[cap-talk] Firefox breaks the principle of identifiability

Ian G iang at systemics.com
Mon Feb 7 19:06:32 EST 2005


Mark S. Miller wrote:

> Ka-Ping Yee wrote:
>
>> Pet names would be a good step toward a solution of this problem.
>> However, i'm inclined to think that Unicode domain names are just
>> inherently insecure and should not be used.  Even if users learn
>> to identify sites with pet names, they are still vulnerable to
>> confusion if they look at the location bar, read the name there,
>> and type it into the location bar later.
>>
>> What do you think of this problem?
>
>
> How is it that Pet Names don't solve this problem?
>
> Ian G wrote:
> > You need more than just pet names.  The central
> > issues surround the domain as a trust vector,
> > and its relationship to the certificate.  If the
> > domain matches ("is signed by") the cert, then
> > it is accepted, and that domain is good.
>
> Huh? How is it that Pet Names don't solve this problem?
>

Firstly, as above, the browser needs to index from the cert,
and currently does not.  (I'm not sure what amount of work
is required for this, but I'd anticipate some work there.)

Secondly, petnames may "solve" the problem in theory, but are
not as good as logos.  The ergonomics of graphical presentations
work much better than just words.  Intuitively, just looking
at the research done on the graphical presentations indicates
that, and there's been no research done on the effect of the
petnames to my knowledge.

The main issue here is that petnames are just one idea that
could assist.  What will be required is experimentation along
different lines, trying petnames alongside other methods.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


