[16879] in cryptography@c2.net mail archive

Re: A cool demo of how to spoof sites (also shows how TrustBar

daemon@ATHENA.MIT.EDU (Amir Herzberg)
Thu Feb 10 13:36:45 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 10 Feb 2005 10:10:04 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
To: Taral <taral@taral.net>
Cc: Ian G <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <20050209230426.GB19199@yzma.clarkk.net>

Taral wrote:
> On Wed, Feb 09, 2005 at 09:08:45PM +0000, Ian G wrote:
> 
>>The plugin is downloadable from a MozDev site,
>>and presumably if enough attention warrants it,
>>Amir can go to the extent of signing it with a
>>cert in Mozilla's code signing regime.
This, of course, is up to Mozilla, not to me... We are trying to get 
Mozilla (and other browsers) to adopt the idea. I guess, once they do, 
they'll do a review and then sign, as a first step towards integrating it 
into the browser package (you can't expect to protect all/most users, 
including naive, with an extension - signed or not...).
> 
> 
> That only authenticates that Amir wrote the code, not that the code is
> safe.
Absolutely! And I didn't write the code, btw, Ahmad did. I'm just 
writing designs, protocols, proofs, papers... (I like programming but 
rarely get to it, I'm afraid).
> 
>>Also, as Amir is a relatively well known name in
>>the world of crypto I suppose you could consider
>>his incentives to be more aligned with delivering
>>good code than code that would do you damage.
thanks!
> 
> *This* is a reasonable argument, but I'd prefer a second-party review
> before I install anything.
Of course; again: by posting on this list I am exactly encouraging 
people to review the code (it is all script so you can just download 
TrustBar and read it), write their own better code, etc...

Best, Amir Herzberg

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
