#In viewing an e-mail this morning I received the following pop-up: # #"Revocation information for the security certificate for this site is not #available. #Do you want to proceed?" # #Not just once but for every URL embedded in the e-mail. # #Anybody want to put forward a conjecture about the response to this pop-up #across the population of e-mail users?
Naturally, users (or their support staff) will disable OCSP/CRL checking to make the pop-ups stop happening. Since that's not something that can be done on a granular basis, they'll disable it globally. After all, <sarcasm>that's something that doesn't really matter, right?</sarcasm> What a "terrific" way to get users to undermine their own security :-( In many ways this reminds me of the misreaction you sometimes see to S/MIME signed emails. Since many users don't use client certs, smime signature file attachments are often unrecognized and thus their purpose is not understood. At least at some sites, the reaction to an unknown potential threat may be reptilian: Smash/kill it! Operationally speaking, this may mean things like mod'ing MIMEDefang (or whatever folks are using to deal with genuinely dangerous attachments or genuinely dangerous HTML constructs) to now also eliminate the "threat" of those dastardly smime.p7s files. (just for the record, I'm not aware of ANY exploit that leverages smime.p7s files, is anyone else?) When smime.p7s files start getting stripped, there goes yet another potentially critical piece of security technology. Sigh. Joe _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
