On Tue, Dec 30, 2008 at 1:04 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
> BCP 38 requires that active MITM attacks don't work on LANs. LANs
> which violate that and are under attack are typically not very usable:
> Search engines block you due to automated queries, DHCP and DNS
> deliver data which is not 100% accurate (with unknown consequences),
> you receive even more web ads than usual, rogue PPPoE servers sniff
> your credentials, and so on.
I'll point out that at least one of the cases which Mozilla is using as its standard for the security UI involved a user who was subject to an active MITM attack while connected to a public wireless hotspot.

BCPs do NOT mandate anything. They are "best current practices", and it's a fact that they can be ignored by anyone for any time for any reason (they are advisory, but local policy can and will often override them).

> In short, I don't think this is the use case to optimize for.

I think this is important to realize: security is not an all-or-nothing thing. Anyone who puts all of their eggs in one basket (a single thick wall, or a moat -- or, as was found in the late 90s, a firewall) is going to be unpleasantly surprised when the security of their supposedly-impregnable defense is breached and they have no mitigation plan. We NEED to optimize for this case.

(note: "unknown_issuer" without talking at all about who the issuer claims to be -- and being able to download a certificate and then accept it without having to see who it's issued by -- is a "WTF WAS THE SECURITY TEAM THINK--WAIT, WAS THE SECURITY TEAM THINKING??!!!!" situation. It failed to mitigate against the attack that Nelson cites, bug 460374.)

-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto