Can you help develop crypto anti-spoofing/phishing tool?
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Feb 3 09:18:53 EST 2005
Daniel Carosone responded to me:
>>We develop TrustBar, a simple extension to FireFox (& Mozilla), that
>>displays the name and logo of SSL protected sites, as well as of the CA
>>(so users can notice the use of untrusted CA).
>
> Other merits of the idea aside, if the user knows the CA is untrusted,
> what's it doing in the browser's trust path?
Unfortunately, users are not aware of what a CA is, and can't recognize
trusted CAs. This fact is pretty obvious, but I've also validated it by
appropriate user surveys (initial results already appear in the paper,
see my site http://AmirHerzberg.com; and I already have additional
supporting results).

However, by exposing the brand (identity, logo) of the CA, and using
simple terms (`identified by`) rather than jargon (CA), we allow users
to identify suspect certifications, and we allow CAs to establish their
brand - which, imho, is a good thing.

I find it almost a professional insult that people go for non-crypto
identification mechanisms to prevent spoofing and phishing. I mean, if
we can't sell crypto for this purpose, this - imho - is a real failure.

Best, Amir Herzberg
---------------------------------------------------------------------
The Cryptography Mailing List