Ram A M wrote:
<a lot of good sense>

I agree with most of the things you say, and your analysis. Some comments:

As the
value of having SSL certificates warrants the effort to attack the
vetting process, the criminals will do so, and they will likely attack
the weakest process first [an interesting exception to this is
publicity stunts, where the best-known brand is the shiniest target]. I
expect some CAs will back off of trying to do identity authentication
while others will stick with it and will compete on authentication
quality as well as price and brand recognition;

Indeed. I see two fundamental camps here - tie-it-back-to-a-person/business and not. And I think the browser UI should reflect that rather than a particular CA.


One reason for this is that the security UI should be stable - any change in it should be a cause for concern. If you add the CA name/logo to the UI, a change from possibly-dodgy-CA to better-CA on a site is a good thing, a positive security measure, whereas the opposite change is a bad thing, and a sign of a possible phishing attack. All consumers would need to know the brand and trust levels of the 100+ CAs in the database for this to work.

Of course, we might be able to make it work by reducing the number of CAs to (say) 8...

this is an area where
the browser providers can force the issue a bit by enabling this
feedback loop, especially by exposing the site's identity and the CA
who did the authentication, but even without effort by the browser
providers the press will pick this up once it becomes a more
practical concern.

Perhaps. The level of brand awareness required for this feedback mechanism to work is that a person must visit https://www.gap.com, realise it's secured by Foo CA, know that Foo CA has issued the odd dodgy cert, and then go and shop at https://www.sears.com instead. I'm sceptical that CA brands will ever achieve a level of brand awareness that overrides the often million-dollar-backed brand awareness of companies.


I must admit that, being in this industry for a while, I am probably a
bit more cautious than most, but I will not pass my credit card
information to a web-site that doesn't use SSL-style authentication
including a certificate that identifies them.

But, as GeoTrust have pointed out, that information can easily be bogus. So even you are at risk, never mind all those people who don't even look at it.


Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security