browser vendors and CAs agreeing on high-assurance certificates
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Dec 21 07:10:49 EST 2005
"James A. Donald" <jamesd at echeque.com> writes:
>If no attacks, this is just an excuse for higher priced holy water, an
>attempt to alter the Browser interface to increase revenue, not increase
>security - to solve the CA's problem, not solve the user's problem.
That's a somewhat cynical view :-) of what I'd seen it as, a case of looking for
the dropped contact lens where the light is. The CAs and auditors are in the
business of auditing and checking, so they try and address the phishing problem
by adding more auditing and checking to the cert issue process because that's
the only thing they can do. To grab a few chunks from an article on security
usability that'll be published Real Soon Now (note that this is a summary of
much preceding text containing examples of each of the cases mentioned below):
The security model used with SSL server certificates might be called honesty-
box security: In some countries newspapers are sold on the street by having a
box full of newspapers next to a coin box (the honesty box) into which people
are trusted to put the correct coins before taking out a paper. Of course they
can also put in a coin and take out all the papers, or put in a washer and
take out a paper, but most people are honest and so most of the time it works.
SSL's certificate usage is similar. If you use a $495 certificate, people will
come to your site. If you use a $9.95 certificate, people will come to your
site. If you use a $0 self-signed certificate, people will come to your site.
If you use an expired or invalid certificate, people will come to your site.
If you're a US financial institution and use no certificate at all but put up
a message reassuring users that everything is OK, people will come to your
site. In medical terms, the effects of this "security" are indistinguishable
from placebo.
In fact the real situation is even worse than this. Although there has been
plenty of anecdotal evidence of the ineffectiveness of SSL certificates over
the years, it wasn't until mid-2005 (ten years after their introduction) that
a rigorous study of their actual effectiveness was performed. This study,
carried out with computer-literate senior-year computer science students (who
one would expect would be more aware of the issues than the typical user)
confirmed the anecdotal evidence that invalid SSL certificates had no effect
whatsoever on users visiting a site.
[...]
A contributing factor in the SSL certificate problem is the fact that security
warnings presented to the user often come with no supporting context. Since
web browsers implicitly and invisibly trust a large number of CAs, and by
extension a vast number of certificates, users have no idea what a certificate
is when an error message mentioning one appears. One user survey found that
many users assumed that it represented some form of notice on the wall of the
establishment, like a health inspection notice in a restaurant or a Better
Business Bureau certificate, a piece of paper that indicates nothing more than
that the owner has paid for it (which is indeed the case for most SSL
certificates). Users were therefore dismissive of "trusted" certificates, and
as an extension cared equally little about "untrusted" ones.
This user conditioning presents a somewhat difficult problem. Psychologists
have performed numerous studies over the years that examine people's behaviour
once they've become habituated into a particular type of behaviour and found
that, once acquired, an (incorrect) "whirr, click" response is extremely
difficult to change, with users resisting attempts to change their behaviour
even in the face of overwhelming evidence that what they're doing is wrong.
So, as you say, high-assurance certs are solving a CA and regulation-setter
problem, not a phishing problem.
It'll be interesting to see how things look in a year's time.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com