[cap-talk] Firefox and identifiability, small steps or large
Ian G
iang at systemics.com
Wed Feb 9 16:42:08 EST 2005
Ka-Ping Yee wrote:
>On Wed, 9 Feb 2005, Ian G wrote:
>
>>>To make this concrete, suppose that Alice doesn't trust VeriSign
>>>because she knows that they have been screwing over the Internet
>>>for their own selfish purposes. But Alice wants to do business
>>>with Paypal. https://paypal.com/ presents a certificate signed
>>>by VeriSign. So if she wants to communicate securely with Paypal,
>>>she is forced to trust VeriSign in order to do so.
>>>
>[...]
>
>>2. Alice doesn't have a right to access any given site on her terms.
>
>Perhaps we're aiming for different things here. I do think that Alice
>should have the right to *identify* any given site on her own terms.
>
Right, as long as that doesn't extend to making
the site choose her favourite CA. The way I
see the scenario you outlined is that she faces
a choice like:

1. no CA sig on the cert, in which case she is
   on her own to do the Introduction, and
   thereafter she is safe, based on her
   successful intro, using some other technique.

2. CA-Mallory signs the cert, in which case
   Alice is very unhappy, but the Introduction
   reduces to case 1. She uses other techniques.
   Now, thereafter, she has to set her
   browser to distrust CA-Mallory as a
   CA, as otherwise she is now vulnerable to
   a false cert attack from CA-Mallory.

3. CA-Trent signs the cert, in which case she
   is happy.

So, the way I see it, if Alice comes up against
CA-Mallory, the situation reverts to Case 1,
in which case she can only identify the site
on her own terms. I don't think she has a
right to expect Case 3, or at least I can't see
how she could expect it, given that Certs cost
money.
>>>For Alice to be placed regularly or frequently in the position of
>>>having to rely on CAs that she doesn't know or doesn't trust is
>>>dangerous. If she is forced to do this often enough, she may
>>>learn to ignore the CA logo.
>>>
>>I think the security equation is better for the
>>logo of the CA being there than not. If she
>>then learns to ignore the logo, and then she
>>is phished, because the logo changed ... well,
>>the browser did its best.
>
>I agree that the TrustBar offers the *possibility* of a benefit for
>users that know all the CAs, pay attention, etc. What I'm suggesting
>here is that, for most users, this benefit may be reduced near zero
>by the fact that most users will not memorize the logos or names of
>all the popular CAs. Consequently, they will ignore the CA indicator,
>thereby allowing phishers to use self-signed certificates to spoof
>the first indicator (the domain name/logo).
>
>Is this better than what we have now? Maybe, but it's hard to say.
>
OK, let me drift here into why logos are better
than pet names. It's easiest to say from these
words: TV, movies, brands, fashion, marketing.
All these things use visual information to get a
message across. The reason they use a visual
symbol is because it is much higher bandwidth
and much more efficient than almost any other
form.
Consider this test. Glance at a well branded
item. How long did it take you to pick it as a
well branded item? About 100ms would do it,
but what's even better is that the brain can
do this in parallel ... many images at once.
Meanwhile, try doing the same thing with words.
For a start, most (not all) people read words
serially. Then, people read at about a few words
per second.
The time taken to express a warm fuzzy feeling
with words is about 10 seconds (think radio
jingles), whereas with an image you can do it
in 2 orders of magnitude less. There's a reason
why it is illegal to put subliminal images in movies,
for example...
Or, consider another example: Most traffic signals,
warning signals, etc, are based on colour and
symbols. About the only one that is not is the
STOP sign, which is used even in many countries
where stop is not a local word!
(It took me months to work out why they have
these pretty Xing signs in the US... I thought
it was a weird advertising campaign or something)
Oh, one final thing: remember the target market.
It isn't us people who deal with newspapers, write
email all day, and play Mozart. It's people who
watch TV all day, and go to sports and worry
about which magazine on weight reduction to
buy. A very different market to the technical
world. These people deal in images, simply
because they want their info fast and simple.
>On the one hand, you have the domain name in the URL, which is not
>spoofable as long as the browser displays the field in a clear font
>and IDN is disabled. (Or perhaps you are using SpoofStick and the
>domain name is displayed in huge letters.) Then you are relying on
>the trustworthiness of the CAs on the browser's internal list.
>
>On the other hand, you have the logos in the TrustBar. The logos are
>easier to see, but they are also fully spoofable unless you have
>memorized the list of CAs, and even then you are out of luck if the
>site you're visiting isn't among them.
>
No, the logos of the CAs can resist spoofing because
they can be signed by the CA and/or delivered
with the root list or the TrustBar. There's only
a hundred or so.
If you visit a site where you come across a new CA,
and you see a new logo, well, you're not exactly out
of luck, you just got told you're in new territory.
Which is exactly what you want - a warning that the
locals look a bit shifty around here.
Then there are the logos that you select for the site.
Now, it seems that this is the same logic as for pet
names. The user chooses a logo. In this sense
instead of seeing a pet name in the bar, the user
sees the logo she chose. If the logo is spoofable,
then I imagine the pet name is spoofable by the
same mechanism, no?
This is why I say that the Trustbar dominates the
pet names plugin - it uses the logos under user
selection, *and* they are logos which are much
better than words.
>Both options seem fairly weak to me. Petnames seem more promising,
>if we can come up with a design that people will use properly.
>
Still, what is really needed is to experiment with
them both side by side. Perhaps you could consider
expanding your trial design to trying out each of
the alternates? Asking a lot, I know.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
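The three cases above (no CA, CA-Mallory, CA-Trent) and the later point that a user-chosen logo or petname is bound to the site rather than to the CA can be written down as a small policy model. The code below is an added example for this archive page, not code from the post, from TrustBar or from the petnames plugin; CA-Trent, CA-Mallory, the site names and the "keys" are constructed placeholders, and the pin is a hash of the site's key standing in for whatever the real Introduction would record. It shows why Alice must actively distrust CA-Mallory after Case 2: until she does, the browser's root list accepts Mallory's word for any other site, while her own pin already protects the site she introduced.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Everything here is constructed for illustration: the CA names, the site
# names and the byte strings used as "keys" are placeholders, not real entities.


@dataclass(frozen=True)
class Cert:
    site: str              # domain the certificate claims
    pubkey: bytes          # site's public key (a constructed byte string here)
    issuer: Optional[str]  # CA that signed it, or None for a self-signed cert


def fingerprint(pubkey: bytes) -> str:
    """A pin or petname is bound to the site's key, never to the CA."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class AliceBrowser:
    root_list: Set[str]                                     # CAs the browser ships with
    ca_logos: Dict[str, str]                                # CA logos delivered with the root list
    distrusted: Set[str] = field(default_factory=set)       # CAs Alice switched off herself
    pins: Dict[str, str] = field(default_factory=dict)      # site -> key fingerprint from her Introduction
    petnames: Dict[str, str] = field(default_factory=dict)  # site -> the label/logo she chose

    def introduce(self, cert: Cert, petname: str) -> None:
        """Case 1: Alice checks the site by some other technique and pins its key."""
        self.pins[cert.site] = fingerprint(cert.pubkey)
        self.petnames[cert.site] = petname

    def distrust(self, ca: str) -> None:
        """Case 2 follow-up: stop CA-Mallory from vouching for any further site."""
        self.distrusted.add(ca)

    def verdict(self, cert: Cert) -> str:
        """Decide the case for a presented certificate."""
        if cert.site in self.pins:  # an introduced site: the pin decides, the CA is irrelevant
            if self.pins[cert.site] == fingerprint(cert.pubkey):
                return "known"
            return "alert: key changed for introduced site"
        if cert.issuer is None:
            return "case 1: unsigned, introduction needed"
        if cert.issuer in self.distrusted:
            return "case 2: distrusted CA, introduction needed"
        if cert.issuer in self.root_list:
            return "case 3: CA trusted"
        return "unknown CA, introduction needed"

    def trustbar(self, cert: Cert) -> str:
        """What the bar shows: her own logo beats the CA's, and a new CA means new territory."""
        if cert.site in self.pins:
            ok = self.pins[cert.site] == fingerprint(cert.pubkey)
            return self.petnames[cert.site] if ok else "[ALERT]"
        if cert.issuer in self.ca_logos and cert.issuer not in self.distrusted:
            return self.ca_logos[cert.issuer]  # bundled with the root list, not fetched from the page
        return "[new territory]"


def walkthrough() -> Tuple[str, ...]:
    """Alice's sequence of visits, following the cases in the post."""
    b = AliceBrowser(root_list={"CA-Trent", "CA-Mallory"},
                     ca_logos={"CA-Trent": "[Trent logo]", "CA-Mallory": "[Mallory logo]"})
    paypal = Cert("paypal.example", b"paypal-key-v1", "CA-Mallory")
    bank = Cert("bank.example", b"bank-key-v1", "CA-Trent")
    v1 = b.verdict(paypal)          # root list still lists CA-Mallory, so the browser accepts
    b.introduce(paypal, "[my PayPal logo]")  # Alice falls back to Case 1 on her own
    b.distrust("CA-Mallory")                 # ... and switches CA-Mallory off
    v2 = b.verdict(paypal)          # now known by her pin, not by the CA
    v3 = b.verdict(Cert("paypal.example", b"mallory-issued-key", "CA-Mallory"))  # false cert trips the pin
    v4 = b.verdict(Cert("shop.example", b"shop-key", "CA-Mallory"))  # Mallory's word no longer suffices
    v5 = b.verdict(bank)            # CA-Trent: Case 3
    return (v1, v2, v3, v4, v5)


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The first verdict is the uncomfortable part of Case 2: nothing in the browser objects to CA-Mallory until Alice records her distrust, so the Introduction and the distrust entry together are what turn the situation back into Case 1.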