Duane wrote:
Ian G wrote:

Peng wrote:


That may instead annoy them sufficiently that they switch back to IE,
if they need to visit the site a lot.  Personally, I didn't use to
think to contact a website if there was a problem.  I just ignored it
or went to another website or spoofed my user agent or something.
Putting up a number in the status bar should be sufficient. If you want to go over the top and actually warn the user that 40 bit crypto is less than optimal, then put up one of those red bars with the little X on it. Popups should only be used for things that demand attention, and 40 bits is 40 bits better than 0 bits, so no attention is needed for infinitely preferable security.
Gervase pointed out that using absolute numbers could be a bad thing, as
you'd have to keep training users when a new standard was made, so why
not use percentages instead...
If you wanted to use numbers, then the cryptographic
reference is the paper by Lenstra and Verheul, and
supporting docs.  Those guys have thought about what
the numbers mean, and even though they admit that the
assumptions are arbitrary, they have got a relatively
consistent framework.

As the numbers change, unless you want to select a
Pareto-secure set and stick to it, you are far better
off just sticking the number there and explaining on
the web site what it means.  Arguments about 40 bit
this and 56 bit that go round and round forever,
because there is no strong basis for them in browser
work.

iang

Ref: http://iang.org/papers/pareto_secure.html
which includes the references to Lenstra and Verheul.
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security