Ryan,

On 12/31/2012 11:43, Ryan Sleevi wrote:

> So far, the two proposals are:
> 1) Nag the user whenever they want to make a new secure connection. This
> nag screen is not shown over HTTP, so clearly, HTTP is preferable here.
> 2) Respect national borders on the Internet.
>
> If anything, the more user interaction, even once, of a technically
> complex nature, is enough to disincentivize any site operator from using
> SSL. "Oh, my Firefox users are going to see a prompt? I don't want to send
> them to SSL then, because they'll complain / it will be a lost sale."
Indeed. If we want to educate any users, it should be about not submitting things over plaintext connections.

Once upon a time, Mozilla and Firefox had a warning for submitting data over plain insecure HTTP.
There isn't even UI to turn this warning on now.
I had to manually go to about:config to turn it back on yesterday, sigh.
This warning still comes with a checkbox to deactivate it also, which it shouldn't; I don't want it ever turned off again.

I don't believe there is any hope we can educate users about security through pop-up dialogs.

If we want better security, I would suggest some kind of global high-security mode of operation where all those warnings would be enabled and could not be turned off. And maybe even make the users solve some CAPTCHA to get past the warning for insecure submit, to ensure that users are really reading it. No ability to just blindly or accidentally hit ENTER and submit insecurely.

> Even once is enough. Otherwise, why would sites even bother getting a CA
> certificate, since they can already condition users to 'pin' to their
> self-signed cert by virtue of clicking through.
Right, IMO the CA trust selection should not happen at connection time.

It should happen before. Maybe when one chooses to turn on this "high security mode", they would be presented with the CA list.

And maybe they could be grouped by various categories, such as EV/non-EV certificates, country of operation, etc. And the user would be able to choose which CAs to distrust from the built-in list. There are far too many built-in CAs as it is IMO for it to be practical for anyone to deselect them on a one-off basis.


> If the goal is to reduce power or risk, then something like Certificate
> Transparency should be the game. Having transparent reports of issuance
> and the ability to monitor for misissuance should be the end goal -
> whether you're operating a CA that serves 50 domains or 500 million
> domains. It's highly elitist to suggest those 500 million are worth more
> than those 50 - especially if real users' lives are at risk for those 50
> domains.

The problem is that a root CA doesn't necessarily know how many certs are chaining back to it. It's up to the intermediates to issue the final certs. If an intermediate got compromised, it could well issue 50 million bogus certs without the root knowing until it's exposed. Certificate Transparency may require some new infrastructure to dynamically discover the cert hierarchy.
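To make the root/intermediate point above concrete, here is an added Go example (not code from this thread or from any Mozilla project) that builds a constructed three-tier hierarchy with the standard library: a root that has signed exactly one thing, an intermediate, and an intermediate that issues end-entity certificates. The names ("Constructed Root CA", "example.com") are made up for the illustration. A relying party that trusts only the root accepts whatever the intermediate signs, and the only party that knows the issuance volume is the intermediate itself, which is why discovering the hierarchy needs monitoring infrastructure rather than asking the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed PKI: the root signed only the intermediate, and the
// intermediate signs end-entity certificates. The root holds no record of those.
type Hierarchy struct {
	Root     *x509.Certificate
	Inter    *x509.Certificate
	interKey *ecdsa.PrivateKey
	issued   []*x509.Certificate // known only to the intermediate
}

var serial int64 // constructed serial counter, fine for an in-memory example

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template; CA templates get certSign,
// end-entity templates get a DNS SAN and the serverAuth EKU.
func template(cn string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewHierarchy creates a self-signed root and one intermediate signed by it.
// The root key is used exactly once and then dropped.
func NewHierarchy() *Hierarchy {
	rootKey := newKey()
	rootTmpl := template("Constructed Root CA", true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interKey := newKey()
	inter := sign(template("Constructed Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	return &Hierarchy{Root: root, Inter: inter, interKey: interKey}
}

// Issue has the intermediate sign a server certificate for host. Nothing here
// touches the root key or any root-side record.
func (h *Hierarchy) Issue(host string) *x509.Certificate {
	leafKey := newKey()
	leaf := sign(template(host, false), h.Inter, &leafKey.PublicKey, h.interKey)
	h.issued = append(h.issued, leaf)
	return leaf
}

// Verifies reports whether a client that trusts only the root, and is handed the
// intermediate in the chain, accepts leaf for host.
func (h *Hierarchy) Verifies(leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// RootAloneVerifies shows the root by itself cannot even link the leaf to itself.
func (h *Hierarchy) RootAloneVerifies(leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(h.Root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// IssuedCount is the only place the true issuance volume exists: the intermediate.
func (h *Hierarchy) IssuedCount() int { return len(h.issued) }

func main() {
	h := NewHierarchy()
	leaf := h.Issue("example.com")
	fmt.Println("root+intermediate accepts leaf:", h.Verifies(leaf, "example.com"))
	fmt.Println("root alone accepts leaf:", h.RootAloneVerifies(leaf, "example.com"))
	fmt.Println("certs the intermediate has issued:", h.IssuedCount())
}
```

The asymmetry the thread describes falls out of `Verifies` versus `IssuedCount`: trust flows down from the root through whatever the intermediate signs, but the count of what was signed lives only with the intermediate. A log of every issued certificate that the relying party can consult is the missing piece.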

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
