Ian G wrote:
OK, I'll accept that. So your message for the "good" certs is what?
"If you put your CC number into here and get ripped off, it might be possible for you to find the guy who did it."
Just about. As a consumer, I'd be happier with that than "Hey, if you get ripped off, it's not our fault. No guarantees, see? You can just whistle for your money. We're not going to do anything to protect you."
So the honest truth is that with either cert it may be possible or it may not be possible to find the guy!
As a consumer you want someone else to promise you it's safe. As a supplier, you would be utterly insane to do that, without doing a lot of actuarial (insurance) calculations up front and taking twice the likely amount as a premium.
Do you really want to tell people that you know that this particular cert is good for commerce?
I want to distinguish certs where there's a good chance of tracing back to a real person from certs where there's no chance, yes.
OK, but the chance goes down rapidly if it is a scam, and this applies both to Verisign's $1300 platinums and to Dodgy Dan's $10 certs. The only determining factor is that a scammer won't bother spending $1300, but if you make that your measure, all historical evidence points out that you are going to be shocked ...
Um. Which still leaves the question of just who is doing all these things, and who it is that is sitting in judgement over these CAs and saying a) they are doing good enough verification, and b) I'm prepared to bet my users on it.
Actually, I think the CAs might have an answer to that question.
They do. Put their logo on the chrome and let them beat each other up in the marketplace on the question of brand versus quality.
One approach might be: "Hey guys, we're coming up with a way that lets you charge a lot more money for certs and differentiate yourselves in the marketplace. All you need to do is help us come up with some decent verification standards, set up an independent body to oversee them, and you can start charging $1000+ for certs. We'll do the UI and the PR push. How's that sound?"
Try it! You'll get a bunch of different opinions on what to do and never get anywhere, would be my suggestion.
So we should wash our hands of the whole issue and say "we're not going to say anything about security because you might sue us. You're on your own"?
Nope. We stop standing there and saying we are responsible.
I'm not saying we say we are responsible. We are just providing more information to help the user make the decision about whether to trust the connection with their CC number or not.
Perhaps "safe for commerce" was a bad choice of words. My actual current UI thought is a golden $ sign next to the lock.
Sure ... as long as the golden $ sign is in the CA's logo I'd be ecstatic ;-)
I really _must_ get around to writing up the four-level security UI idea properly.
Instead, we say, "we do browsers." And, we also say "CAs do certs, and here's the CA that's doing the cert today."
So (just to be clear) a corollary of this position is that we should admit any root cert to the browser store without any sort of vetting or checking.
Yes, technically that is a corollary! I don't want to open old sores, but ...... Consider that the proposals and the way browsers work are such that a dodgy cert or a bad CA or a low number of bits are all considered *worse* than unprotected HTTP (which is indeed much better for phishers); then, actually, accepting any root cert without vetting would be an improvement in security terms over totally unprotected HTTP.
Right now, there's a popup for a dodgy cert. But there's no popup for unprotected HTTP! As a corollary, the security model for secure browsing is ludicrously unbalanced, and there is simply no point in vetting any CA when unprotected HTTP remains the best way to attack users.
What should happen is that there should be a graduated response for graduated improvements in security. A dodgy cert is always an improvement, albeit not much of one, as kid sister can't snoop. The same goes for the Chinese proxy attack; it's still an improvement because only the Chinese government can now attack you.
(But please don't take these statements of security fact to mean that I advocate abolishing certificates, the draft, white slavery and illegal liquor smuggling...)
Right. But Mozilla does browsers, it isn't the world's commerce policeman. The browsers are a tool for users, not their guardian angel.
So the default settings of Mozilla browsers should be to accept all cookies, even third party ones? We should remove the alert when you download an .exe saying "Be careful about this file - it could be dangerous."?
That depends. Making a judgement call on Exe files might be plausible if there are Exe specialists in Mozilla and they take an expert judgement that this is a danger.
The question is, how many ecommerce specialists are there? How many liability specialists? Are there any people who know how to create and spot fraudulent IDs? These questions seem to be in the negative, if only because we've been raising these specialist questions on this list for over a year, and never has anyone popped up and said "I'm a specialist and what you say is wrong!"
(Well, that's not entirely true, David Ross I think was an auditing guy, right?)
The tool browses, and it provides forms. It gets numbers to the other side, sometimes even securely. What it doesn't say is where is a good place to do that with.
Oh, it does, even now. Ask an average web user what that lock means.
There's even research on that question! But, yes, you are right. The lock says something. My claim is that whatever it says, it's probably wrong and definitely dangerous.
Are you planning to set up a really big table in your UI that lists all the CAs and whether they are "commerce rated" or not?
Yep, just about.
That would make you a super-CA.
Well, it would make whoever decided what that table said reasonably responsible. But it's about the same as the responsibility of admitting the cert in the first place.
No, if the cert domain name and the CA are put on the chrome, that's a very different statement, that's a statement of much more limited responsibility backed by cryptography and care taken with the chain of certificates.
What happens if they decide to issue an identity cert and a domain-control cert, under the same root?
See discussion in .crypto.
