On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> I think a fourth point is required as well:
>
> 4. No (or minimal) input from user.
>
> Current SSL system generally requires no input from user (exceptions are
> when some problem with the certificate the server presents).

The above statement is incorrect and is a primary factor underlying the current phishing problem. The current SSL UI requires substantial user input on every site visit. To be safe, the user must verify that SSL is enabled and that the displayed domain name exactly matches the expected domain name (which implies that the user has also discovered and memorized the correct domain name). This is way too much effort to ask of the user, especially since the task must be repeated for every single site visit. The consequence is that typical users don't do this work and so are vulnerable to phishing attacks.

The current SSL UI may initially give the impression of not requiring any user effort, since all the burden is placed on the user's mind, instead of the user's fingers, but this first impression is gravely mistaken. As long as we fail to account for the mental burden a design places on the user, we will fail to understand or solve the phishing problem.

I think it's also important that we move beyond the "blame the customer" phase of this failure. Phishing occurs not because the user is lazy and stupid, but because the current SSL UI is lazy and stupid. The current SSL UI just blindly displays whatever the attacker asks and punts to the user for the work of recognizing the site and putting it in context. It's a 1.0 release design that was never followed up on. We're paying the price for this design laziness now. Phishing is our fault, not the user's. Until we accept this, we will fail to understand or solve the phishing problem.

> petname is
> an example where input is required for every SSL-enabled site the user
> visits more than once.

This statement is also false. The petname tool requires user input for each SSL site the user forms a trust relationship with. If there is nothing to protect, the petname tool requires no effort. If there is something worth protecting, the petname tool requires a small initial effort and in return provides strong protection and greater ease of use for subsequent visits. That sounds like a good deal to me.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
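As an added example (not part of the original message, and not the Petname Tool's own code), the following is a minimal model of the mechanism the reply defends: the user names a site once, and on later visits the browser chrome shows that name, keyed to the server's key rather than to the hostname the server asked for. Keying the store on the SHA-256 of the server public key, the constructed sample keys, the hostname string and the display strings are all assumptions of this example.

```python
# Added example: a simplified petname store for TLS sites. Not code from
# the Petname Tool or from Mozilla; keying on the SHA-256 of the server
# public key is an assumption made for this illustration.
import hashlib
from typing import Dict, Optional


class PetnameStore:
    """Maps a stable site identity to the nickname the user chose for it."""

    def __init__(self) -> None:
        self._names: Dict[str, str] = {}

    @staticmethod
    def identity(server_public_key: bytes) -> str:
        # Identity is bound to the key the TLS session authenticates,
        # not to the hostname string an attacker gets to choose.
        return hashlib.sha256(server_public_key).hexdigest()

    def assign(self, server_public_key: bytes, petname: str) -> None:
        """The one-time effort: the user names a site worth protecting."""
        if not petname.strip():
            raise ValueError("petname must not be empty")
        self._names[self.identity(server_public_key)] = petname

    def lookup(self, server_public_key: bytes) -> Optional[str]:
        """Zero-effort path: the saved name, or None if no relationship exists."""
        return self._names.get(self.identity(server_public_key))


def legacy_chrome(hostname: str, tls_ok: bool) -> str:
    """What the current UI shows: the hostname the server (or attacker)
    asked for, plus a lock icon. The matching is left to the user's head."""
    return ("[lock] " if tls_ok else "") + hostname


def petname_chrome(store: PetnameStore, server_public_key: bytes) -> str:
    """What a petname UI shows: the user's own name for this key, or an
    explicit marker when the user never formed a relationship with it."""
    name = store.lookup(server_public_key)
    return f"[petname] {name}" if name else "[unrecognized site]"


# Constructed sample keys standing in for real server public keys.
BANK_KEY = b"constructed-public-key-of-the-real-bank"
PHISH_KEY = b"constructed-public-key-controlled-by-attacker"


def demo() -> Dict[str, str]:
    store = PetnameStore()
    first_visit = petname_chrome(store, BANK_KEY)   # nothing to protect yet
    store.assign(BANK_KEY, "My Bank")               # the small initial effort
    later_visit = petname_chrome(store, BANK_KEY)   # recognized, no effort
    # A phisher serves a look-alike hostname over valid TLS for that name.
    # The legacy UI renders the attacker-chosen string; the petname UI,
    # keyed on the attacker's key, shows no relationship at all.
    lookalike = legacy_chrome("secure-mybank-login.example", tls_ok=True)
    phish = petname_chrome(store, PHISH_KEY)
    return {"first": first_visit, "later": later_visit,
            "legacy": lookalike, "phish": phish}


if __name__ == "__main__":
    for label, shown in demo().items():
        print(f"{label:7s} -> {shown}")
```

The point the reply makes shows up in `demo()`: an unnamed site costs the user nothing, a named site is recognized on every later visit without re-reading a domain, and a look-alike hostname is never rendered as something the user has to compare against memory.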
