[cap-talk] Firefox and identifiability, small steps or large
Ka-Ping Yee
cap-talk at zesty.ca
Wed Feb 9 15:17:10 EST 2005
On Wed, 9 Feb 2005, Ian G wrote:
> >To make this concrete, suppose that Alice doesn't trust VeriSign
> >because she knows that they have been screwing over the Internet
> >for their own selfish purposes. But Alice wants to do business
> >with Paypal. https://paypal.com/ presents a certificate signed
> >by VeriSign. So if she wants to communicate securely with Paypal,
> >she is forced to trust VeriSign in order to do so.
[...]
>
> 2. Alice doesn't have a right to access any given site on her terms.

Perhaps we're aiming for different things here. I do think that Alice
should have the right to *identify* any given site on her own terms.

> >For Alice to be placed regularly or frequently in the position of
> >having to rely on CAs that she doesn't know or doesn't trust is
> >dangerous. If she is forced to do this often enough, she may
> >learn to ignore the CA logo.
>
> I think the security equation is better for the
> logo of the CA being there than not. If she
> then learns to ignore the logo, and then she
> is phished, because the logo changed ... well,
> the browser did its best.

I agree that the TrustBar offers the *possibility* of a benefit for
users that know all the CAs, pay attention, etc. What I'm suggesting
here is that, for most users, this benefit may be reduced near zero
by the fact that most users will not memorize the logos or names of
all the popular CAs. Consequently, they will ignore the CA indicator,
thereby allowing phishers to use self-signed certificates to spoof
the first indicator (the domain name/logo).

Is this better than what we have now? Maybe, but it's hard to say.

On the one hand, you have the domain name in the URL, which is not
spoofable as long as the browser displays the field in a clear font
and IDN is disabled. (Or perhaps you are using SpoofStick and the
domain name is displayed in huge letters.) Then you are relying on
the trustworthiness of the CAs on the browser's internal list.

On the other hand, you have the logos in the TrustBar. The logos are
easier to see, but they are also fully spoofable unless you have
memorized the list of CAs, and even then you are out of luck if the
site you're visiting isn't among them.

Both options seem fairly weak to me. Petnames seem more promising,
if we can come up with a design that people will use properly.

-- ?!ng