[Cryptography] Explaining PK to grandma
Jerry Leichter
leichter at lrw.com
Tue Nov 26 23:01:36 EST 2013
On Nov 26, 2013, at 9:15 PM, James A. Donald wrote:
> People are still astonished that the from field is easily forgeable. My sister is an intelligent woman, and still tends to trust the from field, even though I showed her how I could easily send her emails with any from field that I liked.
Email isn't the only thing with this unfortunate property. I had a long argument with a security expert about what you can trust on a Web page. Basically, his assertion was that the contents of the browser address bar were the only thing at all trustworthy, and only under appropriate circumstances. Everything else could be faked. Wherever you *think* a link goes, the only way to know for use is to click on it and see what shows up in the browser bar.
He's right on the facts, but refuses to focus on the implications of this model we've built. Users don't *look* at the contents of browser address bars. Why should they? It has nothing to do with what they are using the browser *for*.
While it may be true that you can't really trust any link embedded in a page to go where it seems to go - you can only click on it and see what ends up in the address bar - in world of drive-by attacks, where simply opening a page may lead to your machine being infected, this model is insane. If people really internalized just how bad things are, it's not clear they'd be willing to use the Web.
-- Jerry
More information about the cryptography
mailing list