Client Certificate UI for Chrome?

James A. Donald jamesd at
Wed Sep 9 01:42:34 EDT 2009

Steven Bellovin wrote:
> Several other people made similar suggestions.  They all boil down to 
> the same thing, IMO -- assume that the user will recognize something 
> distinctive or know to do something special for special sites like 
> banks. 

Not if he only does it for special sites like banks, but if "something 
special" is pretty widely used, he will notice when things are different.

> Peter, I'm not sure what you mean by "good enough to satisfy security 
> geeks" vs. "good enough for most purposes".  I'm not looking for 
> theoretically good enough, for any value of "theory"; my metric -- as a 
> card-carrying security geek -- is precisely "good enough for most 
> purposes".  A review of user studies of many different distinctive 
> markers, from yellow URL bars to green partial-URL bars to special 
> pictures to you-name-it shows that users either never notice the 
> *absence* of the distinctive feature

I never thought that funny colored url bars for banks would help, and 
ridiculed that suggestion when it was first made, and said it was merely 
an effort to get more money for CAs, and not a serious security proposal

The fact that obviously stupid and ineffectual methods have failed is 
not evidence that better methods would also fail.

Seems to me that you are making the argument "We have tried everything 
that might increase CA revenues, and none of it has improved user 
security, so obviously user security cannot be improved."

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list