Doug Wright wrote:
Gerv suggested I post this here for discussion - copied from bug 288693

When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site.


Why not just put the number of crypto bits on the status
bar, next to the site name, CA name and padlock?  Add a
few question marks if it's a nuisance:

      www.weakling.com  512/40 ???? (by WeakCA)
      www.strong.com   4096/256     (by StrongCA)

(Honestly, there's nothing
wrong with 512-bit RSA keys;  if there was an attacker on
this planet who was stupid enough to crunch a 512-bit key
just to get credit card info then I'd consider it a good
use of keys to keep him distracted;  if he's that dumb, he
probably won't think of hacking the server to download the
10,000 credit cards from the database, and his live attacks
on the traffic will discover him eventually.)

(On the other hand, it was explained here on this list a
few months back that SSL2 is a serious pita.  If there was
a way of annoying the user about *that* then that would
help everyone.)


For reference: the latest Opera 8 beta does this and displays the message

'This site is using an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?'

In Opera, the message must be OKed/cancelled *before the site is even
rendered*.

Heavens above! I wonder what they are going to do when an unprotected HTML site asks for a credit card number? Self destruct? Launch an SS18?


My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it.

(http://my.opera.com/forums/showthread.php?s=b9954ef796e4d661961e2af3d9b567db&threadid=85778)


It's 2005.  The threat to your credit cards is in the
server, in your PC, and in your mail box.  It isn't on
the wire.

iang

--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security