possible here.  The account name is pretty much
irrelevant, all that matters is the account number.  Then on making a payment
you get texted the details of the transaction (to/from/amount/etc) and asked
to approve it.  The name never crops up.

In terms of tax filing it's the same, what matters is your taxpayer number,
not whether you want to file your return as Mister Mxyzptlk.

Peter.