PKI too confusing to prevent phishing, part 28
Amir Herzberg
herzbea at macs.biu.ac.il
Mon Sep 26 02:53:59 EDT 2005
Is PKI the cause of this? I think not. This is a usability problem.
We try to fix this problem (and similar problems) with TrustBar. Indeed
we even had incidents where people on the TrustBar team itself, and some
security experts using TrustBar, thought there was a bug - why does
TrustBar display a `Bad Certificate` warning, when FireFox says the site
is protected fine? But then we found out it was simply a self-signed
site, or a site signed by a CA not in the list of the browser, or the
hardest one for users: a site with a certificate whose issuer is specified
as Verisign (say), but with a wrong public key... this last one is
really tricky; even expert users get confused in identifying this, even
when using the certificate details dialogs (I checked for FireFox and IE).
There are many problems with PKI, and certainly with its implementation
in browsers. But secure usability problems are worse. I think our
community should try to be constructive. I definitely try myself, hence
TrustBar. Please help me: try it and give me feedback, if you are a good
programmer, lend a hand improving it; or find other ideas and implement
them.
Best, Amir Herzberg
Paul Hoffman wrote:
> <http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010>
>
>
> Summary: some phishes are going to SSL-secured sites that offer up their
> own self-signed cert. Users see the warning and say "I've seen that
> dialog box before, no problem", and accept the cert. From that point on,
> the all-important lock is showing so they feel safe.
>
> Although the company reporting this, SurfControl, is known for alarmism,
> this is a completely predictable situation. If users can hold one bit
> and the bit is "look for the lock", then phishers will do anything to
> get the lock up there.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
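The "issuer says Verisign, but wrong public key" case above comes down to one fact: the Issuer field of a certificate is just a copy of the signer's Subject, so anyone can mint a key pair whose Subject reads like a well-known CA and sign leaf certificates with it. The certificate details dialog shows the same Issuer string for the genuine and the impostor leaf; only verifying the signature against the key actually in the trust store tells them apart. The script below is an added example written for this page, not code from the original post or from TrustBar. It assumes the `openssl` command-line tool is installed; the CA name "Example Trusted CA Root" and the hostname `login.example.com` are constructed for the demo, standing in for "Verisign (say)".

```shell
#!/bin/sh
# Added example (not from the original post or from TrustBar): an impostor CA
# whose Subject is byte-for-byte identical to a trusted CA's Subject. The leaf
# it signs therefore carries the same Issuer string as a genuine leaf, and a
# user looking at "Issued by" cannot tell them apart. Chain verification
# against the real CA's key can. Names and hostname below are constructed.
set -e

workdir=$(mktemp -d)
cd "$workdir"

CA_SUBJECT="/O=Example Trusted CA/CN=Example Trusted CA Root"

# 1. The genuine CA, i.e. the trust anchor a browser would ship with.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "$CA_SUBJECT" -keyout real-ca.key -out real-ca.pem >/dev/null 2>&1

# 2. The impostor: a fresh key pair, but exactly the same Subject name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "$CA_SUBJECT" -keyout fake-ca.key -out fake-ca.pem >/dev/null 2>&1

# 3. A server key and CSR for the (constructed) login site.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=login.example.com" -keyout site.key -out site.csr >/dev/null 2>&1

# 4a. Genuine leaf: signed by the real CA's private key.
openssl x509 -req -in site.csr -CA real-ca.pem -CAkey real-ca.key \
  -CAcreateserial -days 30 -out good.pem >/dev/null 2>&1
# 4b. Impostor leaf: same Issuer string, but signed by the wrong key.
openssl x509 -req -in site.csr -CA fake-ca.pem -CAkey fake-ca.key \
  -CAcreateserial -days 30 -out bad.pem >/dev/null 2>&1

# What the certificate details dialog shows under "Issued by".
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# What actually decides trust: does the chain verify against the real CA key?
# Returns 0 when it does, non-zero otherwise.
verify_against_real_ca() {
  openssl verify -CAfile real-ca.pem "$1" >/dev/null 2>&1
}

for leaf in good.pem bad.pem; do
  echo "$leaf: $(issuer_of "$leaf")"
  if verify_against_real_ca "$leaf"; then
    echo "$leaf: chain verifies against the trusted CA key"
  else
    echo "$leaf: chain does NOT verify (Issuer name matches, key does not)"
  fi
done
```

Both leaves print the identical `issuer=...` line; only `good.pem` passes `openssl verify`. A browser UI that surfaces the issuer name without the verification result is showing the user the one field an attacker controls.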
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com