On Fri, Jan 2, 2009 at 6:17 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> There are some (few) users who have become aware of the advice that they
> must check that the certificate belongs to the intended party, but they
> still have no concept of a MITM attack, so they look at the subject name
> in the self-signed cert, and see that it bears the name of the company
> they expect it to name, and they conclude that they have verified that
> the cert is correct and proper, and they get phished.
>
> Either way, the people who get phished, after thinking that they've taken
> due care, conclude that there is no effective security on the internet.
> But they should conclude that there is no effective security on the
> internet WHEN YOU OVERRIDE the security precautions that were put there
> to protect them.  We do not help them by further watering down the
> security warnings.

This is not a PEBKAC error, this is a PEBK (problem exists behind
keyboard) error.

The problem is this: we have all sorts of definitions of what
technical operations can be done with keys (keyUsage), and the types
of technical entities which are 'approved' to use them (web servers,
web clients, etc -- eKU)... but there's absolutely nothing about what
kind of *social* operations can be done by any given entity
which is authenticated by keys.

We do not serve the interests of users by hiding the identity of the
CA.  We do not serve the interests of users by hiding the level to
which a given CA is trusted (WebTrust versus WebTrust EV).  We do not
serve the interests of users by arbitrarily warning them about things
which, if they apply the same level of due diligence that they would
for non-Web interactions, would not pose a security threat.  We do not
serve the interests of users by spreading Fear, Uncertainty, and
Doubt.

The only thing that we can do is make sure that the user has as much
(relevant) information as possible.  We can use our own experiences to
identify what information is most relevant.  We can even ask CPAs and
attorneys (hello, Mozilla general counsel) what information is
relevant, after providing them the list of information that is
compiled.  And we can ask users to help figure out how the information
should be presented.

We can even state Mozilla's opinion of whether a given CA is
trustworthy for financial or fiscal data protection (including
governmental entities).

What we can do -- and all we can do -- is provide relevant information
that the user can use to make her own decision.  What we can't do is
protect the user from the consequences of his own stupidity.
Arguably, we shouldn't even try.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
