Gervase Markham wrote:
>> To be safe, the user must verify that
>> SSL is enabled and that the displayed domain name exactly matches the
>> expected domain name (which implies that the user has also discovered
>> and memorized the correct domain name).
> I don't think that's particularly unreasonable. What's the domain name
> of your bank? PayPal? Ebay?
Really! What about my citybank incident? Or... just go to Citybank.com
(no typo this time) and see what domain they use for home
banking... And they are not unique; there are many such FIs using
various unrecognizable domain names, including CitiBank, and some that
use domains belonging to other corporations, including e.g. BoA.
> Any site with which the user has a relationship involving money will
> have been visited by them several times, and they will know what the
> indicator is supposed to look like.
Seriously, you expect users to even look at the URL? Notice a difference?
> I'm not arguing the current UI is perfect, but I think you are
> dismissing it too readily.
Gerv, really, this is common sense, and I present some usability data
proving this in my paper. Users don't dig URLs!
> This is a straw man. We are not "blaming the customer". Having said
> that, it's hard to protect a user who is happy to type their CC number
> into any form which asks for it.
Funny... the CC# is in fact one of the least sensitive items for a
consumer; we give it to every cafe, why not to every website? There, at
least, the law protects the consumer. Banks don't think this is the case
with e-banking. Although, at least for banks which do not use SSL to
authenticate the login page, I think there is a possible claim of
negligence / failure to maintain duty of care. But this needs to be
evaluated legally, of course; I can't be sure yet (trying to get this
resolved).
Best, Amir Herzberg
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security