On 25/04/2014 18:40 pm, Tony Arcieri wrote:
> On Fri, Apr 25, 2014 at 3:10 AM, ianG <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     Worse, consider Firefox's behaviour:  it considers a certificate-secured
>     site such as a self-cert'd site to be dangerous, but it does not
>     consider a HTTP site to be dangerous.  So it tells the user HTTP is
>     safe, whereas an attempt to secure means that the user is being robbed!
> 
> 
> I actually brought this up with one of Chrome UX engineers, specifically
> how to Joe User the address bar makes it appear that plaintext HTTP is
> more secure than HTTPS with an untrusted cert. While one is MitM-able by
> an active attacker, the other is most certainly being passively MitMed
> by someone! :O
> 
> The response was that users have an expectation of security when using
> HTTPS that they don't with HTTP, but I wonder, how many people just
> think they're safe because of the absence of scary warning signs and
> have no idea what HTTP vs HTTPS actually means?


Right, that is their logic, and as usual it depends on their rather
unique and personal assumptions which they are incapable of discussing.

We know from phishing and from research that people do not have a
reliable knowledge of whether they are in HTTP or HTTPS in the first place.

We also know that prevalence of scary warnings for false negatives is
O(100) times that of true negatives, and from statistics, this means
that users are trained to click-thru scary warnings, and will miss any
true negatives.  Hence click-thru syndrome.

We also know K6 that if the system is complicated, they'll choose to
turn it off and go naked.

So the 'expectation' which the developers imagine they are trying to meet
is really rather hopeful, at best, cognitive dissonance in the middle
and negligence at the sharp end.  Yes, us lot here know about it.  Yes,
developers know about it.

But the users?  Not a lot of hope there, not enough to build a PKI
promise on.


> I think plaintext HTTP should show a lock with a big "no sign" over it
> or something to highlight to users that the connection is insecure.

I think colours are fine.  White for HTTP.  Light Blue for CA-HTTPS,
Green for EV, and Light Pink for non-CA-HTTPS.

But the point of the above mis-expectations is that it is aligned with
CA notions of selling more certs.  A self-signed cert is to them a lost
CA-cert sale, so must be attacked.  The fact that most CAs haven't the
first clue about marketing ("a rising tide lifts all boats") is a rabbit
hole we'll refrain from today.



iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography