PKI too confusing to prevent phishing, part 28

Amir Herzberg herzbea at
Mon Sep 26 02:53:59 EDT 2005

Is PKI the cause of this? I think not. This is a usability problem.

We try to fix this problem (and similar problems) with TrustBar. Indeed 
we even had incidents where people on the TrustBar team itself, and some 
security experts using TrustBar, thought there was a bug: why does 
TrustBar display a `Bad Certificate` warning when Firefox says the site 
is protected fine? But then we found out it was simply a self-signed 
site, or a site signed by a CA not in the browser's list, or the one 
hardest for users: a site with a certificate whose issuer is specified 
as Verisign (say), but with a wrong public key... this last one is 
really tricky; even expert users get confused in identifying this, even 
when using the certificate details dialogs (I checked for Firefox and IE).

There are many problems with PKI, and certainly with its implementation 
in browsers. But secure usability problems are worse. I think our 
community should try to be constructive. I definitely try myself, hence 
TrustBar. Please help me: try it and give me feedback; if you are a good 
programmer, lend a hand improving it; or find other ideas and implement 
Best, Amir Herzberg

Paul Hoffman wrote:
> <> 
> Summary: some phishes are going to SSL-secured sites that offer up their 
> own self-signed cert. Users see the warning and say "I've seen that 
> dialog box before, no problem", and accept the cert. From that point on, 
> the all-important lock is showing so they feel safe.
> Although the company reporting this, SurfControl, is known for alarmism, 
> this is a completely predictable situation. If users can hold one bit 
> and the bit is "look for the lock", then phishers will do anything to 
> get the lock up there.
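
The "issuer says Verisign, but wrong public key" case Amir describes is worth seeing in code, because it is exactly the gap between what a certificate-details dialog shows and what chain validation checks. The program below is an added example, not code from the original post or from TrustBar. It uses Go's standard crypto/x509 package as a stand-in for the browser's validator and assumes a made-up CA name ("Example Trust Co. Root CA", standing in for Verisign) and host name ("www.example.com"). It generates a trusted root, then a second, impostor root with the identical Subject name but its own key, issues a server certificate from each, and validates both against only the trusted root. The Issuer field of the impostor-signed leaf matches the trusted CA's name byte for byte; only the signature check exposes it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed CA name standing in for the post's "Verisign"; not a real CA.
var trustedCAName = pkix.Name{CommonName: "Example Trust Co. Root CA"}

// newRootAndLeaf builds a self-signed root named trustedCAName and a server
// certificate for host signed by it. Each call uses fresh keys, so two calls
// yield two roots with identical names but unrelated keys.
func newRootAndLeaf(serial int64, host string) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               trustedCAName,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial + 1000),
		Subject:      pkix.Name{CommonName: host}, // assumed host name
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf's Issuer field is copied from root's Subject: it is just a name.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return
}

// CheckResult separates what a certificate-details dialog shows (the Issuer
// name) from what chain validation establishes (a signature by the trusted key).
type CheckResult struct {
	IssuerNameMatchesTrustedRoot bool
	ChainVerifies                bool
}

// CheckAgainstRoot validates leaf for host using root as the only trust anchor.
func CheckAgainstRoot(leaf, root *x509.Certificate, host string) CheckResult {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return CheckResult{
		IssuerNameMatchesTrustedRoot: leaf.Issuer.String() == root.Subject.String(),
		ChainVerifies:                err == nil,
	}
}

// Scenario reproduces the post's case: a leaf whose Issuer names the trusted
// CA but was signed by an impostor key. Returns results for both leaves.
func Scenario(host string) (genuine, impostor CheckResult, err error) {
	trustedRoot, goodLeaf, err := newRootAndLeaf(1, host)
	if err != nil {
		return
	}
	_, badLeaf, err := newRootAndLeaf(2, host) // same Issuer name, different key
	if err != nil {
		return
	}
	genuine = CheckAgainstRoot(goodLeaf, trustedRoot, host)
	impostor = CheckAgainstRoot(badLeaf, trustedRoot, host)
	return
}

func main() {
	genuine, impostor, err := Scenario("www.example.com")
	fmt.Printf("genuine: %+v\nimpostor: %+v\nerr: %v\n", genuine, impostor, err)
}
```

The point a user (or a details dialog) cannot see is that `IssuerNameMatchesTrustedRoot` is true for both leaves; the Issuer field is attacker-chosen text. Only `ChainVerifies`, which requires the signature to check out under the trusted root's actual public key, distinguishes them, and that is the check a "Bad Certificate" warning is reporting on.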
