Mozilla tool to self-verify HTTPS site

Ian Grigg iang at systemics.com
Wed Jun 25 07:15:41 EDT 2003


Victor.Duchovni at morganstanley.com wrote:

> How many users can remember MD5 checksums??? If they were rendered into
> something pronounceable via S/Key like dictionaries it might be more
> useful...

Apologies, last night's answer was too brief to
be useful!  Here's the more detailed and coffee
charged explanation:

Printing out a fingerprint allows a PGP-ite to
feel comfortable, but we all know there are
precious few of those on the planet.  So the
expected benefit to security is fairly low.

We don't get much bang for our buck here, so
we're agreed on that point.

In reality, the importance of the tool is that
it signifies - to me at least - that the browser
manufacturers (which I conveniently enlarge to
include plug-in makers :) are beginning to address
the security failures in secure browsing.  In
small steps, but they are now facing towards the
threat, at least.  Maybe.  I hope.

Also, SSLbar isolates and addresses what I perceive
to be a questionable design feature in SSL:  the
certificate and its delivery as an integral and
assumed part of SSL.

Here, this tool specifically challenges that
feature and allows for out-of-band checking of
the certificate.  It ignores or supplements the
debatable assumption that browsers make:  a
certificate is good if and only if it is signed
by a known CA.

That's a good thing, IMHO.  Tying the certificate
into the core crypto protocol seems to be a poor
design choice;  outsourcing any certification to
a higher layer seems to work much better out in
the field.

(E.g., PGP, SSH, SOX, Eric B's cryptophone.)

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
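The out-of-band check the message is arguing for, and the "pronounceable fingerprint" idea from the quoted reply, as an added example. This is not code from the original thread or from the SSLbar plug-in: it hashes the server's DER certificate, renders the digest both as the colon-separated hex a browser shows and as S/Key-style words, and then decides whether to accept the peer by combining the pinned fingerprint with the CA verdict. The certificate bytes and the 32-word dictionary are constructed so it runs offline; `fetch_leaf_der()` is the live path and is never called here.

```python
"""Out-of-band certificate fingerprint checking, SSLbar-style.

Added example, not code from the original message or from SSLbar.
The CA check answers "is this cert signed by a CA I know?"; a pinned
fingerprint answers "is this the exact certificate I obtained out of band?".
"""
from __future__ import annotations

import hashlib
import hmac
import math
import socket
import ssl


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER certificate and render it the way browsers and openssl do:
    upper-case hex pairs separated by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed 32-word dictionary (5 bits per word). Real S/Key uses a
# 2048-word list (11 bits per word); the chunking below is the same, only
# the table is smaller so the example stays short.
WORDS = (
    "able", "acid", "also", "bank", "bold", "cake", "calm", "cold",
    "dark", "dove", "echo", "east", "fast", "file", "gold", "gate",
    "hill", "hawk", "iron", "jade", "king", "lamp", "mild", "moon",
    "nest", "oval", "pine", "quiz", "rose", "sand", "tide", "wolf",
)
BITS_PER_WORD = int(math.log2(len(WORDS)))  # 5


def to_words(digest: bytes) -> list[str]:
    """Render a digest as pronounceable words: treat the digest as one big
    integer, zero-pad to a multiple of BITS_PER_WORD, emit one word per chunk."""
    nbits = len(digest) * 8
    nwords = math.ceil(nbits / BITS_PER_WORD)
    value = int.from_bytes(digest, "big") << (nwords * BITS_PER_WORD - nbits)
    mask = len(WORDS) - 1
    return [WORDS[(value >> (BITS_PER_WORD * (nwords - 1 - i))) & mask]
            for i in range(nwords)]


def from_words(words: list[str], nbytes: int) -> bytes:
    """Inverse of to_words, so a fingerprint read over the phone can be compared."""
    value = 0
    for w in words:
        value = (value << BITS_PER_WORD) | WORDS.index(w)
    value >>= len(words) * BITS_PER_WORD - nbytes * 8
    return value.to_bytes(nbytes, "big")


def check_peer(der: bytes, pinned: str | None, ca_chain_ok: bool,
               mode: str = "supplement", algo: str = "sha256") -> tuple[bool, str]:
    """Combine the browser's CA verdict with the out-of-band fingerprint.

    mode="supplement": accept only if the CA chain verified AND the pin matches.
    mode="replace":    accept on the pin alone (SSH known_hosts style); the CA
                       verdict is ignored.
    With no pin at all we fall back to the CA-only rule the message questions.
    """
    if pinned is None:
        return ca_chain_ok, "no pin: CA chain alone decides"
    observed = fingerprint(der, algo)
    # Constant-time comparison; the observed string is attacker-influenced.
    pin_ok = hmac.compare_digest(observed.upper().replace(":", ""),
                                 pinned.upper().replace(":", ""))
    if not pin_ok:
        return False, f"pin mismatch: got {observed}"
    if mode == "replace":
        return True, "pin matched (CA verdict ignored)"
    if mode == "supplement":
        if ca_chain_ok:
            return True, "pin matched and CA chain verified"
        return False, "pin matched but CA chain failed"
    raise ValueError(f"unknown mode {mode!r}")


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate bytes without trusting any CA, so
    the fingerprint can be compared against the out-of-band value.
    Needs network; not exercised by the constructed data below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in for a server's DER certificate: arbitrary bytes so the
# example runs offline. Use fetch_leaf_der() against a live host instead.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    fp = fingerprint(CONSTRUCTED_DER)
    print("SHA-256 fingerprint:", fp)
    print("as words:", " ".join(to_words(hashlib.sha256(CONSTRUCTED_DER).digest())))
    print(check_peer(CONSTRUCTED_DER, fp, ca_chain_ok=True))
    # A different certificate that a trusted CA did sign still fails the pin.
    print(check_peer(CONSTRUCTED_DER + b"\x00", fp, ca_chain_ok=True))
```

The point the message makes falls out of the last two calls: in "supplement" mode a certificate that passes the CA check but does not match the fingerprint obtained out of band is rejected, and in "replace" mode the CA verdict is not consulted at all, which is the SSH/PGP model the author prefers.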