Please don't tell me you plan to drop their cert from your table ;-)
Why not actually read the discussion? :-)
You mean on mozilla-crypto@ ? Well, you should give a reference. Crypto has thousands of posts, and I suspect I have read it, I might even have commented ;-)
Some CAs issue certs from different sub-roots; we may be able to include them and give them different levels of trust. Others, you'd pick the lowest trust value and use that. If they wanted better, they'd sort out their issuing policies.
Right. All of this is answered by putting the logo that goes with each different sub-root onto the chrome.
What happens if they convince you that it really is an identity cert, then wait until your UI is out there in its glorious millions, and then they switch to domain control? (Bait and switch, a favourite trick...)
Then we issue a security update either pulling their certs for bad faith, or changing the bits on it.
Ah. So everyone who is ripped off after that is ...
what? Out of luck?
They are in the same position as anyone who suffers loss of some sort after a security update because they hadn't patched. This isn't a browser-specific problem.
Except, the browser said that this cert was ok.
So the browser says, this cert is ok, as long as
- you have an up to date browser,
- you are running OCSP,
- the cert wasn't issued to a scammer who forged all the ID,
- the cert wasn't stolen,
- the cert wasn't issued by a CA in Klapistan where the local gunrunner has a company called Amazon,
- ...
The problem isn't that you can find enough cover for the statements, the problem is rather that there are so many excuses for the reality of the promise that the promise doesn't exist.
This is like CAs saying they will provide trust for your ecommerce, and then stating in their CPS or the cert itself that they accept no liability.
The *reality* is that the promise is worthless.
Or, it's worth a negative amount if whoever makes the promise ever gets called on it.
Has a legal action against you?
Well, does anyone rooted through an IE hole have a legal action against Microsoft?
Yes. In the past, software suppliers managed to work in a no-liability fashion. That's changing as we speak; I don't know if Microsoft is being sued on that point as yet, but I do know that class action attorneys are musing on this, and there is a direct analogue where a bank is being sued for a virus-initiated transfer.
OK, what is the average half-life of an upgrade? That is, what is time for half the users to be upgraded once a security alert goes out?
For Microsoft it's measured in years... For Firefox, can we do better?
Again, not a browser-specific problem.
No, but a very important limitation on the value of the promise.
Or, here's the alternate. An injunction is filed in court preventing you from doing these things.
Are you suggesting a CA could file an injunction to prevent mozilla.org from removing their cert from the root cert store?
That is precisely what I am suggesting.
... If so, then it's a problem we have now anyway.
What it means is that removal of a CA is not something to be usefully relied upon at least until it has been tried.
(Consider that Verisign doesn't have a problem suing ICANN over various things....)
(Quick note, injunctions are normally granted.)
So should I file an injunction to prevent you leaving your house? :-)
You could! But you would have to claim that I am intending or likely to take some action that would harm you :-) And then, if it were granted, I would then file an affidavit showing that this is unlikely because I don't know where you live.
(Quick addition: as far as I know it from my limited experience on the end of one, injunctions are rarely dropped, because they are intended to preserve the balance of power between the parties, and to refer the fight to the courts. However, if you were to file and make _material misrepresentations_ then that is grounds for the dismissal of the injunction.)
Apart from the one where the user says "so, can I put my credit card into this page or not?"
Right. That ain't your problem.
If it isn't, whose is it? The user is staring at their screen. They have a browser UI, and a website they have to decide whether to put info into or not. So they can either look at the browser to decide, or the website content. Which is it? :-)
It's the user's problem! The user has always worked it out in the past. They will in the future. And they will even more when the browser helps them some more by providing some more information on the chrome.
> merchant
i.e. the user should look at the site to assess its trustworthiness.
One way among many. Users do this all the time. Check it out, run some tests.
> user
On what basis? That's the question we're asking!
It's their money. They are an authority on how they spend it.
> CA
Er... that's what I'm arguing for. The browser UI would reflect the amount of verification the CA had done.
Yes. And the only way to do that is to put some graphical logo on the chrome that comes from the CA, and indicates a level of verification that each and every CA decides for themselves.
Mozilla cannot make that decision - only the CA can make any representation there.... What the browser can do is ensure that the logo really belongs to the CA.
> credit card issuer
> bank
So the user should call their issuer or bank before using their card on the net?
Recall the list was about who was an authority.
So yes, the user could certainly call the bank about the question... Given that banks call users about dodgy credit card transactions all the time, then that's not as stupid as it sounds.
(See comments from Frank on credit card transactions.)
(See the emerging developments in centralised databases for anti-phishing.)
You are however an authority on browsers. You might be an authority on certificates. And SSL. You could stand in court or stand in front of destitute grandma and say:
"GeoTrust issued this cert to that domain"
And she says something like "Who?". Or "What you talkin' 'bout, boy?",
To which you say, if you don't know who GeoTrust is, then you shouldn't risk your credit card.
Don't buy from people you don't know, grandma!
or "Your UI said this site was secure! There was this little lock and everything!"
Yeah. The lock is dangerous!
or "But GeoTrust issue all sorts of certs, some of which are well verified and some of which are not. Which sort is this?"
Ah, well, stick the logo for that subroot up there, PLEASE!
iang
--
News and views on what matters in finance+crypto: http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
