[cap-talk] SSL protection racket

James A. Donald jamesd at echeque.com
Tue Feb 26 16:30:59 EST 2008


John McCabe-Dansted wrote:
 > Just use http. I've often browsed https websites, and
 > Firefox tells me they have some security problem. But
 > Firefox never tells me that http sites have security
 > problems!
 >
 > Clearly http is much more secure.  ;)

It is entirely unreasonable to expect the user to think
about the security properties and characteristics of his
connection, when he is using the connection to do
something.

Rather, whenever we deal with shared secrets such as
passwords a special UI should come up, and whenever we
are logged in a slightly different UI should come up
showing our login state, showing that this page is on a
login connection to so and so.  We can reasonably expect
the user to think of a logged in connection as special,
and a web page that does a login or such as special, but
cannot expect him to consciously think of an https
connection as special.

At present, if you are logged in to the
BankOfAmerica.com, and while logged in you browse to
FreePorn.com, the script in the web page FreePorn.com
can perform operations on your account as you.  This
flaw is the result of implementing security as a
security layer.  The problem occurs because the concept
of a logged in page is not available at the level of the
TLS/SSL layer.  Cryptographers tend to think:  "Hey,
if we have a secure authenticated connection, the job
is done, and all works perfectly.  Any problems that
happen are not problems with the cryptography,
because the application and the user behavior should be
adapted to the characteristics of the channel, instead
of the other way around."