David E. Ross wrote:
I visit some Web sites with self-signed certificates. None of those
sites request any input from me. The only reason they have site
certificates is that the site owners want to show off how technically
astute they are. Hah! However, those sites do indeed contain
Steffen Schulz wrote:
On 081018 at 20:30, Nelson B Bolyard wrote:
FF3 had utterly failed to convey to her any understanding that she was
under attack. The mere fact that the browser provided a way to override
the error was enough to convince her that the errors were not serious.
I find it
Nelson B Bolyard wrote:
Kaspar Brand wrote, On 2008-10-18 00:18:
Nelson B Bolyard wrote:
Yes. Bad response, ugly errors, no fun.
With the default settings in Firefox 3, it isn't that bad... remember
that it's the graceful failure mode which is selected by default:
Don't forget the OCSP
Ian G wrote:
Steffen Schulz wrote:
I find it amazing that someone shows this level of ignorance but then
manages to file a bugreport... :-)
[...] play with compilers, flags, build own browser,
To provide the output shown at the end of
Ian G wrote, On 2008-10-19 05:09:
Ian G wrote:
Nelson B Bolyard wrote:
KCM would not have helped.
I agree, KCM would not have helped. In both cases, the warnings are
delivered, and the user is given the responsibility for the overrides.
I was thinking about this, and actually, KCM would
Eddy Nigg wrote, On 2008-10-18 20:10:
Requiring a change to about:config would facilitate your needs (because
you have the knowledge to do both - change the config and know what it
means), while still protecting the standard user who neither cares about
security nor has any clue what
Nelson B Bolyard:
Eddy Nigg wrote, On 2008-10-18 20:10:
Requiring a change to about:config would facilitate your needs (because
you have the knowledge to do both - change the config and know what it
means), while still protecting the standard user who neither cares about
security nor has any
Nelson B Bolyard wrote:
Ian G wrote, On 2008-10-19 05:09:
Ian G wrote:
Nelson B Bolyard wrote:
KCM would not have helped.
I agree, KCM would not have helped. In both cases, the warnings are
delivered, and the user is given the responsibility for the overrides.
I was thinking about this,
Ian G:
If the user does not validate, then she has done a bad thing. Yes,
KCM would be at its weakest at that point, but no software tool is
perfect; at some stage we have to ask the user, and then by
definition the software is weak, dependent on the user.
Chiming in here
PKI wasn't
Eddy Nigg:
PKI wasn't meant to facilitate certificates issued at random. PKI is
meant to disallow anything it doesn't know and doesn't chain to the root. In
the browser we have many roots, but it's the browser's fault to allow the
user to ignore and click all the way through to heaven...or hell.
Ian G wrote, On 2008-10-19 15:17:
Nelson B Bolyard wrote:
KCM would have accepted those certs without any complaint.
Ahhh, not exactly! With KCM, it is not up to it to accept any certs
any time: unfamiliar certs are passed up to the user for validation.
Yes, but the users are
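The KCM behaviour described in the exchange above (an unfamiliar key is passed to the user, a known key passes silently, a changed key is flagged), and the point made earlier in the thread that KCM does not help once the user simply overrides the warning, as an added example that is not part of this mailing-list discussion or of any browser's code. The "certificates" are constructed byte strings standing in for DER, the host name is hypothetical, and the SHA-256 fingerprint store is a stand-in for whatever a real client would persist. The allow_override switch models the about:config suggestion made elsewhere in the thread.

```python
import hashlib
from enum import Enum

# Constructed stand-ins for DER-encoded certificates; real code would
# use the bytes handed over during the TLS handshake.
SITE_CERT = b"constructed DER placeholder: bank.example, key A"
MITM_CERT = b"constructed DER placeholder: bank.example, key B (interceptor)"


class Verdict(Enum):
    FIRST_SEEN = "unfamiliar key: pass it up to the user for validation"
    MATCH = "key matches the pinned key: proceed silently"
    CHANGED = "key differs from the pinned key: possible MITM, warn"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, used as the continuity pin."""
    return hashlib.sha256(cert_der).hexdigest()


class KeyContinuityStore:
    """Trust-on-first-use store: one pinned fingerprint per host."""

    def __init__(self, allow_override: bool = True):
        self._pins = {}  # host -> fingerprint
        # True models a browser whose warning dialog can be clicked through;
        # False models a client that refuses to re-pin over a changed key
        # unless an explicit (about:config-style) setting permits it.
        self.allow_override = allow_override

    def check(self, host: str, cert_der: bytes) -> Verdict:
        pinned = self._pins.get(host)
        if pinned is None:
            return Verdict.FIRST_SEEN
        if pinned == fingerprint(cert_der):
            return Verdict.MATCH
        return Verdict.CHANGED

    def accept(self, host: str, cert_der: bytes) -> bool:
        """Record the user's validation of this key. Returns False when the
        key has changed and overriding is disallowed, leaving the old pin."""
        if self.check(host, cert_der) is Verdict.CHANGED and not self.allow_override:
            return False
        self._pins[host] = fingerprint(cert_der)
        return True


def run_scenario(allow_override: bool) -> list:
    """Walk one host through first visit, normal revisit, a key change and
    a user click-through, returning the verdict at each step."""
    store = KeyContinuityStore(allow_override=allow_override)
    host = "bank.example"  # hypothetical host
    steps = []
    steps.append(store.check(host, SITE_CERT).name)   # FIRST_SEEN
    store.accept(host, SITE_CERT)                      # user validates key A
    steps.append(store.check(host, SITE_CERT).name)   # MATCH
    steps.append(store.check(host, MITM_CERT).name)   # CHANGED: interceptor's key
    overridden = store.accept(host, MITM_CERT)         # user clicks through
    steps.append("OVERRIDE_ALLOWED" if overridden else "OVERRIDE_REFUSED")
    # Once the override is accepted, the interceptor's key is the pinned one
    # and later visits through the interceptor look perfectly familiar.
    steps.append(store.check(host, MITM_CERT).name)
    return steps


if __name__ == "__main__":
    for flag in (True, False):
        print(f"allow_override={flag}: {run_scenario(flag)}")
```

The second scenario is the one the thread argues for: with overriding refused, the pin set on the first validated visit survives the interceptor's certificate, and every later visit through the interceptor still comes back CHANGED instead of quietly becoming the new normal.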
Ian G wrote, On 2008-10-18 12:32:
This is the pathological problem with MITM protection that has
existed from day 1 of SSL: it was a solution in advance of a
problem. Given that the solution was theoretical, and the problem
had no practical existence (until recently), the solution could
Ian G wrote, On 2008-10-19 05:50:
[...] I would like to figure out a nice story that says
use Firefox for all your general browsing ... but use for your
online bank. I just don't know what is.
As much as it pains me to say it, I agree. That is what is needed.
This incident has
Nelson B Bolyard wrote, On 2008-10-19 19:03:
Be careful not to confuse and conflict the MITM detection properties
of SSL with the MITM resistance properties of the browser UI.
s/conflict/conflate/ :(
Nelson B Bolyard:
This incident has shown that FF3, with its all-too-easy-to-defeat MITM
reporting, is NOT suitable for high-value web transactions such as
online banking.
FF3 is suitable for people on this list. It appears that it's not yet
suitable for the average user. At least FF3