Crypto and UI issues
Ben Laurie
ben at algroup.co.uk
Sun Dec 18 22:44:07 EST 2005
James A. Donald wrote:
> --
> "James A. Donald"
>>> Let us imagine that SSH had certified keys. Well,
>>> certifying a key is bound to be complicated, and
>>> things are bound to go wrong, and the name that you
>>> bind it to is bound to be somewhat shifty.
>
> Ben Laurie
>> I don't see why that would happen all that much,
>
> It would happen at least as much as it happens with
> https, and it happens enough with https that false
> negatives enormously outweigh true negatives.

True, but I don't see false negatives very often with https at all. And
I visit far more web sites than I log into machines with ssh. So, I'm
not really buying this.

> "James A. Donald"
>>> So pretty soon users are frequently seeing error
>>> dialogs - and so, pretty soon, are always clicking
>>> through them.
>
> Ben Laurie
>> Don't really buy this for what is, mostly, a protocol
>> used by experts.
>
> An expert will reflexively click through a dialog that
> is almost certainly a false negative.

That's just not true.

>> True names of hosts is not a deep problem. Indeed, it
>> is even possible to discover rigorously
>
> but is the host with the true name the entity you have a
> relationship with?
>
> My two most recent logins were with "First National Bank
> of Omaha" and "Your IBM Savings plan"
>
> Is "firstnational.com" the same entity as "First
> National Bank of Omaha"? Is
> "https://lb22.resources.hewitt.com" the same entity as
> "Your IBM Savings plan"?

You have logins at banks and IBM?
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com