Citibank discloses private information to improve security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jun 2 06:29:58 EDT 2005


"Heyman, Michael" <Michael.Heyman at sparta.com> writes:

>The false positive I was referring to is the "something is telling me
>something unimportant" positive. I didn't mean to infer that the users
>likely went through a thought process centered around the possible causes of
>the certificate failure, specifically the likelihood of an active man-in-the-
>middle vs. software bug, vs. setup error, vs. etc..

Oh, I see.  So we were actually in violent agreement :-).

>I've probably seen hundreds of signature validation warnings from various
>web-sites for certificates and Active-X and possibly other signed content. I
>can't recall needing to heed even one of the warnings. We are trying to
>detect man-in-the-middle or outright spoofing with signatures and our false
>positive rate is through the roof. The false positive rate must be zero or
>nearly zero to work as a useful detector in real world situations.

It's not just passive false-positive acceptance, users are actively encouraged
by software vendors to accept verification-failed content.  For example every
other hardware device you install, as part of its connect-the-dots sequence
of screen shots in the install guide, shows a shot of some sort of signature-
warning dialog, along with an arrow pointing to the "Ignore this warning"
button to click and text telling users to, well, do what the button says. Even
things like WHQL-certified drivers, which should have all the correct
credentials, end up being installed in non-certified ways because the vendors
submit a safe-but-slow configuration to get certified and then ship the
unsafe-but-fast one to be installed (this is standard practice for any
hardware where performance is the main selling point, i.e. video drivers, RAID
drivers, network drivers, etc etc).  Alternatively, the latest bugfix drivers
are several steps ahead of the certified WHQL'd ones, so you get the same
thing.

For non-Windows users who haven't seen this sort of user-conditioning in
documentation, here's the first half-dozen online examples of this (to save me
having to scan install guides to demonstrate it):

  http://www.msha.gov/TECHSUPP/ACC/shortcircuit/install.htm
  http://support.academic.com/knowbase/root/public/acdm9103.htm
  http://mail.regent-college.edu/wireless/printer/w98/
  http://home.cfl.rr.com/dogone/Download.htm
  http://129.171.91.6/firewall/InstallConfig/msie_instruction.cfm
  http://www.rochester.edu/its/wireless/win_IE_certificate.html

Note also that the warnings for valid and invalid signed content are extremely
similar, and both contain lots of text, jargon, and incomprehensible (to the
average user) information.  Both in effect state "Mumble mutter fnord fnord,
do you want to go ahead", with the fnord-level for the valid-signature dialog
being at least as high as the invalid-signature one.  It'd be interesting to
see if users can tell the difference between the two.

This one is particularly cool: "Don't get worried by the JPilot Security
Warning! Just click "YES" to install & run applet. If you don't, you can't
chat!":

  http://mc2.vicnet.net.au/help/chathelp.html

(Don't worry about those nasty warnings, just close your eyes and click your
heels tog^H^H^H^Hclick OK).

Just to show that it's not just ActiveX signing under Windows that's training
users in this manner, here's a Unix one too:

  http://apps.cybersource.com/library/documentation/dev_guides/Microsoft_Commerce_Server_2002/html/install.htm

Peter.
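The base-rate arithmetic behind the "false positive rate must be zero or
nearly zero" point in the quoted text, as an added example that is not part of
the original post or the list thread.  It treats a signature/certificate
warning as a detector for active MITM or spoofing and computes what fraction
of the warnings a user actually sees are genuine.  The attack rate, detection
rate and false-positive rate are constructed illustrative values, not
measurements from the page.

```python
"""Positive predictive value of a signature/certificate warning.

Added illustration (not from the original post). A warning dialog is a
detector: P(warning | attack) is its detection rate, P(warning | no attack)
is its false-positive rate (expired or self-signed certs, unsigned drivers,
ActiveX with a mismatched publisher, ...). Because real attacks are rare,
even a modest false-positive rate means almost every warning the user sees
is spurious, and clicking through becomes the rational habit.
"""

from typing import List, Tuple


def _check_probability(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a probability in [0, 1], got {value!r}")


def warning_precision(attack_rate: float, detection_rate: float,
                      false_positive_rate: float) -> float:
    """Fraction of warnings that correspond to a real attack.

    attack_rate:         prior probability that a given connection/download
                         is under active MITM or spoofing
    detection_rate:      P(warning | attack)
    false_positive_rate: P(warning | no attack)
    """
    _check_probability("attack_rate", attack_rate)
    _check_probability("detection_rate", detection_rate)
    _check_probability("false_positive_rate", false_positive_rate)
    true_warnings = attack_rate * detection_rate
    false_warnings = (1.0 - attack_rate) * false_positive_rate
    total = true_warnings + false_warnings
    if total == 0.0:
        return 0.0  # detector never fires; nothing to be precise about
    return true_warnings / total


def spurious_warnings_per_attack(attack_rate: float, detection_rate: float,
                                 false_positive_rate: float) -> float:
    """Expected number of bogus warnings seen for each genuine one.

    Returns float('inf') if genuine warnings never occur.
    """
    _check_probability("attack_rate", attack_rate)
    _check_probability("detection_rate", detection_rate)
    _check_probability("false_positive_rate", false_positive_rate)
    true_warnings = attack_rate * detection_rate
    false_warnings = (1.0 - attack_rate) * false_positive_rate
    if true_warnings == 0.0:
        return float("inf")
    return false_warnings / true_warnings


def precision_sweep(attack_rate: float, detection_rate: float,
                    false_positive_rates: List[float]) -> List[Tuple[float, float]]:
    """Precision for each candidate false-positive rate, in the order given."""
    return [(fpr, warning_precision(attack_rate, detection_rate, fpr))
            for fpr in false_positive_rates]


if __name__ == "__main__":
    # Constructed values: one attacked session in 10,000, a detector that
    # catches every attack, and false-positive rates from 10% down to 0.
    ATTACK_RATE = 1e-4
    DETECTION_RATE = 1.0
    for fpr, precision in precision_sweep(ATTACK_RATE, DETECTION_RATE,
                                          [0.1, 0.01, 0.001, 0.0001, 0.0]):
        ratio = spurious_warnings_per_attack(ATTACK_RATE, DETECTION_RATE, fpr)
        print(f"FPR={fpr:<8} precision={precision:.4f} "
              f"spurious warnings per real attack={ratio:.1f}")
```

With a 10% false-positive rate and one attack per 10,000 sessions, roughly
one warning in a thousand is real, so a user who clicks through every time is
wrong about once in a thousand clicks; the warning only becomes informative
once the false-positive rate drops to the same order of magnitude as the
attack rate.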



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com