An attack on paypal

Ian Grigg iang at systemics.com
Wed Jun 18 20:15:34 EDT 2003


Matthew Byng-Maddick wrote:
> 
> On Fri, Jun 13, 2003 at 04:32:12PM -0700, Bill Stewart wrote:
> > An e-gold-specific or paypal-specific client can tell,
> > because it can remember that it's trying to see the real thing,
> > but the browser can't tell, except by bugging you about
> > "Hi, this is a new site that's giving us a new cert" placebo box.
> 
> Don't knock this warning, it might be enough of an indication to the user
> that something is not quite right. "But I've logged into e-gold before,
> and it never said this...". It certainly should be. In most browsers,
> though, there isn't even that, by default, at least, IMLE.

It's certainly enough - IMHO - to take the wind out
of the sails of the current rash of pirates.  If
the "placebo box" were to present the number of times
connected, and showed this in a graphical fashion,
I think it would be something ordinary users would
understand.


E.g.,  bright and bold and pulsing for 1st time,
with a big frowny face and the number 1.  Warm and
fuzzy for 10th time, with a big 10 and a smiley
face.  It might even put the fun back into browser
programming :-)  


Certificate caching is a far more powerful idea
than, say, CA-signed certs.  If it were added
to browsers, and servers initialised with self-
signed certs, then the security of the net would
go up immensely.  Integrated with some of the
ideas that people have suggested concerning WoT,
publicly distributed certs, and individualised
displays (amounting to local secrets keyed on the
cert), we could actually start to see people using
secured browsing when they wanted to rather than
when they were forced to.

It might even raise the stock of the profession
above the current "maybe it's all snake oil" rating
that some skeptics have applied :-)


(Oddly enough, the market for CA-signed certs
would also increase, and the factory signers
would make a killing, but that's a rant for
another day.)

-- 
iang
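The certificate-caching idea in the post above, as an added illustration that is not part of Ian Grigg's message or of the list archive: a browser-side cache keyed on hostname that remembers the certificate it has seen, counts the visits made with it, and drives the "placebo box" text from that count (loud and frowny on visit 1, warmer as the count grows). It goes one step past the post by also reporting the case where a remembered host presents a different certificate, which is the condition a lookalike site produces and the reason the cache must not silently overwrite its memory. The hostname and certificate bytes are constructed stand-ins, and the SHA-256 fingerprinting, the class names and the count thresholds are my assumptions, not anything the post specifies.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Outcomes the cache reports back to the browser UI.
FIRST_SEEN = "first_seen"    # never connected to this host before
SEEN_BEFORE = "seen_before"  # same certificate as on every earlier visit
CHANGED = "changed"          # host is presenting a different certificate


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate; the value the cache remembers."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Observation:
    status: str                     # one of FIRST_SEEN / SEEN_BEFORE / CHANGED
    count: int                      # visits seen with the remembered certificate
    previous: Optional[str] = None  # remembered fingerprint, set only on CHANGED


@dataclass
class CertCache:
    # host -> (fingerprint of the remembered cert, number of visits with it)
    _seen: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def observe(self, host: str, cert_der: bytes) -> Observation:
        fp = fingerprint(cert_der)
        if host not in self._seen:
            self._seen[host] = (fp, 1)
            return Observation(FIRST_SEEN, 1)
        old_fp, count = self._seen[host]
        if old_fp == fp:
            self._seen[host] = (fp, count + 1)
            return Observation(SEEN_BEFORE, count + 1)
        # A different certificate is what a lookalike site produces. Keep the
        # old memory and leave the counter alone; the caller must call
        # accept_new() explicitly if the user decides to trust the new cert.
        return Observation(CHANGED, count, previous=old_fp)

    def accept_new(self, host: str, cert_der: bytes) -> None:
        """User explicitly accepted a changed certificate: start counting afresh."""
        self._seen[host] = (fingerprint(cert_der), 1)


def placebo_box(obs: Observation) -> str:
    """Text for the 'placebo box': frowny and loud on visit 1, warmer as the
    count grows, and an alarm when the remembered certificate changes."""
    if obs.status == CHANGED:
        return (f":-( CERTIFICATE CHANGED after {obs.count} visits; "
                "this is not the site you remember")
    if obs.count == 1:
        return ":-( 1 - first visit; nothing vouches for this site yet"
    if obs.count < 10:
        return f":-| {obs.count} - seen {obs.count} times so far"
    return f":-) {obs.count} - same certificate on all {obs.count} visits"


# Constructed stand-ins for DER certificate bytes; not real certificates.
GENUINE_CERT = b"constructed-DER-stand-in: genuine site cert"
LOOKALIKE_CERT = b"constructed-DER-stand-in: lookalike site cert"
HOST = "payments.example"  # constructed hostname


def demo() -> list:
    """Ten visits with the same cert, then a visit that presents a different one.
    Returns the three statuses the UI would see: first visit, tenth, mismatch."""
    cache = CertCache()
    statuses = [cache.observe(HOST, GENUINE_CERT).status]
    for _ in range(9):
        last = cache.observe(HOST, GENUINE_CERT)
    statuses.append(last.status)
    statuses.append(cache.observe(HOST, LOOKALIKE_CERT).status)
    return statuses


if __name__ == "__main__":
    cache = CertCache()
    for cert in [GENUINE_CERT] * 10 + [LOOKALIKE_CERT]:
        print(placebo_box(cache.observe(HOST, cert)))
```

Running the block prints the box text for eleven visits: the frowny "1", growing counts, the smiley "10", then the change alarm. The design point is in `observe()`: a mismatch returns `CHANGED` without touching the stored fingerprint, so the count the user has built up cannot be reset by the site that presents the wrong certificate.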

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
