On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > No, the current SSL UI is *never* easy to use. I challenge you to
> > provide even a single counter-example.
>
> Ok, for example if you always type the URL to go to your bank's SSL
> site, or use a bookmark.
The user could mistype the URL. To take a recent example, it appears Amir, a
security researcher, mistakenly typed in citybank.com, instead of citibank.com.
Similar things happen with all sorts of domain names. On Friday, I mistakenly
typed in planetlab.org instead of planet-lab.org. On multiple occasions, I have
SSHed to sourceforget.net, instead of sourceforge.net.

If the attacker takes over my DNS server, or gets me to connect to the wrong
DNS server, he can direct me to whatever site he likes. Obviously, this kind of
pharming attack also works against bookmarks.

Humans just have a lot of difficulty with a tightly packed, shared namespace.
These difficulties can be exploited on either input or output of names. The
current SSL UI just isn't very forgiving or accommodating of human foibles.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
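The near-miss hostnames Tyler lists (citybank.com, planetlab.org, sourceforget.net) are each one edit away from the site the user meant. The following is an added example, not code from the thread or from any Mozilla component: it shows the kind of check a browser or local proxy could run before connecting, comparing the typed hostname against the user's own bookmarks with an edit-distance metric and flagging likely typos. The bookmark list, the `lookalike_check` and `damerau_levenshtein` helpers, and the two-edit threshold are all constructed for this example; the suffix handling is deliberately simplified and does not consult the public suffix list.

```python
# Added example (not from the original thread): flag a typed hostname that is
# only a few edits away from a hostname the user has bookmarked, so the UI can
# warn before the connection is made. Everything below is constructed.

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (covers 'citybank' vs 'citibank',
    'planetlab' vs 'planet-lab', 'sourceforget' vs 'sourceforge')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_name(host: str) -> str:
    """Normalise a hostname for comparison. Simplification (an assumption of
    this example): lowercase, drop a trailing dot and a leading 'www.'. A real
    implementation would reduce to the registrable domain via the public
    suffix list."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


# Constructed bookmark list standing in for the user's saved sites.
BOOKMARKS = ["www.citibank.com", "planet-lab.org", "sourceforge.net",
             "mail.mozilla.org"]


def lookalike_check(typed_host, bookmarks=BOOKMARKS, max_distance=2):
    """Classify a typed hostname against the bookmark list.

    Returns ("exact", host) when it matches a bookmark after normalisation,
    ("lookalike", host) when it is within max_distance edits of a bookmark
    (the closest one is reported), and ("unknown", None) otherwise. A
    'lookalike' verdict is the case where a UI should interrupt the user
    rather than silently proceed to whatever the typo resolves to."""
    typed = registrable_name(typed_host)
    best = None
    for bookmark in bookmarks:
        known = registrable_name(bookmark)
        if typed == known:
            return ("exact", known)
        dist = damerau_levenshtein(typed, known)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (known, dist)
    if best is None:
        return ("unknown", None)
    return ("lookalike", best[0])


if __name__ == "__main__":
    for host in ["citybank.com", "planetlab.org", "sourceforget.net",
                 "www.citibank.com", "example.org"]:
        print(host, "->", lookalike_check(host))
```

The threshold matters: at distance 1 the check catches the three typos from the message and a transposed pair such as "sourcefroge.net", while a larger threshold starts matching unrelated short names, so a deployment would tune it per name length. The check says nothing about whether the resolved site is genuine, which is the DNS-takeover case Tyler raises; it only closes the input-side typo gap.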