Citibank discloses private information to improve security

[Heyman, Michael]

> From: owner-cryptography at metzdowd.com 
> [mailto:owner-cryptography at metzdowd.com] On Behalf Of Peter Gutmann
> Sent: Tuesday, May 31, 2005 1:29 PM
> 
> >In this situation, I believe that the users, through hard won 
> >experience with computers, _correctly_ assumed this was a 
> >false positive.
>
> Probably not.
> [SNIP text on user's thoughts on warning dialogs]

The false positive I was referring to is the "something is telling me
something unimportant" positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible
causes of the certificate failure, specifically the likelihood of an
active man-in-the-middle vs. software bug, vs. setup error, vs. etc..

So, when the box popped up, in the "unimportant" vs. "important" choice
that the users went through, they correctly chose "unimportant". These
warning dialogs pop up regularly and usually they are crying wolf.

I've probably seen hundreds of signature validation warnings from
various web-sites for certificates and Active-X and possibly other
signed content. I can't recall needing to heed even one of the warnings.
We are trying to detect man-in-the-middle or outright spoofing with
signatures and our false positive rate is through the roof. The false
positive rate must be zero or nearly zero to work as a useful detector
in real world situations.

Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.

-Michael

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com