once more, with feeling.
Paul Hoffman
paul.hoffman at vpnc.org
Mon Sep 8 13:33:11 EDT 2008
At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:
>Hopefully this is interesting enough to get forwarded on...
Ditto. :-)
>Warnings aren't enough in this context [ whey already exists ] the
>only thing that will work is stopping the page being seen -
>replacing it with a clearly worded explanation with *no* way to pass
>through and render the page (okay maybe with a debug build of the
>browser but not in the shipped product).
It depends on how we think change can be achieved. Until now, people
designing pages using bad security practices balanced their laziness
with the fact that their content would be displayed anyway so
whatever. You are proposing moving to the other extreme. Given how
easy your solution would be for browser vendors to implement, we have
to assume that they have considered it and rejected it.
A less extreme solution would be to make the warning the user sees on
a mixed-content page more insulting to the bank. "This page contains
both encrypted and non-encrypted content and is inherently insecure.
The owner of this web site has clearly made a very poor security
decision in showing this page to you. It is likely that other pages
on this site also have similarly poor security. Knowing this, do you
wish to continue anyway?"
--Paul Hoffman, Director
--VPN Consortium
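Added example, not from the original thread: a small JavaScript audit of a page served over https:// that lists every sub-resource fetched over plain http://, which is the "mixed content" the warning text above is complaining about, and then applies one possible policy (block when active content is mixed, warn when only passive content is). The host names and the sample page are constructed for the demonstration.

```javascript
// Mixed-content audit for static HTML that was delivered over https://.
// "Active" sub-resources (scripts, frames, stylesheets, plugins) can rewrite
// the whole page if tampered with in transit; "passive" ones (images, media)
// can only be swapped for other bytes of the same kind.
const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object", "embed"]);

// Crude tag/attribute scanner, sufficient for auditing static markup.
// It is not a full HTML parser.
const TAG_RE = /<(script|iframe|link|object|embed|img|audio|video|source)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|href|data)\s*=\s*["']?([^"'\s>]+)/i;

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== "https:") return findings; // only an https page can be "mixed"
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = ATTR_RE.exec(m[2]);
    if (!attr) continue;
    let target;
    try { target = new URL(attr[2], page); } catch { continue; } // resolves relative and // URLs
    if (target.protocol !== "http:") continue; // https:, data:, blob: are not mixed
    findings.push({ tag, url: target.href, kind: ACTIVE_TAGS.has(tag) ? "active" : "passive" });
  }
  return findings;
}

// One policy a browser could apply: "block", "warn" or "allow".
function decidePolicy(findings) {
  if (findings.some((f) => f.kind === "active")) return "block";
  return findings.length > 0 ? "warn" : "allow";
}

// Constructed sample page: two http:// sub-resources, two that are fine.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/tracker.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/local/logo.png">
</body></html>`;

function auditSample() {
  return findMixedContent(SAMPLE_HTML, "https://bank.example.test/login");
}
```

The protocol-relative `//cdn.example.test/tracker.js` is deliberately included: it inherits https: from the page and is not flagged, while the absolute http:// stylesheet is active mixed content and tips the policy to "block".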
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com