On 13/08/13 08:44, Mikko Rantalainen wrote:
> I cannot speak for Ian, but I'd guess "neutral" mode means something
> along the lines of "use encrypted connection but do not show any
> additional 'secure' UI decorations". That would be suitable for cases
> where the site wants to protect the user input and site output but
> there's no need to convince the user that the *site* is secure. Kind
> of "this is normal content that just happens to be transferred over
> secure link, allow all stuff that would be allowed if the host
> document used an HTTP connection".

http://www.gerv.net/security/self-signed-certs/ deals with some of the
arguments usually raised in this regard.

Implementing such a mode is not simple without ending up effectively
implementing the "SSH model" of key continuity, the flaws in which are
described in that paper.

Say you have an HTTPS bookmark to your bank. You visit it (your techie
friend told you "always use this bookmark for your bank, and you'll be
safe"), and someone MITMs you using "neutral mode". Instead of the big
warning you get now, you'd have to notice the sudden lack of secure
indicators. Ideally, you would, but it's a much less obvious failure
mode than the current warnings.

Those who propose a "neutral mode" need to produce a proper,
critique-able proposal which covers all of the cases like this. They'll
find it's not as simple as it sounds.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security