> Ian G wrote:
>> As a consumer you want someone else to promise you
>> it's safe.  As a supplier, you would be utterly
>> insane to do that, without doing a lot of actuarial
>> (insurance) calculations up front and taking twice
>> the likely amount as a premium.
>
> I am not suggesting that we make any assurances that the CA is not
> making; I am suggesting we more clearly represent the CAs position in
> the UI. As you know, CAs take different positions on this issue.


Right.  So there needs to be an easy way to
show the CA's position.

>> OK, but the chance goes down rapidly if it is a
>> scam, and this applies both to Verisign's $1300
>> platinums as Dodgy Dan's $10 certs.  The only
>> determining factor is that a scammer won't bother
>> spending $1300, but if you make that your measure,
>> all historical evidence points out that you are
>> going to be shocked ...
>
> The way to reduce phishing is to increase the cost of setting up a
> phishing site, both in terms of cash and revealed info (pushing them
> onto SSL, forcing them to reveal info) and decrease the value of the
> site (OCSP). The closer you get the two average costs, the less phishing
> there will be, because it will make the bad guys less money, and they'll
> go back to shipping drugs instead.


Something like that.  The precise mix is open
to question;  what is clear is that we need to
move the phisher to be forced to use SSL, and
we need to show the user that the phisher has
provided an SSL cert with some weaknesses.

Both of these mean that "providing transparent
SSL protection" as is currently done is not
going to help.


>>> Actually, I think the CAs might have an answer to that question.
>>
>> They do.  Put their logo on the chrome and let
>> them beat each other up in the marketplace on
>> the question of brand versus quality.
>
> Actually, I explained my point about logo confusion to a representative
> of a big CA this week, and he agreed with me absolutely. But I agree
> there's a spectrum of opinion here.


Did he say that he didn't want his logo on the
chrome?

Of course he will agree about user confusion...
Where before there was nothing (including security
from phishing) and then there is something ...
well, it stands to reason that there will be some
confusion.

My point is that this confusion is exactly the same
sort of confusion that humanity has dealt with in the
past and dominated.  This is the sort of confusion
that users' brains are really wired for - recognising
images and knowing when they don't recognise images.


>> Try it!  You'll get a bunch of different opinions
>> on what to do and never get anywhere, would be my
>> suggestion.
>
> I will try it.
>
>>> So (just to be clear) a corollary of this position is that we should
>>> admit any root cert to the browser store without any sort of vetting
>>> or checking.
>>
>> Yes, technically that is a corollary!  I don't want to
>> open old sores, but ......  Consider that the proposals
>> and the way browsers work is that a dodgy cert or a
>> bad CA or a low number of bits are all considered *worse*
>> than unprotected HTTP (which is indeed much better for
>> phishers) then, actually, accepting any root cert without
>> vetting would be an improvement in security terms over
>> totally unprotected HTTP.
>
> I agree that the issue outlined in the first half of the sentence needs
> to be dealt with, but the second half is not a valid conclusion from that.


Well, let's agree that it's a perverse conclusion;
we really shouldn't need to make it at all.  What
needs to be recognised is that the way the browser
treats a large class of certificate protected traffic
as worse than open HTTP can only result in perverse
results;  e.g., phishing.


>> To which you say, if you don't know who GeoTrust is,
>> then you shouldn't risk your credit card.
>
> So she won't be buying much, then!


Until she learns!  Nobody forces her to shop.  It's
not our God given mission to make her buy those goods.

GeoTrust on the other hand is going to spend some
money advertising so that she does know who GeoTrust
is, and then she will shop.  Or not, in which case
GeoTrust goes out of business.

Not Mozilla's problem.  Not the user's problem.

> We're obviously going round in circles here. Time to stop, I think. I'm
> getting dizzy.


OK!

iang
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security