2010/5/21 Robert Relyea <rrel...@redhat.com>:
> On 05/21/2010 07:52 AM, Gervase Markham wrote:
>> On 21/05/10 05:36, Matt McCutchen wrote:
>>> I'm not claiming that the user knows. I only said that if there is in
>>> fact no impersonation, then the error is a false positive.
>>
>> This seems a fine definition to me.
>>
>> If the browser says "OMG - someone might be trying to MITM you", and
>> no-one is, that's a false positive.
>
> Except the warning is that the server is incorrectly identified. Which
> is always true in this case. It isn't safe to continue until the error
> is fixed.
>
> bob
...and is there any means, at all, for an end-user to tell the admins of the server that the server has a configuration error and must be fixed? I submit that there is not. (Even Nelson ran into trouble with notifying a CA about a mis-issued certificate -- and that was a notification *to the company which made an attestation of identity*, which had an interest in knowing about it and fixing it.)

The user cannot generally get on the phone and tell an organization that their server is misconfigured and is causing them to see MITM-like errors, because none of the companies that I have ever seen have had an internal help-desk extension which external users could be directed to.

The browser cannot automatically submit that it sees an error in the configuration. Such a mechanism would (quite rightly) have privacy activists up in arms, as it would leak information about the user's configuration in the process. (Firefox currently submits URLs to Google, if the user accepts the "web forgery notification" service -- I wonder if submitting the URL that the client tried to get to, as well as the security result from NSS, would be able to lead to administrators being notified of a statistically-significant number of errors. It might also be a helpful tool to determine where a particular MITM attack is occurring.)

I think that this is no longer a "technical code" discussion, and thus now properly belongs on dev-security-policy.

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto