Can you help develop crypto anti-spoofing/phishing tool ?

Amir Herzberg herzbea at macs.biu.ac.il
Sun Feb 6 08:34:20 EST 2005


Ed Gerck responded to me:
>> We develop TrustBar, a simple extension to FireFox (& Mozilla), that 
>> displays the name and logo of SSL protected sites, as well as of the 
>> CA (so users can notice the use of untrusted CA). I think it is fair 
>> to say that this extension fixes some glitches in the deployment of 
>> SSL/TLS, i.e. in the most important practical cryptographic solution.
> 
> Yes, because it makes the user notice what CAs the _browser_ has
> decided the user _automatically_ accepts [1]. But there is a caveat. Can
> you trust what trustbar shows you? 
This trust translates to:
-- Trusting the TrustBar code (which is open source so can be validated 
by tech-savvy users / sys-admin)
-- Trusting that this code was not modified (same as for any other 
aspect of your machine)
-- Trusting the CA - well, not exactly; TrustBar allows users to specify 
for each CA whether the user is willing to display logos/names from this 
CA automatically, or wants to be asked for each new site. Only if the 
user selects `display logo/name automatically`, then he really trusts 
the CA in this regard, and still the brand (logo) of the CA appears (for 
accountability). I'll admit, though, that currently VeriSign is 
`trusted` in this respect by default (of course user can change this 
easily).

> And, of course, knowing what CA
> is being used is also possible without trustbar but requires a couple
> mouseclicks. Wouldn't it be better if Firefox/Mozilla simply
> put the name of the CA next to the lock icon?
I don't think this is enough:
a) not visible enough
b) not clear enough (what this means)
c) does not allow user to distinguish between different companies with 
cert from the same CA (i.e. you lose the identification of the site by 
name/logo and resort back to the SSL `identify by URL` which is too 
complex for naive users).

Thanks (also for the URL)! Amir Herzberg

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
