[Cryptography] "Trust in digital certificate ecosystem eroding"

Michael Kjörling michael at kjorling.se
Sun May 3 10:35:05 EDT 2015


On 2 May 2015 10:00 +0100, from hyc at symas.com (Howard Chu):
> I would start by shipping all the currently bundled CAs in disabled
> state. Every time you hit a new web site, prompt for whether to
> trust its chain or not, and also display a counter of how many
> times you have trusted a site using this CA. I.e., I want to know
> how many of the thousands of CAs being shipped are actually useful
> in my own browsing patterns. The rest have no business being enabled
> in the first place.

The problem with this (and many other approaches that burden end
users with security-critical decisions) is that the vast majority of
users simply want to proceed to www.funnymovieswithcutekittens.com or
whatever other site they were trying to get to. So they will click
"proceed" or whatever the button is labelled, all the while thinking
"why are you bugging me? just get out of my way, computer!".

And how likely is the average user to make a correct judgment if, say,
the CA for the web site for their bank (the certificate for which they
accepted God knows when way back) changes from, say, "VeriSign, Inc."
to "ValiCert, Inc.", or even "VISA"? Just look at how many end-users
fall for even the worst examples of impersonating various banks and
large companies in spam email.

It would take _considerable_ (re-)training of users to actually take
security warnings seriously, and to reduce the number of false
warnings. I run the Certificate Patrol add-on for Firefox myself, to
catch instances of sites changing certificates unexpectedly, and I
probably get literally _several popups a day_ saying that a site has
changed its certificate unexpectedly. Often even not about the site I
am actively visiting, but some third party site. (And I don't lurk in
many of the dark back alleys of the Internet.) I consider myself
reasonably technically adept, both as far as computers _and_
cryptography go, and I sometimes have difficulty judging how to
respond to those popups. How would a regular user react, and how would
they come to a decision about whether to accept or reject the new
certificate?

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

