[16796] in cryptography@c2.net mail archive


Re: Can you help develop crypto anti-spoofing/phishing tool ?

daemon@ATHENA.MIT.EDU (Daniel Carosone)
Fri Feb 4 12:32:29 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 3 Feb 2005 16:45:13 +1100
From: Daniel Carosone <dan@geek.com.au>
To: Ian G <iang@systemics.com>
Cc: cryptography@metzdowd.com
Mail-Followup-To: Ian G <iang@systemics.com>,
	cryptography@metzdowd.com
In-Reply-To: <4201A112.4000609@systemics.com>


On Thu, Feb 03, 2005 at 03:57:06AM +0000, Ian G wrote:
> Daniel Carosone wrote:
>
> >Other merits of the idea aside, if the user knows the CA is untrusted,
> >what's it doing in the browser's trust path?
>
> The user doesn't select the trust path, the browser manufacturer
> does.
> [..]
> How do you suggest the user deals with this list?  Given that the
> average list has 100+ entries...

That was a very large part of my point.. :)

[As an aside, pruning the CA trust list is a common hardening
recommendation for those building corporate SOE lockdowns and similar
platforms, where the organisation is making a trust decision for the
user differently than the browser maker is.]

> What Amir and Ahmad are looking at is showing the CA as part of the
> trust equation when the user hits a site.  Some CAs will enter the
> user's consciousness via normal branding methods, and new ones will
> trigger care & caution.  Which is what we want - if something
> strange pops up, the user should take more care.

I appreciate what they're trying to do, and think it has merits I'm
not in any way trying to diminish.

I just don't see a great history of success with the general user
populace reading and thinking and reacting properly to security
popup warnings of any kind.

The smart, security-conscious and PKI-aware users who can recognise
good CAs from bad will not be falling for phishing scams in the first
place.  The user who's already some way down the path of falling for
one is unlikely to make a better choice even when you give them
another popup, though there's a chance it might help at least
somebody, and we should surely take that chance.

If the users could make appropriate CA trust choices, having the
browser manufacturers prepopulate a list of potentially-trusted CAs,
with a popup asking for a trust approval the first time a site
presents a cert in that path, might work. Likewise, something that
remembered cert fingerprints and CA path for "known trusted sites",
vaguely a la ssh, and popped up an appropriate warning when something
changes, might work for such a smart user.  Even so, most of the
popups they see are going to be for legitimate cases of cert renewals
or ICA changes or server load-balancers or .. whatever else.

What's really needed is a way to help them make fewer, better
decisions, rather than more decisions.   Wish I knew how..

--
Dan.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
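
The remembered-fingerprint idea in the message above, as an added sketch that is not part of the original post or of any browser's code: a per-host store of the leaf fingerprint and CA path that separates a leaf change under the same issuers from a change of CA path. The class name, verdict strings and the choice to accept a same-CA leaf change silently are assumptions; the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Remembers, per host, the leaf fingerprint and the CA path above it."""

    def __init__(self):
        self._seen = {}  # host -> (leaf fingerprint, tuple of CA fingerprints)

    def check(self, host, chain):
        """chain: list of DER blobs, leaf first. Returns a verdict string."""
        if not chain:
            raise ValueError("empty certificate chain")
        leaf, ca_path = fp(chain[0]), tuple(fp(c) for c in chain[1:])
        known = self._seen.get(host)
        if known is None:
            self._seen[host] = (leaf, ca_path)  # trust on first use
            return "first-seen"
        if known == (leaf, ca_path):
            return "match"
        if ca_path and known[1] == ca_path:
            # Same issuers, new leaf: renewal or another load-balancer node.
            # Assumed policy: remember the new leaf without asking the user.
            self._seen[host] = (leaf, ca_path)
            return "leaf-changed-same-ca"
        # Issuers differ, or a self-signed cert (its own anchor) was replaced.
        # The store is left untouched until the user decides via accept().
        return "ca-path-changed"

    def accept(self, host, chain):
        """Record an explicit user decision to trust the presented chain."""
        self._seen[host] = (fp(chain[0]), tuple(fp(c) for c in chain[1:]))

def demo():
    """Constructed sample: one host seen with four successive chains."""
    store = PinStore()
    visits = [
        [b"leaf-2004", b"ica-A", b"root-A"],
        [b"leaf-2004", b"ica-A", b"root-A"],
        [b"leaf-2005", b"ica-A", b"root-A"],   # renewal under the same CA
        [b"leaf-other", b"ica-B", b"root-B"],  # different CA path
    ]
    return [store.check("bank.example", chain) for chain in visits]

if __name__ == "__main__":
    print(demo())
```

Only the last visit would need a prompt under this policy. A legitimate intermediate-CA change still lands in the same bucket, which is the residual noise the message anticipates.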
