Crypto and UI issues
James A. Donald
jamesd at echeque.com
Sun Dec 18 00:12:11 EST 2005
--
"James A. Donald"
> > Let us imagine that SSH had certified keys. Well,
> > certifying a key is bound to be complicated, and
> > things are bound to go wrong, and the name that you
> > bind it to is bound to be somewhat shifty.
Ben Laurie
> I don't see why that would happen all that much,
It would happen at least as much as it happens with
https, and it happens enough with https that false
negatives enormously outweigh true negatives.
"James A. Donald"
> > So pretty soon users are frequently seeing error
> > dialogs - and so, pretty soon, are always clicking
> > through them.
Ben Laurie
> Don't really buy this for what is, mostly, a protocol
> used by experts.
An expert will reflexively click through a dialog that
is almost certainly a false negative.
> True names of hosts is not a deep problem. Indeed, it
> is even possible to discover rigorously
but is the host with the true name the entity you have a
relationship with?
My two most recent logins were with "First National Bank
of Omaha" and "Your IBM Savings plan".
Is "firstnational.com" the same entity as "First
National Bank of Omaha"? Is
"https://lb22.resources.hewitt.com" the same entity as
"Your IBM Savings plan"?
Knowing that I was really and truly connecting to
lb22.resources.hewitt.com was not in fact much use at
all.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
ez1z37eet0cWwVrNwfCbMCbdIdZ54HnhIA7QnrSN
42IqI9qTDHV9RRUioTTrs3I0W7eyY9zOvBjKSSInB
---------------------------------------------------------------------
The Cryptography Mailing List