Can you help develop crypto anti-spoofing/phishing tool?

Michael H. Warfield mhw at wittsend.com
Thu Feb 3 09:30:07 EST 2005


On Thu, 2005-02-03 at 03:57 +0000, Ian G wrote:
> Daniel Carosone wrote:

> >On Wed, Feb 02, 2005 at 10:11:54PM +0200, Amir Herzberg wrote:

> >>We develop TrustBar, a simple extension to FireFox (& Mozilla), that 
> >>displays the name and logo of SSL protected sites, as well as of the CA 
> >>(so users can notice the use of untrusted CA). 

> >Other merits of the idea aside, if the user knows the CA is untrusted,
> >what's it doing in the browser's trust path?
  
> The user doesn't select the trust path, the
> browser manufacturer does.  It is a bug to
> think that the user trusts the CA.  She
> doesn't even know their names, let alone
> whether she would trust them, in the current
> system.

	Worse, we've even got malware/spyware that's silently installing new
root CAs when they install.  And on Windows, it's not in the browser
(unless it's Mozilla/Firefox, I think) it's in the OS itself that's
maintaining the root CA list.

	But, I also agree that I doubt many users will know or pay attention to
the CA.  Trust them?  Most don't even know, or care, what a CA is.  They
already punch through the dialogs, now, when faced with certificate
warnings.  Even people who should know better just click that little
check box saying "don't show this warning again" for a site they know
nothing about and just ignore the fact that the cert is virtually
worthless.  Showing the CA is not going to help that.

> >If we're going to assume users are capable of making this decision, we
> >should make it easier for them to express that decision properly
> >within the existing mechanism.

	Big BIG if.  I can't make that assumption at all.  I've seen reality
and reality is that they're just going to instinctively hit "OK" and be
annoyed that they had to even see that dialog.

> The existing method is that the root list is
> chosen by methods arcane and obscure,
> which may have to do with user benefit,
> or may not.  Either way, the user is given
> a root list that is long and chosen and hidden.

> How do you suggest the user deals with
> this list?  Given that the average list has
> 100+ entries...

	Now, I have not seen this.  The stock "ca-bundle" in Linux is about 60
certs (and some orgs have more than one cert).  Still, that's a lot of
certs and a lot of organizations to know who to trust and who to not and
most users are just not going to be troubled.

> What Amir and Ahmad are looking at is
> showing the CA as part of the trust equation
> when the user hits a site.  Some CAs will
> enter the user's consciousness via normal
> branding methods, and new ones will
> trigger care & caution.  Which is what
> we want - if something strange pops up,
> the user should take more care.

	How do you make it "strange enough" for them to give a flip when a
modal dialog box won't even do it?

> iang

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
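
Added example, not part of the original message: since the thread notes that malware can silently add root CAs and that users will not review a list of 60 or more entries by hand, this sketch compares a PEM root bundle against a saved known-good copy by SHA-256 fingerprint and reports roots that appeared or disappeared. It assumes the store is a PEM bundle and that a baseline copy exists; the function names and the sample "certificates" (placeholder byte strings) are constructed for illustration.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(bundle_text):
    """Map SHA-256 fingerprint (hex, over the DER bytes) -> first position in bundle."""
    found = {}
    for index, body in enumerate(PEM_RE.findall(bundle_text)):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError(f"certificate #{index} is not valid base64") from exc
        found.setdefault(hashlib.sha256(der).hexdigest(), index)
    return found

def diff_store(baseline_text, current_text):
    """Compare a root store against a known-good baseline copy."""
    base, cur = fingerprints(baseline_text), fingerprints(current_text)
    return {
        "count": len(cur),  # unique roots; duplicates collapse
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
    }

def fake_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed stand-in, not a real cert)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder byte strings standing in for DER certs.
ROOT_A, ROOT_B, ROOT_C = (b"constructed root A" * 8, b"constructed root B" * 8,
                          b"constructed root C" * 8)
BASELINE = fake_pem(ROOT_A) + fake_pem(ROOT_B)
# Current store: reordered, one duplicate, and one root the baseline never had.
CURRENT = fake_pem(ROOT_B) + fake_pem(ROOT_C) + fake_pem(ROOT_A) + fake_pem(ROOT_B)

if __name__ == "__main__":
    report = diff_store(BASELINE, CURRENT)
    print(f"{report['count']} roots in store")
    for fp in report["added"]:
        print("ADDED since baseline:", fp)
    for fp in report["removed"]:
        print("REMOVED since baseline:", fp)
```

Run on a schedule against the real bundle, this turns the question of which roots are present into a short report of changes instead of a list the user is expected to read.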