[Cryptography] "Trust in digital certificate ecosystem eroding"

Carl Wallace carl at redhoundsoftware.com
Sun May 3 11:57:17 EDT 2015


On 5/3/15, 10:35 AM, "Michael Kjörling" <michael at kjorling.se> wrote:

>On 2 May 2015 10:00 +0100, from hyc at symas.com (Howard Chu):
>> I would start by shipping all the currently bundled CAs in disabled
>> state. Every time you hit a new web site, prompt for whether to
>> trust its chain or not, and also display a counter of how many
>> times you have trusted a site using this CA. I.e., I want to know
>> how many of the thousands of CAs being shipped are actually useful
>> in my own browsing patterns. The rest have no business being enabled
>> in the first place.
>
>The problem with this is (and many other approaches that burden end
>users with security-critical decisions) that the vast majority of
>users simply want to proceed to www.funnymovieswithcutekittens.com or
>whatever other site they were trying to get to. So they will click
>"proceed" or whatever the button is labelled, all the while thinking
>"why are you bugging me? just get out of my way, computer!".

A user is likely to know when they are clicking around sites like
www.funnymovieswithcutekitten.com and when they are banking, or checking
medical records, or shopping, etc. A part of the problem is the attempt to
try to provide a single solution for all cases. Enabling a user to change
their posture to align with what they are doing may help.
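As an added illustration (not code from the thread), here is a sketch of the two ideas above combined: roots ship disabled, each accepted root accumulates a usage counter, and a "sensitive" posture refuses to prompt at all. The root names, hostnames and browsing log are constructed sample data.

```python
from collections import Counter

# Constructed sample: root CAs bundled with the client, all disabled at first run.
BUNDLED_ROOTS = {"RootCA-A", "RootCA-B", "RootCA-C", "RootCA-D"}

# Constructed browsing log: (host, root the chain validated to, user's posture).
BROWSING_LOG = [
    ("www.funnymovieswithcutekittens.com", "RootCA-A", "casual"),
    ("www.example-bank.test", "RootCA-B", "sensitive"),
    ("shop.example.test", "RootCA-B", "casual"),
    ("www.example-bank.test", "RootCA-B", "sensitive"),
    ("portal.clinic.test", "RootCA-C", "sensitive"),
    ("news.example.test", "RootCA-A", "casual"),
]

class TrustLedger:
    """Tracks which bundled roots the user has enabled and how often each is used."""

    def __init__(self):
        self.enabled = set()      # roots the user has explicitly accepted
        self.uses = Counter()     # number of validated sites per root

    def decide(self, host, root, posture, accept):
        """Return 'allow' or 'deny' for a chain anchored at `root`."""
        if root not in BUNDLED_ROOTS:
            return "deny"                 # unknown anchor: never ask the user
        if root not in self.enabled:
            if posture == "sensitive":
                return "deny"             # sensitive posture: no click-through prompts
            if not accept(host, root, self.uses[root]):
                return "deny"
            self.enabled.add(root)        # casual posture: remember the user's choice
        self.uses[root] += 1
        return "allow"

    def unused_roots(self):
        """Bundled roots that never anchored a chain in this browsing history."""
        return sorted(BUNDLED_ROOTS - set(self.uses))

def replay(log=BROWSING_LOG, accept=lambda host, root, n: True):
    """Replay a browsing log; the default `accept` models a user who always clicks through."""
    ledger = TrustLedger()
    decisions = [ledger.decide(h, r, p, accept) for h, r, p in log]
    return decisions, ledger
```

Note that in this replay the bank's root becomes trusted through a casual shopping visit, so a posture switch on its own only limits new prompts, not which roots are already enabled.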
