Eddy Nigg wrote:
On 11/15/2008 05:18 PM, Ian G:
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:
Not sure why, but your posting arrived only now...
I was offline / travelling. There is this little lightbulb on the
bottom left side of Thunderbird that we can click, and then the emails
On 11/15/2008 05:18 PM, Ian G:
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:
Not sure why, but your posting arrived only now...
What is clear is that the name is not really the essence of the process,
it is just one part. So if we are claiming the full essence of getting
people to cou
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:
No it's not. You just need the person, not their identity.
LOL, you are funny...and how exactly do you get the person if you don't
know who it is that you need? This is what the (verified real) identity
details in certificates are here for...
On 11/15/2008 10:04 PM, Paul Hoffman:
At 8:20 PM +0200 11/15/08, Eddy Nigg wrote:
Let's stay focused!
This thread started off with a purported newbie having a problem with seeing
self-signed certs where she shouldn't have. It then morphed into a discussion
of security UI design. Then it went
At 8:20 PM +0200 11/15/08, Eddy Nigg wrote:
>Let's stay focused!
This thread started off with a purported newbie having a problem with seeing
self-signed certs where she shouldn't have. It then morphed into a discussion
of security UI design. Then it went to what users should and should not be tol
On 11/15/2008 05:57 PM, Wes Kussmaul:
Eddy Nigg wrote:
On 11/15/2008 05:19 PM, Florian Weimer:
* Alaric Dailey:
DNSSEC is an assertion of validity of the DNS.
EV certs assert that the business behind the cert is legit.
Only that a legal entity exists (whether its "legitimate" is not
checke
Eddy Nigg wrote:
On 11/15/2008 05:19 PM, Florian Weimer:
* Alaric Dailey:
DNSSEC is an assertion of validity of the DNS.
EV certs assert that the business behind the cert is legit.
Only that a legal entity exists (whether its "legitimate" is not
checked). EV certificates are routinely issu
On 11/15/2008 05:19 PM, Florian Weimer:
* Alaric Dailey:
DNSSEC is an assertion of validity of the DNS.
EV certs assert that the business behind the cert is legit.
Only that a legal entity exists (whether its "legitimate" is not
checked). EV certificates are routinely issued to organizatio
* Alaric Dailey:
> DNSSEC is an assertion of validity of the DNS.
> EV certs assert that the business behind the cert is legit.
Only that a legal entity exists (whether its "legitimate" is not
checked). EV certificates are routinely issued to organizations which
do not run the business which e
On 11/12/2008 05:21 PM, Ian G:
No it's not. You just need the person, not their identity.
LOL, you are funny...and how exactly do you get the person if you don't
know who it is that you need? This is what the (verified real) identity
details in certificates are here for...
If you need to
Eddy Nigg wrote:
Nope, just eliminating an assumption or two: identity required for
court. Once these are eliminated, life becomes much easier.
Real identity is required for court,
No it's not. You just need the person, not their identity. The
identity is useful for eliminating mistakes,
On 11/12/2008 08:32 AM, Ian G:
eBay users seems to survive without them?
Because a different body governs them.
Or lets make some comparison to transportation, where one in order to
drive a car must undergo some training and carry a license. I could
imagine something similar applied to the
Eddy Nigg wrote:
On 11/11/2008 03:54 PM, Ian G:
And, in particular, the PKI industry's obsession with some concept that
you refer to as "legal identity" is ruining its own market.
I personally don't perceive it as such nor do I think that there is such
an obsession. I *do* believe that more
On Tue, Nov 11, 2008 at 9:06 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/11/2008 03:54 PM, Ian G:
>>
>> And, in particular, the PKI industry's obsession with some concept that
>> you refer to as "legal identity" is ruining its own market.
>>
>
> I personally don't perceive it as such nor do I
On 09.11.2008, at 16:25, Ian G wrote:
Eddy Nigg wrote:
Now I'm interested in getting rid of self-signed certificates if
possible. They undermine "legitimate" certificates and put the
majority of users under an unneeded risk. That's one of my goals
today!
It seems that Eddy and Nelson ar
On 11/11/2008 03:54 PM, Ian G:
And, in particular, the PKI industry's obsession with some concept that
you refer to as "legal identity" is ruining its own market.
I personally don't perceive it as such nor do I think that there is such
an obsession. I *do* believe that more verified identiti
> No. There is no consensus. There are opposing camps. One camp
> believes that the solution is to drop all self-signed certs. Another
> camp believes that Key Continuity Management is the answer. Yet a third
> camp believes that user training has to be done, and the UI needs a
> little tweaki
Sorry, rushed reply!
Eddy Nigg wrote:
On 11/11/2008 04:58 AM, Ian G:
Yes, you are confirming and reinforcing his point: the dominant paradigm
-- to push a concept of a binding of legal name to key -- is making it
difficult for advocates of crypto to gain traction.
It serves a purpose, it's n
On 11/11/2008 04:58 AM, Ian G:
Yes, you are confirming and reinforcing his point: the dominant paradigm
-- to push a concept of a binding of legal name to key -- is making it
difficult for advocates of crypto to gain traction.
It serves a purpose, it's not the only form in current applied PKI
Eddy Nigg wrote:
On 11/10/2008 04:31 PM, Ian G:
Eddy Nigg wrote:
[EMAIL PROTECTED] is hardly a legal identity...
That's because there is no such thing as a "legal identity."
I think he meant with "legal" your legally given name as listed in your
passport for example or an organization as
At 11:52 AM -0800 11/10/08, Nelson Bolyard wrote:
>DNSSEC only attempts to ensure that you get the (a) correct IP address.
s/only/only currently/
You can stick any data you want in the DNS. Currently the most popular data is
the A record (IP address) associated with a domain name, but is it quit
list
Subject: DNSSEC? Re: MITM in the wild
I haven't followed this lengthy discussion in detail but I have for a long
time wondered how DNSSEC
and SSL-CA-Certs should coexist.
Which one will be the "most" authoritative?
Could DNSSEC (if it finally succeeds) be the end of S
Nelson Bolyard wrote:
I haven't followed this lengthy discussion in detail but I have for a long
time wondered how DNSSEC and SSL-CA-Certs should coexist.
Which one will be the "most" authoritative?
Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
DNSSEC only attempts to ens
On 11/10/2008 04:31 PM, Ian G:
Eddy Nigg wrote:
[EMAIL PROTECTED] is hardly a legal identity...
That's because there is no such thing as a "legal identity."
I think he meant with "legal" your legally given name as listed in your
passport for example or an organization as registered and au
On 11/10/2008 09:52 PM, Nelson Bolyard:
Anders Rundgren wrote:
I haven't followed this lengthy discussion in detail but I have for a long
time wondered how DNSSEC and SSL-CA-Certs should coexist.
Which one will be the "most" authoritative?
Could DNSSEC (if it finally succeeds) be the end of SS
Anders Rundgren wrote:
> I haven't followed this lengthy discussion in detail but I have for a long
> time wondered how DNSSEC and SSL-CA-Certs should coexist.
>
> Which one will be the "most" authoritative?
>
> Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
DNSSEC only attemp
Eddy Nigg wrote:
On 11/10/2008 02:11 AM, Kyle Hamilton:
On Sun, Nov 9, 2008 at 7:26 AM, Eddy Nigg<[EMAIL PROTECTED]> wrote:
Since there's a fairly argumentative tone going on, I think I should
explain what my viewpoint is:
Kyle, your reply was highly interesting! Nevertheless I'll cut down my
I haven't followed this lengthy discussion in detail but I have for a long time
wondered how DNSSEC
and SSL-CA-Certs should coexist.
Which one will be the "most" authoritative?
Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
Anders
On 11/10/2008 02:11 AM, Kyle Hamilton:
On Sun, Nov 9, 2008 at 7:26 AM, Eddy Nigg<[EMAIL PROTECTED]> wrote:
Since there's a fairly argumentative tone going on, I think I should
explain what my viewpoint is:
Kyle, your reply was highly interesting! Nevertheless I'll cut down my
response to a fe
>Well, all the arguments have been heard on this already, and positions are
>fairly entrenched. It seems futile to have the debate over and over, and I
>for one would like to point out that it is uncomfortable to treat it like a
>political campaign.
>
>Perhaps a vote?
Not for me, but perhaps a
On Sun, Nov 9, 2008 at 7:26 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/09/2008 04:25 PM, Ian G:
>>
>> Well, all the arguments have been heard on this already, and positions
>> are fairly entrenched. It seems futile to have the debate over and over,
>> and I for one would like to point out tha
On 11/09/2008 04:25 PM, Ian G:
Well, all the arguments have been heard on this already, and positions
are fairly entrenched. It seems futile to have the debate over and over,
and I for one would like to point out that it is uncomfortable to treat
it like a political campaign.
Well, Kyle stated
Eddy Nigg wrote:
Now I'm interested in getting rid of self-signed certificates if
possible. They undermine "legitimate" certificates and put the majority
of users under an unneeded risk. That's one of my goals today!
Well, all the arguments have been heard on this already, and positions
are
Kyle Hamilton wrote:
Because you're assuming that everything that occurs in this world
exists in a corporate environment, Eddy. That is the environment
where CAs flourish, where CAs thrive, where CAs can do what they're
best at -- *because all authority and trust trickles down from the
corporati
On 11/09/2008 08:38 AM, Kyle Hamilton:
Because you're assuming that everything that occurs in this world
exists in a corporate environment, Eddy.
Well, I didn't mean only the corporate, but also any hobbyist geek.
Those are the ones who lament against PKI in general and promote
self-signed certs.
Because you're assuming that everything that occurs in this world
exists in a corporate environment, Eddy. That is the environment
where CAs flourish, where CAs thrive, where CAs can do what they're
best at -- *because all authority and trust trickles down from the
corporation, a tool used to help
On 11/08/2008 10:50 PM, Kyle Hamilton:
I would have no problem with changing the chrome when people step
outside of the assurances that Firefox tries to provide. I /do/ have
a problem with removing the ability for users to try to self-organize
their own networks. (The threat model is different,
Kyle Hamilton wrote:
The basic idea for querying this would be as follows: hash the Subject
and each/all SANs in the certificate, and query for that hash (perhaps
to a web service). If there's a match,
Would I as an attacker use a perfect Subject / SAN that would leave
itself easily matcha
There are two ways to target MITM attacks.
First is the attack against the user, sending everything destined for
TLS (either via HTTP proxy or via port-forwarding techniques) from the
user's machine to the attacker.
Second is the attack against the server, sending network traffic
destined for the s
On 11/07/2008 11:21 PM, Nelson B Bolyard:
I will add that, while MITMs have historically been very rare, they are
on the upswing. I see two broad areas where MITM attacks are on the
increase, and they're both directed at the user, not the server.
One must recognize the fact that MITM attacks w
Iang wrote, On 2008-11-07 08:22:
> Bernie Sumption wrote:
>> How about an MITM detection service that gives no false positives, but
>> might give false negatives? If you positively identify an MITM attack,
>> you can present users with a much more definite UI saying "this *is*
>> an MITM attack" a
Bernie Sumption wrote:
If we create an error display that says "No kidding, this absolutely
is an attack and we're stopping you cold to protect you from it."
it seems unavoidable that users will learn to treat the absence
of such an unbypassable error display as proof to the contrary,
proof that
Bernie Sumption wrote:
If we create an error display that says "No kidding, this absolutely
is an attack and we're stopping you cold to protect you from it."
it seems unavoidable that users will learn to treat the absence
of such an unbypassable error display as proof to the contrary,
proof that
Bernie Sumption wrote:
Graham, Nelson, Eddy, you all make good points.
I'll take your word for it that it's impossible to detect MITM attacks
with 100% reliability, as I said I'm not a security expert.
How about an MITM detection service that gives no false positives, but
might give false negat
Eddy Nigg wrote:
On 11/07/2008 05:18 AM, Kyle Hamilton:
So, essentially, what you're saying is that it was a targeted attack
against a user, instead of an attack targeted against a server?
What is an attack targeted against a server in the context of browsers
and MITMs?
Possibly, it is mu
> If we create an error display that says "No kidding, this absolutely
> is an attack and we're stopping you cold to protect you from it."
> it seems unavoidable that users will learn to treat the absence
> of such an unbypassable error display as proof to the contrary,
> proof that the site is gen
On 11/07/2008 05:18 AM, Kyle Hamilton:
So, essentially, what you're saying is that it was a targeted attack
against a user, instead of an attack targeted against a server?
What is an attack targeted against a server in the context of browsers
and MITMs?
--
Regards
Signer: Eddy Nigg, Start
Kyle,
Kyle Hamilton wrote:
So, essentially, what you're saying is that it was a targeted attack
against a user, instead of an attack targeted against a server?
Apparently, keeping track of keys in certificates placed individually
into NSS might be a good idea regardless.
The attacker absolute
So, essentially, what you're saying is that it was a targeted attack
against a user, instead of an attack targeted against a server?
Apparently, keeping track of keys in certificates placed individually
into NSS might be a good idea regardless.
-Kyle H
On Thu, Nov 6, 2008 at 5:09 PM, Nelson B Bo
Ian G wrote, On 2008-11-06 15:06:
> Nelson B Bolyard wrote:
>> Ian G wrote, On 2008-11-06 12:48:
>>> Nelson B Bolyard wrote:
What curious things do you notice about these certs?
>>> Only one key?
>> Yup. That's the biggie. It allows the MITM to get by with just a
>> single private key.
>
Ian G wrote:
Nelson B Bolyard wrote:
Ian G wrote, On 2008-11-06 12:48:
Nelson B Bolyard wrote:
What curious things do you notice about these certs?
Only one key?
Yup. That's the biggie. It allows the MITM to get by with just a
single private key.
OK. We can of course all imagine ways
Nelson B Bolyard wrote:
Ian G wrote, On 2008-11-06 12:48:
Nelson B Bolyard wrote:
What curious things do you notice about these certs?
Only one key?
Yup. That's the biggie. It allows the MITM to get by with just a
single private key.
OK. We can of course all imagine ways to exploit th
Ian G wrote, On 2008-11-06 12:48:
> Nelson B Bolyard wrote:
>> What curious things do you notice about these certs?
>
> Only one key?
Yup. That's the biggie. It allows the MITM to get by with just a
single private key.
> All have same Issuer + Subject?
Yeah, all self signed. All DNs consis
Kyle,
Kyle Hamilton wrote:
Should there be a check to make sure that disparate sites aren't using
the same public key modulus/exponent?
That would be fairly hard to implement reliably.
Currently, we don't persist end-entity certs of web sites in general in PSM.
Even if we did, what is the l
...and they're all using MD5?
-Kyle H
On Thu, Nov 6, 2008 at 12:48 PM, Ian G <[EMAIL PROTECTED]> wrote:
> Nelson B Bolyard wrote:
>>
>> What curious things do you notice about these certs?
>
>
> Only one key? All have same Issuer + Subject?
>
> iang
>
Aside from the fact that they all claim to be issued by themselves,
but the key modulus is the same across all of them?
Perhaps the fact that they're all version 3 certificates that don't
show any version 3 extensions, such as "keyUsage" and
"extendedKeyUsage"?
Should there be a check to make sur
Nelson B Bolyard wrote:
What curious things do you notice about these certs?
Only one key? All have same Issuer + Subject?
iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
What curious things do you notice about these certs?
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1224169969 (0x48f759f1)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: "CN=unaportal.una.edu,O=University of North Alabama"
Validity:
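The pattern Nelson and Kyle pick out of the captured certificates (one key behind every subject, all self-signed, MD5 signatures, version 3 with no extensions) is easy to check mechanically once the certificates are in hand. The Go program below is an added example, not code from this thread or from NSS/PSM. Its sample certificates are constructed on the spot (example.* names, one RSA key shared by three of them, a fourth cert with its own key) using only the standard library; Go refuses to sign with MD5, so the constructed sample cannot reproduce that detail, but the check stays in the code for real captures.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding describes one public key that shows up in certificates for more
// than one subject, plus the side observations made in the thread.
type Finding struct {
	KeyFingerprint string   // hex SHA-256 of the DER SubjectPublicKeyInfo
	Subjects       []string // distinct subject DNs seen with this key (sorted)
	SelfSigned     int      // certs whose Issuer DN equals their Subject DN
	MD5Signed      int      // certs signed with MD5-RSA
	NoExtensions   int      // v3 certs that carry no extensions at all
}

// SharedKeys groups certificates by public key and reports only keys that
// appear under more than one distinct subject. A proxy that mints a fresh
// self-signed certificate per site from a single private key leaves exactly
// this trace; unrelated honest sites almost never share a key.
func SharedKeys(certs []*x509.Certificate) []Finding {
	byKey := map[string]*Finding{}
	seen := map[string]map[string]bool{} // fingerprint -> subject DNs already counted
	for _, c := range certs {
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		fp := hex.EncodeToString(sum[:])
		f, ok := byKey[fp]
		if !ok {
			f = &Finding{KeyFingerprint: fp}
			byKey[fp] = f
			seen[fp] = map[string]bool{}
		}
		if subj := c.Subject.String(); !seen[fp][subj] {
			seen[fp][subj] = true
			f.Subjects = append(f.Subjects, subj)
		}
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			f.SelfSigned++
		}
		if c.SignatureAlgorithm == x509.MD5WithRSA {
			f.MD5Signed++
		}
		if c.Version == 3 && len(c.Extensions) == 0 {
			f.NoExtensions++
		}
	}
	var out []Finding
	for _, f := range byKey {
		if len(f.Subjects) > 1 {
			sort.Strings(f.Subjects)
			out = append(out, *f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].KeyFingerprint < out[j].KeyFingerprint })
	return out
}

// selfSigned mints a bare self-signed v3 certificate. No KeyUsage, no
// BasicConstraints, no SANs are set, so the result carries no extensions,
// like the captured certs. Go refuses MD5 signatures, so SHA-256 is used.
func selfSigned(key *rsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts is constructed test data (not the certificates from the thread):
// one RSA key reused for three self-signed certs with different CNs, plus one
// unrelated certificate with its own key.
func SampleCerts() ([]*x509.Certificate, error) {
	shared, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	own, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	keys := []*rsa.PrivateKey{shared, shared, shared, own}
	names := []string{"portal.example.edu", "mail.example.net", "login.example.org", "honest.example.com"}
	var certs []*x509.Certificate
	for i := range names {
		c, err := selfSigned(keys[i], names[i], int64(i+1))
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	for _, f := range SharedKeys(certs) {
		fmt.Printf("key %s... behind %d subjects (%d self-signed, %d MD5, %d without extensions): %v\n",
			f.KeyFingerprint[:16], len(f.Subjects), f.SelfSigned, f.MD5Signed, f.NoExtensions, f.Subjects)
	}
}
```

The check is only as good as the corpus it runs over: as Nelson notes further up, PSM did not persist the end-entity certificates of visited sites, so a client would first have to start recording them (or a proxy log would have to be captured) before key reuse across hosts could be noticed at all. Keying on the SubjectPublicKeyInfo hash rather than on the RSA modulus alone keeps the same logic usable for non-RSA keys.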
Bernie Sumption wrote, On 2008-11-06 03:57:
> Graham, Nelson, Eddy, you all make good points.
>
> I'll take your word for it that it's impossible to detect MITM attacks
> with 100% reliability, as I said I'm not a security expert.
>
> How about an MITM detection service that gives no false positi
Graham, Nelson, Eddy, you all make good points.
I'll take your word for it that it's impossible to detect MITM attacks
with 100% reliability, as I said I'm not a security expert.
How about an MITM detection service that gives no false positives, but
might give false negatives? If you positively i
On 11/04/2008 02:04 PM, Bernie Sumption:
The problem as I see it is that the same warning UI is shown whenever
there is a less than perfect certificate. Let us assume
The concept of SSL certificates isn't based on assumptions! Neither does
the cryptographic library assume things, but makes de
Bernie Sumption wrote, On 2008-11-04 04:04:
>> Is removal of the ability to override bad certs the ONLY effective
>> protection for such users?
>
> No. If we can detect MITM attacks, the problem goes away.
It does?
Absence of an incomplete MITM attack does not prove the identity of the
server.
Bernie Sumption wrote:
The problem as I see it is that the same warning UI is shown whenever
there is a less than perfect certificate. Let us assume that 99.99% of
the time, this is either a misconfigured web server or a homebrew site
that is using self-signed certs because they only care about
enc
> Is removal of the ability to override bad certs the ONLY effective
> protection for such users?
No. If we can detect MITM attacks, the problem goes away. There are
ways of detecting MITM attacks, but first of all, this is why we need
to do it:
The problem as I see it is that the same warning UI
Ian G:
Nelson B Bolyard wrote:
It is widely agreed that, since KCM has no central revocation facility,
KCM is not central, period. Talking about revocation is a strawman.
I think that's the point he is making.
What's your point? Sounds to me like most of the last 1000 security
bugs. P
Ian G wrote, On 2008-10-20 22:41:
> Nelson B Bolyard wrote:
>> It is widely agreed that, since KCM has no central revocation facility,
>
> KCM is not central, period. Talking about revocation is a strawman.
I should have said "central revocation SERVICE". Sadly, it DOES have a
central revocati
Nelson B Bolyard wrote:
> Ian G wrote, On 2008-10-20 19:24:
>
>> There are possibilities. One is the server-side self-signed certs,
>> which would generally prefer KCM to be useful, so add Petnames.
>> This is ok for small sites, small communities, but valuable there as
>> compromised boxes are a
Ian G wrote, On 2008-10-20 19:24:
> There are possibilities. One is the server-side self-signed certs,
> which would generally prefer KCM to be useful, so add Petnames.
> This is ok for small sites, small communities, but valuable there as
> compromised boxes are a pain.
The Debian OpenSSL fiasc
https is a perfectly valid protocol, and I don't think that it should
be changed (or any aspect of it should be changed or supplanted). The
ONLY problem that exists is the chrome.
On Mon, Oct 20, 2008 at 6:23 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
>> b) some unmistakeable blatantly obv
Nelson B Bolyard wrote:
> OK, I was too flippant, but I'm serious about wanting an alternative
> to https, something that means security not good enough for financial
> transactions, but OK for your private home router/server.
>
> Nelson B Bolyard wrote, On 2008-10-20 15:07:
>> Ian G wrote, On 200
Nelson B Bolyard:
OK, I was too flippant, but I'm serious about wanting an alternative
to https, something that means security not good enough for financial
transactions, but OK for your private home router/server.
One way doing it is going to http://www.ietf.org/ and proposing it.
Another wa
OK, I was too flippant, but I'm serious about wanting an alternative
to https, something that means security not good enough for financial
transactions, but OK for your private home router/server.
Nelson B Bolyard wrote, On 2008-10-20 15:07:
> Ian G wrote, On 2008-10-20 13:28:
>> (e.g., we do agr
Nelson B Bolyard wrote:
b) some unmistakeable blatantly obvious way to show the user that this
site is not using security that's good enough for banking but, well,
is pretty good security theater. Flashing pink chrome?
Empty wallet icon? The whistling sounds associated with falling things?
http
Nelson B Bolyard:
httpst:// (security theater) maybe? or
httpwf:// (warm fuzzy) or
mitm://
LOL, I can't hold myself on the chair anymore... I'm laughing myself
kaput! Because of you I had to change my shirt and clean the keyboard
from coffee stains. Can you warn me next time upfront not
Ian G wrote, On 2008-10-20 13:28:
> Yes. E.g., did you know that the point of a good lock on a door is
> *not* to stop a burglar getting in, but to stop him getting out?
> That's why it is called a deadbolt. The burglar can always get in,
> the game is to stop him getting out the front door, car
At 11:49 AM -0700 10/20/08, Nelson B Bolyard wrote:
>Jean-Marc Desperrier wrote, On 2008-10-20 01:50:
>
>> As has *already* been reported on this group, *many*, *many*, *many*
>> users did not file a bug report until now and switched browser instead.
>
>OK. So, many users who have been MITM attack
Kyle Hamilton wrote:
> On Mon, Oct 20, 2008 at 4:49 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
>> Jean-Marc Desperrier:
>>> Graham Leggett wrote:
This is the classic balance between convenience and security.
>>> inconvenience != security.
>>>
>>> inconvenience == unsecurity.
>>>
>> Every time I
Nelson B Bolyard wrote:
> Jean-Marc Desperrier wrote, On 2008-10-20 05:33:
>> Jean-Marc Desperrier wrote:
>
>> I realized that there's a specific reason why I don't lock my door after
>> entering. [...] The door of my apartment doesn't have an outside handle.
>> You can't enter without using the
My good and knowledgeable friend Eddy Nigg will have a fit about my
putting into this list a link to something that is just an illustration.
Eddy, forgive me, but the folks on this list should be allowed to see a
new approach to a solution that is worth noting here.
See the bottom paragraph o
On Mon, Oct 20, 2008 at 4:49 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> Jean-Marc Desperrier:
>>
>> Graham Leggett wrote:
>>>
>>> This is the classic balance between convenience and security.
>>
>> inconvenience != security.
>>
>> inconvenience == unsecurity.
>>
>
> Every time I come from shopping
Jean-Marc Desperrier wrote, On 2008-10-20 01:50:
> As has *already* been reported on this group, *many*, *many*, *many*
> users did not file a bug report until now and switched browser instead.
OK. So, many users who have been MITM attacked chose to defeat their
protections, and switch to a pro
Jean-Marc Desperrier wrote, On 2008-10-20 05:33:
> Jean-Marc Desperrier wrote:
> I realized that there's a specific reason why I don't lock my door after
> entering. [...] The door of my apartment doesn't have an outside handle.
> You can't enter without using the key.
In other words, you don't
Everybody take a deep breath. If we start treating this as black-and-white
extremes, it is unlikely that most users will get the best security and
usability.
Few if any of us active in this thread are HCI experts. Few of us have anything
more than small amounts of anecdotal evidence. Many of us
Jean-Marc Desperrier wrote, On 2008-10-20 01:50:
> Eddy Nigg wrote:
>> Ian G:
>>> Nelson B Bolyard wrote:
Despite all the additional obstacles that FF3 put in her way, and all
the warnings about "legitimate sites will never ask you to do this",
she persisted in overriding every error
Eddy Nigg wrote:
[...]. But if we believe that we should get to the point to prevent users
from clicking through errors (because of the risk involved) than we are
very close already. Implementation proposals may vary, but I think that
with providing better security for the AVERAGE user, overall u
Nelson B Bolyard wrote:
> Ian G wrote, On 2008-10-19 15:17:
>> Nelson B Bolyard wrote:
>
>>> KCM would have accepted those certs without any complaint.
>> Ahhh, not exactly! With KCM, it is not up to it to accept any certs
>> any time: unfamiliar certs are passed up to the user for validation.
Eddy Nigg wrote:
[...]
Despite that, http://www.xitimonitor.com/ has testimony to a growing
market share of Firefox in Europe, including Germany. Go figure...
I *never* claimed that this problem would lower the *general* use of
Firefox. The SSL use case is small enough that it has *no* weight
Jean-Marc Desperrier:
The practical result of inconvenience is a threshold level that depends
on two factors: the inconvenience and the perceived threat.
I agree with every word you said in this mail! Risk assessment is
important! I believe that we just don't agree (yet) where to draw the
line
Jean-Marc Desperrier wrote:
Eddy Nigg wrote:
[...]
Every time I come from shopping it's very inconvenient to put down the
shopping bags, grab for my keys and open the front door of my house.
Then pick up my bags again. After entering I have to lock the door again
(by convenience, if I want). But
Jean-Marc Desperrier:
The second number hardly actually proves anything. In what I describe,
users will continue to use Firefox most of the time, and switch to IE
only for broken SSL sites.
Believe me, I have counts of web site owners "fixing" their web sites
because of the mounting complain
Eddy Nigg wrote:
[...]
Every time I come from shopping it's very inconvenient to put down the
shopping bags, grab for my keys and open the front door of my house.
Then pick up my bags again. After entering I have to lock the door again
(by convenience, if I want). But overall, what an inconvenien
Ian G:
Curious! Eddy, how did you learn how to go to all that inconvenience?
LOL
Because I'm a security expert I guess :-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Jean-Marc Desperrier:
Broken? Yes, instead of accessing the web site, he got some error
screen, and had to run IE instead.
Oh yes, and IE let him just through, no errors and no red address bar
and no "We recommend not to visit this site", right?
This was a developer with already around t
Eddy Nigg wrote:
[...]
MY sources show clearly that both web sites using legitimate
certificates and "market share" of Firefox has gone up. This is correct
in real number and relative percentage wise.
The second number hardly actually proves anything. In what I describe,
users will continue to
Eddy Nigg wrote:
> Jean-Marc Desperrier:
>> Graham Leggett wrote:
>>>
>>> This is the classic balance between convenience and security.
>>
>> inconvenience != security.
>>
>> inconvenience == unsecurity.
>>
>
> Every time I come from shopping it's very inconvenient to put down the
> shopping bags,
Jean-Marc Desperrier:
Graham Leggett wrote:
This is the classic balance between convenience and security.
inconvenience != security.
inconvenience == unsecurity.
Every time I come from shopping it's very inconvenient to put down the
shopping bags, grab for my keys and open the front door
Jean-Marc Desperrier:
Eddy Nigg wrote:
[...]
When the visitor statistics suddenly goes down, web site owners will
take action.[...]
It will not go down. It's only the percentage of users using Firefox that
will go down.
Can you please backup your assumptions?
MY sources show clearly that
Nelson B Bolyard wrote:
[...]
This incident has shown that FF3, with its all-too-easy-to-defeat MITM
reporting, is NOT suitable for high-value web transactions such as
online banking.
You know Nelson the reason why you are taking this the wrong way is that
you have *no* direct experience of ho
Graham Leggett wrote:
David E. Ross wrote:
[...]
I have also visited sites with incorrectly configured site certificates.
[...]. I definitely do not want to be locked out of these sites either.
This is the classic balance between convenience and security.
inconvenience != security.
inconven
Eddy Nigg wrote:
[...]
When the visitor statistics suddenly goes down, web site owners will
take action.[...]
It will not go down. It's only the percentage of users using Firefox that
will go down.
Please note that we've seen *one* knowledgeable enough webmaster report
here that the number o