Re: Criteria for an antiphishing tool

2005-06-27 Thread Duane
Ian Grigg wrote: 2. This policy seems to have arisen alongside or from a closed meeting of a month or so ago. Duane (representing a CA of 2000 members) didn't get invited to the closed meeting of CAs and browser manufacturers. No minutes, no agenda, no published results. There is only one

Re: Criteria for an antiphishing tool

2005-06-27 Thread Gervase Markham
Ian Grigg wrote: On the notion of common and consistent security UI policy - how is that any different to follow the leader ? It's synonymous as far as I can see it. sigh The implication of the phrase follow the leader is that we are just doing what others are doing simply because they are

Re: Criteria for an antiphishing tool

2005-06-27 Thread Gervase Markham
Ian Grigg wrote: This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it. This is news. Are you intending to announce this or does it remain embargoed ? What is clear about it? Who's in

Re: Criteria for an antiphishing tool

2005-06-26 Thread Amir Herzberg
Ian Grigg responded to Gerv: Amir Herzberg wrote: So, Mozilla plays `follow the leader`? Nice to know. Not exactly the original goal of the project, was it? Up to this point, our discussions have been reasonably civil, but now you are just throwing clearly ridiculous assertions around.

Re: Criteria for an antiphishing tool

2005-06-26 Thread Ian Grigg
Guys, this will be my last post, for reasons that I hope are clear. If anyone wants to discuss phishing, let me know. I'm hopeful a specialist list for cross-fertilisation of phishing efforts will pop up soon. On Saturday 25 June 2005 23:07, Gervase Markham wrote: Ian Grigg wrote: On the

Re: Criteria for an antiphishing tool

2005-06-24 Thread Gervase Markham
Amir Herzberg wrote: So, Mozilla plays `follow the leader`? Nice to know. Not exactly the original goal of the project, was it? Up to this point, our discussions have been reasonably civil, but now you are just throwing clearly ridiculous assertions around. Having a common and consistent

Re: Criteria for an antiphishing tool

2005-06-24 Thread Ian Grigg
Amir Herzberg wrote: So, Mozilla plays `follow the leader`? Nice to know. Not exactly the original goal of the project, was it? Up to this point, our discussions have been reasonably civil, but now you are just throwing clearly ridiculous assertions around. Having a common and

Re: Criteria for an antiphishing tool

2005-06-24 Thread Ian Grigg
On Friday 24 June 2005 09:50, Gervase Markham wrote: Amir Herzberg wrote: So, Mozilla plays `follow the leader`? Nice to know. Not exactly the original goal of the project, was it? Up to this point, our discussions have been reasonably civil, but now you are just throwing clearly

Re: Criteria for an antiphishing tool

2005-06-23 Thread Amir Herzberg
Gervase Markham wrote: To be safe, the user must verify that SSL is enabled and that the displayed domain name exactly matches the expected domain name (which implies that the user has also discovered and memorized the correct domain name). I don't think that's particularly unreasonable.

Re: Criteria for an antiphishing tool

2005-06-23 Thread Amir Herzberg
Ian G wrote: As far as I know it was Netscape that invented SSL. They picked a scheme that was provably secure (from math point of view), which was good. Yes, it was Netscape. The first version was not so good, so I hear, and SSL v2 was pretty good and that stuck well enough to last until

Re: Criteria for an antiphishing tool

2005-06-22 Thread Tyler Close
Hi Amir, I missed you at the TIPPI workshop. It's too bad you weren't able to attend. There was some interesting data presented; some of which is directly relevant to TrustBar. See below. On 6/21/05, Amir Herzberg [EMAIL PROTECTED] wrote: 4. No (or minimal) input from user. Agreed; and

Re: Criteria for an antiphishing tool

2005-06-22 Thread Gervase Markham
Tyler Close wrote: The current SSL UI requires substantial user input on every site visit. It requires user action, not user input. There is a difference. To be safe, the user must verify that SSL is enabled and that the displayed domain name exactly matches the expected domain name (which

Re: Criteria for an antiphishing tool

2005-06-22 Thread Gervase Markham
Tyler Close wrote: The user could mistype the URL. To take a recent example, it appears Amir, a security researcher, mistakenly typed in citybank.com, instead of citibank.com. Similar things happen with all sorts of domain names. On Friday, I mistakenly typed in planetlab.org instead of

