[Cryptography] "Trust in digital certificate ecosystem eroding"
Jay Sulzberger
jays at panix.com
Sun May 3 16:38:06 EDT 2015
On Sun, 3 May 2015, John Levine <johnl at iecc.com> wrote:
>> It would take _considerable_ (re-)training of users to
>> actually take security warnings seriously, and to reduce the
>> number of false warnings.
>
> All the studies I've seen say that no amount of training will make
> users take security warnings seriously. Partly it's the number of
> false alarms, partly it's a not totally irrational tradeoff between
> the risk of what might happen and the desire to get their work done.
>
> If this stuff is going to work at all, it has to work automatically.
>
> R's,
> John
Yes.
It is not the users who have failed so far to properly pay
attention. The entire SSL system at the point of presentation to
an end user using a browser is nonsense. Free example: Suppose
my browser goes to a website. Suppose a "warning" pops up. Whom
do I contact to find out whether there really is a problem with
the chain of authentication and/or the chain of authorization of
the perhaps bad certificate? I have never seen any trace of this
information presented to the user of the browser.
oo--JS.
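The question Jay raises, who could be asked about the chain of authentication and the chain of authorization, is answerable in principle from data the certificates themselves carry, and a browser already has that data in hand when it decides to warn. The Go program below is an added illustration, not code from this thread or from anyone in it: it builds a constructed three-certificate chain (every name and URL is a placeholder that resolves nowhere), runs the same validation a browser runs, and reports which of the two links failed (authentication: the certificate is not for this host; authorization: no trusted root vouches for the issuer) alongside the issuer-published OCSP, CA Issuers and CRL URLs for each hop. Function names such as `BuildDemoPKI` and `Check` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// base fills the fields every constructed certificate needs; ca=true makes it a CA.
func base(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	c := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return c
}

// issue signs tmpl under parent with parentKey; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildDemoPKI builds a constructed root -> issuing CA -> leaf chain; every name and URL is a placeholder.
func BuildDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue(base(1, "Constructed Root CA", true), nil, nil)
	t := base(2, "Constructed Issuing CA G1", true)
	t.OCSPServer = []string{"http://ocsp.root.example.test"}
	t.IssuingCertificateURL = []string{"http://root.example.test/root.crt"}
	issuing, issuingKey := issue(t, root, rootKey)
	t = base(3, "www.example.test", false)
	t.DNSNames = []string{"www.example.test"}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	t.OCSPServer = []string{"http://ocsp.issuing.example.test"}
	t.CRLDistributionPoints = []string{"http://crl.issuing.example.test/g1.crl"}
	leaf, _ := issue(t, issuing, issuingKey)
	return leaf, issuing, root
}

// Check runs the validation a browser runs before it warns, then returns a verdict naming the broken link plus one line per chain hop with where to check it.
func Check(leaf, issuing *x509.Certificate, roots *x509.CertPool, host string) (string, []string) {
	inter := x509.NewCertPool()
	inter.AddCert(issuing)
	chain := []*x509.Certificate{leaf, issuing} // what the server presented
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	verdict := "ok"
	switch {
	case err == nil:
		chain = chains[0] // the chain that verified, leaf up to the trust anchor
	case errors.As(err, &ua):
		verdict = "authorization: no trusted root vouches for " + ua.Cert.Issuer.String()
	case errors.As(err, &hn):
		verdict = "authentication: certificate is not issued for " + hn.Host
	default:
		verdict = "other: " + err.Error()
	}
	var hops []string
	for _, c := range chain {
		hops = append(hops, fmt.Sprintf("%s <- %s | OCSP=%v CAIssuers=%v CRL=%v",
			c.Subject, c.Issuer, c.OCSPServer, c.IssuingCertificateURL, c.CRLDistributionPoints))
	}
	return verdict, hops
}

func main() {
	leaf, issuing, root := BuildDemoPKI()
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println(Check(leaf, issuing, x509.NewCertPool(), "www.example.test")) // untrusted root
	fmt.Println(Check(leaf, issuing, trusted, "www.example.test"))            // verifies
	fmt.Println(Check(leaf, issuing, trusted, "mail.example.test"))           // name mismatch
}
```

The point of the output is the contrast: with an empty trust store the verdict names the issuer nobody vouches for, while the hop lines still show the OCSP and CA Issuers URLs the issuer itself published, which is the contact information a warning could surface; with the root trusted the verified chain is listed up to the anchor; with the wrong hostname the failure is on the authentication link even though every signature checks out.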