Can you help develop crypto anti-spoofing/phishing tool ?
Amir Herzberg
herzbea at macs.biu.ac.il
Sun Feb 6 08:34:20 EST 2005
Ed Gerck responded to me:
>> We develop TrustBar, a simple extension to FireFox (& Mozilla), that
>> displays the name and logo of SSL protected sites, as well as of the
>> CA (so users can notice the use of untrusted CA). I think it is fair
>> to say that this extension fixes some glitches in the deployment of
>> SSL/TLS, i.e. in the most important practical cryptographic solution.
>
> Yes, because it makes the user notice what CAs the _browser_ has
> decided the user _automatically_ accepts [1]. But there is a caveat. Can
> you trust what trustbar shows you?
This trust translates to:
-- Trusting the TrustBar code (which is open source so can be validated
by tech-savvy users / sys-admin)
-- Trusting that this code was not modified (same as for any other
aspect of your machine)
-- Trusting the CA - well, not exactly; TrustBar allows users to specify
for each CA whether the user is willing to display logos/names from this
CA automatically, or wants to be asked for each new site. Only if the
user selects `display logo/name automatically`, then he really trusts
the CA in this regard, and still the brand (logo) of the CA appears (for
accountability). I'll admit, though, that currently VeriSign is
`trusted` in this respect by default (of course user can change this
easily).
> And, of course, knowing what CA
> is being used is also possible without trustbar but requires a couple
> mouseclicks. Wouldn't it be better if Firefox/Mozilla simply
> put the name of the CA next to the lock icon?
I don't think this is enough:
a) not visible enough
b) not clear enough (what this means)
c) does not allow user to distinguish between different companies with
cert from the same CA (i.e. you lose the identification of the site by
name/logo and resort back to the SSL `identify by URL` which is too
complex for naive users).
Thanks (also for the URL)! Amir Herzberg
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
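The per-CA policy Amir describes above (display logo/name automatically, or ask once per new site, with the CA's brand always shown for accountability) can be modelled in a few dozen lines. The following is an added illustration and not TrustBar's own code: the `CaPolicy`/`Decision` names, the choice to key a remembered approval on (host, issuer, subject) so that two companies with certificates from the same CA are never confused, and the treatment of a CA absent from the user's policy as untrusted are all assumptions of this model.

```python
"""Model of a per-CA display policy for a TrustBar-style browser extension.

Added illustration, not TrustBar's own code. The policy names, the site key
and the in-memory approval store are assumptions of this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class CaPolicy(Enum):
    AUTO = "auto"  # display name/logo for any certificate this CA issued
    ASK = "ask"    # ask the user once per new site, then remember the answer


class Decision(Enum):
    SHOW = "show"            # display site name/logo together with the CA brand
    PROMPT = "prompt"        # new site under an ask-mode CA: ask the user
    UNTRUSTED = "untrusted"  # issuer not in the user's policy: show no name/logo


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the certificate fields the decision needs (constructed)."""
    host: str        # hostname the certificate was presented for
    subject_cn: str  # organisation name that would be shown to the user
    issuer_cn: str   # CA that issued the certificate


@dataclass
class TrustBarPolicy:
    ca_policy: dict[str, CaPolicy]
    approved: set[tuple[str, str, str]] = field(default_factory=set)

    @staticmethod
    def _site_key(cert: Cert) -> tuple[str, str, str]:
        # An approval is bound to host + issuer + subject, so approving one
        # site never extends to another site whose cert comes from the same CA.
        return (cert.host, cert.issuer_cn, cert.subject_cn)

    def decide(self, cert: Cert) -> tuple[Decision, str | None]:
        """Return what the toolbar should do, and the label to render if any."""
        policy = self.ca_policy.get(cert.issuer_cn)
        if policy is None:
            # Browser-accepted root or not, the user never opted in to this CA.
            return Decision.UNTRUSTED, None
        if policy is CaPolicy.AUTO or self._site_key(cert) in self.approved:
            # The CA brand is always shown alongside the site for accountability.
            return Decision.SHOW, f"{cert.subject_cn} (identified by {cert.issuer_cn})"
        return Decision.PROMPT, None

    def approve(self, cert: Cert) -> None:
        """Record the user's answer to a PROMPT for this exact site."""
        self.approved.add(self._site_key(cert))


def run_demo() -> list[Decision]:
    """Walk constructed certificates through the policy; returns the decisions."""
    policy = TrustBarPolicy({"VeriSign": CaPolicy.AUTO, "Example CA": CaPolicy.ASK})
    bank = Cert("bank.example", "Example Bank Ltd", "Example CA")
    other_site = Cert("other.example", "Other Company Inc", "Example CA")
    shop = Cert("shop.example", "Example Shop", "VeriSign")
    unknown = Cert("mail.example", "Example Mail", "Some Other CA")

    results = [policy.decide(bank)[0]]          # PROMPT: new site, ask-mode CA
    policy.approve(bank)
    results.append(policy.decide(bank)[0])      # SHOW: remembered for this site
    results.append(policy.decide(other_site)[0])  # PROMPT: same CA, different site
    results.append(policy.decide(shop)[0])      # SHOW: CA in auto mode
    results.append(policy.decide(unknown)[0])   # UNTRUSTED: CA not in policy
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome.value)
```

The point the model makes explicit is that a CA being in the browser's root store is a separate question from the user having opted in to automatic display for that CA; the toolbar's own policy table decides, and an approval given for one site stays with that site.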