Re: Criteria for an antiphishing tool

2005-06-22 Thread Gervase Markham
Tyler Close wrote: The study results were presented at the workshop, but the authors have not yet published a paper, so I can't provide a link as yet. Exactly how useful this test was depends entirely on what instruction the users were given on how to use the anti-phishing features of the

Re: Criteria for an antiphishing tool

2005-06-22 Thread Gervase Markham
Tyler Close wrote: A reasonable conclusion to draw from the MIT study is that if the user is not actively involved in the protection mechanism, he will ignore it. How is that a reasonable conclusion from anything? A user isn't actively involved in his car's airbag, but it still protects him

Re: Criteria for an antiphishing tool

2005-06-22 Thread Ian Grigg
On Wednesday 22 June 2005 18:09, Gervase Markham wrote: Tyler Close wrote: A reasonable conclusion to draw from the MIT study is that if the user is not actively involved in the protection mechanism, he will ignore it. How is that a reasonable conclusion from anything? A user isn't

Re: Criteria for an antiphishing tool

2005-06-22 Thread Amir Herzberg
Gervase Markham wrote: Heikki Toivonen wrote: So that is why the status bar and title bar are the only places where security indicators can go and be available even if the site tries to muck with things. There is also the not-insignificant factor that IE has chosen the status bar as their

Re: Criteria for an antiphishing tool

2005-06-21 Thread Amir Herzberg
I think all five criteria below are correct. I also believe we will meet all of them in our next release (in testing) of TrustBar, and meet almost all even in our current release (which has many downloads, happy users). Here are details: Heikki Toivonen wrote: Ka-Ping Yee wrote: 1. We

Re: Criteria for an antiphishing tool

2005-06-19 Thread Heikki Toivonen
Ian G wrote: Coupled with the emphasis on the search for the revenue stream and a bunch of crypto venders who thought their time had come, the scene was set for a very big approach to this threat. They didn't adopt the original threat model, but picked up a military-inspired threat model -

Re: Criteria for an antiphishing tool

2005-06-19 Thread Tyler Close
On 6/18/05, Heikki Toivonen [EMAIL PROTECTED] wrote: 4. No (or minimal) input from user. To drive home just how misguided this requirement is, I'd like to share with you some data from a recent anti-phishing workshop at Stanford. At the TIPPI workshop, a user study was presented that

Re: Criteria for an antiphishing tool

2005-06-19 Thread Heikki Toivonen
Tyler Close wrote: Maybe you weren't paying attention, or maybe the word input is not as precise as I thought it is. I said *input* - meaning the user must enter some data to the system. Ah, I see. So if we demand users memorize and verify identification credentials, instead of providing the

Re: Criteria for an antiphishing tool

2005-06-19 Thread Tyler Close
Hi Heikki, On 6/19/05, Heikki Toivonen [EMAIL PROTECTED] wrote: Tyler Close wrote: On 6/18/05, Heikki Toivonen [EMAIL PROTECTED] wrote: 4. No (or minimal) input from user. At the TIPPI workshop, a user study was presented that showed that passive anti-phishing tools such as those

Criteria for an antiphishing tool

2005-06-18 Thread Ka-Ping Yee
Hi Heikki, I want to try to summarize some of the criteria you have mentioned so far. Two issues you mentioned were privacy concerns and screen real estate. I would like to add to this a requirement for practical deployability. What do you think of the following: 1. We want an antiphishing

Re: Criteria for an antiphishing tool

2005-06-18 Thread Michael Vincent van Rantwijk
Heikki Toivonen wrote: Ka-Ping Yee wrote: 1. We want an antiphishing tool that does not transmit a record of the user's browsing activity. Good. 2. We want an antiphishing tool that occupies modest or minimal screen space. Good. 3. We want an antiphishing

Re: Criteria for an antiphishing tool

2005-06-18 Thread Tyler Close
On 6/18/05, Heikki Toivonen [EMAIL PROTECTED] wrote: I think a fourth point is required as well: 4. No (or minimal) input from user. Current SSL system generally requires no input from user (exceptions are when some problem with the certificate the server presents). The above

Re: Criteria for an antiphishing tool

2005-06-18 Thread Heikki Toivonen
Michael Vincent van Rantwijk wrote: 4. The Mozilla Foundation wants an anti phishing tool that will most likely only be noticed when you turn your monitor upside down i.e. in the status bar instead of the location bar! If Mozilla Foundation and Mozilla developers could change the world