On 4-Mar-09, at 8:36 AM, Boris Zbarsky wrote:
> Florian Weimer wrote:
>> Most users are not subject to MITM attacks
>
> This may or may not be true given the prevalence of wireless
> networks out there... we've had a number of reports of in-the-wild
> MITM attacks by wireless network operators.
>
>> but they do receive all kinds of URL lures.
>
> Yes, most of these are trying to phish sites that are normally SSL,
> so we should be making it very easy to tell when a site is not SSL
> or doesn't have the expected hostname over SSL. Making non-SSL
> sites look more like SSL ones even by similarly highlighting the
> hostname is asking for trouble.

I haven't chimed in much here yet, but suffice it to say that I agree
with everything Boris is saying. I have very little appetite for
calling out domains (or other URL components) on http connections as a
way to provide *security* context, because that context is illusory.
As Jean-Marc has pointed out - there's value in thinking about whether
and how we want to encourage the broader use of SSL. So far the
changes we have made in terms of security UI have been aimed at
teasing apart the promises that various deployment methods actually
make. For EV, we give extra visibility to organization name because
it's the most consumable piece of information; for DV we emphasize the
domain name (to greater or lesser extents depending on the state of
debate over browser.identity.ssl_domain_display). For invalid or self-
signed certs, we make a pretty visibly big deal about the fact that
you're not getting the security you might think, since your "safe from
eavesdropper" communications might well be going TO the eavesdroppers.
I don't think we should labour under the illusion that better SSL UI
will prevent phishing, though. Certainly, for proactive and observant
users, who attend to the indicators we put in chrome, it will help.
Certainly there's *some* value in making those indicators easier to
understand, so that more users might find them helpful. But phishing
by and large continues not to use SSL, which is why we include things
like an anti-phishing, anti-malware filter as well. It's great that
our error pages were so daunting that Moxie went to significant
lengths to avoid them, but the most I think a phisher is likely to do
to "synthesize" security indicators is the lock-as-favicon trick.
Which is precisely why we have moved away from using a padlock in the
location bar as a sign of security: no website can spoof the EV
appearance of the site identity button and, with the
ssl_domain_display pref set to non-zero, (and appropriate care given
to IDN issues), they can't for regular SSL either.
Cheers,
J
---
Johnathan Nightingale
Human Shield