[cap-talk] Firefox breaks the principle of identifiability

marcs marcs at skyhunter.com
Tue Feb 8 14:24:43 EST 2005


> As this is security, we can't just develop a theory,
> try it and hope it works.  The active aggressor has
> an ability to change our security by hitting our
> assumptions.  It's unlike physics where the bridge
> we build today has to face the same wind and rain
> in 10 years time as today.

Yes. Aggressors will adapt. This is so correct, I want to apply it to your
next paragraph :-)

> 
> A much better approach is to work with small
> changes in what we have available.  For example,
> the simple change to Firefox 1.0 that makes the
> URL bar yellow on SSL will (IMHO) do more to
> defend against phishing than the more complete
> approaches developed here - simply because it
> is there, and in the hands of users.

A simple change that is easily adapted to by the aggressor might be useful
enough to justify in terms of short-term improvement.  Usually not, but one
can do a cost/value comparison. Whatever the cost/value comparison delivers
in the short term, however, is overwhelmed by which of three other
categories the change falls into:

-- It is a step towards a real, complete solution. We are trying to propose
a system, based partly on pet names and partly on other machinery, that
could be a complete solution. If we identify such a solution, and identify a
part of that solution that is quickly deployable that has immediate benefit,
that is a huge victory.

-- It is a step away from a real, complete solution. If you come up with a
plan that has short-term benefit, but makes it even harder to get to any of
the known real solutions, this is a disaster. Stop immediately :-)

-- It is a step sideways compared to a real, complete solution. Do the
cost/benefit analysis to see if it's worth doing, but don't get confused and
think you've done something important.

"Progress is not so much a matter of improving what you have, as of taking a
step towards what must be."

--marcs