Can you help develop crypto anti-spoofing/phishing tool ?

Daniel Carosone dan at geek.com.au
Thu Feb 3 00:45:13 EST 2005


On Thu, Feb 03, 2005 at 03:57:06AM +0000, Ian G wrote:
> Daniel Carosone wrote:
> 
> >Other merits of the idea aside, if the user knows the CA is untrusted,
> >what's it doing in the browser's trust path?
> 
> The user doesn't select the trust path, the browser manufacturer
> does. 
> [..]
> How do you suggest the user deals with this list?  Given that the
> average list has 100+ entries...

That was a very large part of my point.. :)

[As an aside, pruning the CA trust list is a common hardening
recommendation for those building corporate SOE lockdowns and similar
platforms, where the organisation is making a trust decision for the
user differently than the browser maker is.]

> What Amir and Ahmad are looking at is showing the CA as part of the
> trust equation when the user hits a site.  Some CAs will enter the
> user's consciousness via normal branding methods, and new ones will
> trigger care & caution.  Which is what we want - if something
> strange pops up, the user should take more care.

I appreciate what they're trying to do, and think it has merits I'm
not in any way trying to diminish.

I just don't see a great history of success with the general user
populace reading and thinking and reacting properly to security
popup warnings of any kind.

The smart, security-conscious and PKI-aware users who can recognise
good CAs from bad will not be falling for phishing scams in the first
place.  The user who's already some way down the path of falling for
one is unlikely to make a better choice even when you give them
another popup, though there's a chance it might help at least
somebody, and we should surely take that chance.

If the users could make appropriate CA trust choices, having the
browser manufacturers prepopulate a list of potentially-trusted CAs,
with a popup asking for a trust approval the first time a site
presents a cert in that path, might work. Likewise, something that
remembered cert fingerprints and CA path for "known trusted sites",
vaguely à la ssh, and popped up an appropriate warning when something
changes, might work for such a smart user.  Even so, most of the
popups they see are going to be for legitimate cases of cert renewals
or ICA changes or server load-balancers or .. whatever else.

What's really needed is a way to help them make fewer, better
decisions, rather than more decisions.   Wish I knew how..

--
Dan.
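
The ssh-style store of certificate fingerprints and CA path mentioned in the message above, as an added example that is not part of the original post. It shows how such a store would tell a leaf renewal under the same CA path apart from a CA path change; `PinStore`, its verdict strings and the byte strings standing in for DER certificates are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def fp(der: bytes) -> str:
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class Pin:
    leaf_fp: str    # fingerprint of the site's own certificate
    ca_path: tuple  # fingerprints of the issuing CA certs, nearest first


class PinStore:
    """Hypothetical in-memory 'known sites' store, in the spirit of known_hosts."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _pin(chain: list) -> Pin:
        if not chain:
            raise ValueError("empty certificate chain")
        return Pin(fp(chain[0]), tuple(fp(c) for c in chain[1:]))

    def check(self, host: str, chain: list) -> str:
        """Compare the presented chain [leaf, CA, ..., root] with the stored pin."""
        seen, known = self._pin(chain), self._pins.get(host.lower())
        if known is None:
            return "first-visit"
        if known == seen:
            return "unchanged"
        if known.ca_path == seen.ca_path:
            return "leaf-changed-same-ca-path"  # e.g. a routine renewal
        return "ca-path-changed"                # e.g. a new intermediate CA

    def remember(self, host: str, chain: list) -> None:
        """Record the chain once it has been accepted for this host."""
        self._pins[host.lower()] = self._pin(chain)


def demo() -> list:
    # Constructed stand-ins for DER certificates; not real certificate data.
    root, ica1, ica2 = b"sample-root", b"sample-ica-1", b"sample-ica-2"
    visits = [[b"leaf-2004", ica1, root], [b"leaf-2004", ica1, root],
              [b"leaf-2005", ica1, root], [b"leaf-2005", ica2, root]]
    store, verdicts = PinStore(), []
    for chain in visits:
        verdicts.append(store.check("bank.example", chain))
        store.remember("bank.example", chain)
    return verdicts
```

Three of the four visits produce something other than "unchanged" even though every chain in the sample is legitimate.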