Can you help develop crypto anti-spoofing/phishing tool ?

Ian G iang at systemics.com
Wed Feb 2 22:57:06 EST 2005


Daniel Carosone wrote:

>On Wed, Feb 02, 2005 at 10:11:54PM +0200, Amir Herzberg wrote:
>
>>We develop TrustBar, a simple extension to FireFox (& Mozilla), that 
>>displays the name and logo of SSL protected sites, as well as of the CA 
>>(so users can notice the use of untrusted CA). 
>
>Other merits of the idea aside, if the user knows the CA is untrusted,
>what's it doing in the browser's trust path?

The user doesn't select the trust path, the
browser manufacturer does.  It is a bug to
think that the user trusts the CA.  She
doesn't even know their names, let alone
whether she would trust them, in the current
system.

>If we're going to assume users are capable of making this decision, we
>should make it easier for them to express that decision properly
>within the existing mechanism.

The existing method is that the root list is
chosen by methods arcane and obscure,
which may have to do with user benefit,
or may not.  Either way, the user is given
a root list that is long and chosen and hidden.

How do you suggest the user deals with
this list?  Given that the average list has
100+ entries...

What Amir and Ahmad are looking at is
showing the CA as part of the trust equation
when the user hits a site.  Some CAs will
enter the user's consciousness via normal
branding methods, and new ones will
trigger care & caution.  Which is what
we want - if something strange pops up,
the user should take more care.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


