[16809] in cryptography@c2.net mail archive


Re: Can you help develop crypto anti-spoofing/phishing tool ?

daemon@ATHENA.MIT.EDU (Ed Gerck)
Fri Feb 4 12:46:10 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 03 Feb 2005 11:29:08 -0800
From: Ed Gerck <egerck@nma.com>
To: cryptography@metzdowd.com
In-Reply-To: <4201340A.3030505@cs.biu.ac.il>



Amir Herzberg wrote:
> We develop TrustBar, a simple extension to FireFox (& Mozilla), that 
> displays the name and logo of SSL protected sites, as well as of the CA 
> (so users can notice the use of untrusted CA). I think it is fair to say 
> that this extension fixes some glitches in the deployment of SSL/TLS, 
> i.e. in the most important practical cryptographic solution.

Yes, because it makes the user notice what CAs the _browser_ has
decided the user _automatically_ accepts [1]. But there is a caveat. Can
you trust what TrustBar shows you? And, of course, knowing what CA
is being used is also possible without TrustBar but requires a couple
mouseclicks. Wouldn't it be better if Firefox/Mozilla simply
put the name of the CA next to the lock icon?

Cheers,
Ed Gerck

[1] see corresponding flaws noted in
http://nma.com/papers/certover.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
