Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Ian G wrote:
It's an americanism as far as I know.  You sometimes
see it in the Caribbean, but that would be a sign
that they were trying to appeal to americans, which
is actually a red flag (probably a scam).
I was making the general point - company names are not unique, and CAs 
don't attempt to enforce uniqueness.

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Ram A M wrote:
1 One vector site-spoof attacks rely on is hiding the true domain name.
True - so users should make sure they are certain of the true domain 
before interacting with a site. If they can't be sure, they shouldn't 
interact with it.

Currently, of course, if the connection isn't over SSL, _we_ can't be 
sure that they are connected to a particular domain. And if the browser 
can't be sure, the user certainly can't.

How about if the address bar by default showsonly the domain-name and
the user can change that to be the current behavior. Further the domain
name only appears in the status-bar when TLS is in use and the domain
name of the site is in the certificate?
While we might do the address bar differently if we were starting 
browser design again, I think I can fairly safely say that changing the 
way it works now is a non-starter from a usability point of view. It 
would be too confusing for users.

Regardingthe value of showing the organization name and country. I say
it's hard to know if subbrand.sometld is really owned and operated by
mega-product company. Showing the domain name to the user does not
address this. 
That's the first good argument I've heard for this change. :-)
Showing the name of the company may. Showing
firstbankofsomewhere.sometld is not as reliable as showing First
Bank of Somewhere as the organization name. 
I note your example includes a geographical location; not many business 
names do. How many First Banks are there around the world?

This is especially true
when certificates are issued to enrollees who demonstrate control of a
domain at most.
We need to deal with that particular issue a different way, IMO.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Gervase Markham wrote:
Ram A M wrote:

Showing the name of the company may. Showing
firstbankofsomewhere.sometld is not as reliable as showing First
Bank of Somewhere as the organization name. 

I note your example includes a geographical location; not many business 
names do. How many First Banks are there around the world?

It's an americanism as far as I know.  You sometimes
see it in the Caribbean, but that would be a sign
that they were trying to appeal to americans, which
is actually a red flag (probably a scam).
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Benjamin D. Smedberg]

Gervase Markham wrote:
The chances of this sort of change to the address bar are near-zero. But 
have you seen the new domain indicator in Firefox 1.0 and above?
What new domain indicator?
--BDS
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Benjamin D. Smedberg wrote:
Gervase Markham wrote:
The chances of this sort of change to the address bar are near-zero. 
But have you seen the new domain indicator in Firefox 1.0 and above?

What new domain indicator?

In Firefox 1.0, when the SSL connection is established
without any problems, Firefox puts the domain name from
the cert in the bottom right of the status bar (great!).
It also colours the URL bar at the top yellow (nice!).
It's a great start.  (more! more!)
As an example of great experimentation the Firefox guys
also added another padlock inside the the URL bar on the
right hand side.  Unfortunately, by means of a cunning
technology called favicons, one can also have ones own
padlock on the left hand side:
http://www.pgp.com/
But every little experiment helps!
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

Regarding the domain indicator - I assume you mean the one that appears
adjacent to the padlock. I think that's great. However I'll give you
two reasons to allways display the the domain name.

1 One vector site-spoof attacks rely on is hiding the true domain name.

2 How many users look at the address bar all loaded up and say - umm
yeah I'm not a programmer, why are they showing me this nonsense. If
screen-space is so valuable (AND IT IS!!) then we might as well get rid
of stuff that doesn't help people, at least in the default setting.

How about if the address bar by default showsonly the domain-name and
the user can change that to be the current behavior. Further the domain
name only appears in the status-bar when TLS is in use and the domain
name of the site is in the certificate?

Regardingthe value of showing the organization name and country. I say
it's hard to know if subbrand.sometld is really owned and operated by
mega-product company. Showing the domain name to the user does not
address this. Showing the name of the company may. Showing
firstbankofsomewhere.sometld is not as reliable as showing First
Bank of Somewhere as the organization name. This is especially true
when certificates are issued to enrollees who demonstrate control of a
domain at most.

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

On a related point, can we perhaps use this new high/low assurance bit 
in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit 
in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?

That would be to impact the definition of high assurance
with the policy aspects of getting OCSP going.  Until OCSP
is up and going and shown to be a really good idea, it is
not a good idea to link it to another area of uncertainty.
The unintended consequences of that might actually make
either of high assurance or OCSP more difficult to get
going.
If one wanted to signal that OCSP was correlated to high
assurance, maybe the notion is to put another little icon
on the status bar that said OCSP in action.  Then, as
time goes on, we could see if that became a good signal of
quality or not?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit
Uh, what new high/low assurance bit? Has someone already committed to 
implement this, and we've agreed to take the patch? :-)

in the cert store as something to hang cert revocation off? If you want 
to be in the high assurance store, you have to have a working OCSP 
server defined in your certs, or something like that?
Two points:
1. A number of high assurance CAs do not have OCSP set up. In doing my 
CA list at

  http://www.hecker.org/mozilla/ca-certificate-list
(which covers only new CAs applying for inclusion) I tried to track down 
information on CA's OCSP services; as you'll note, it's not that common. 
However providing CRLs is almost universal, but...

2. Neither Firebird nor Thunderbird have CRL checking (let alone OCSP 
validation) turned on by default; it must be manually enabled by users 
(e.g., by clicking on a link to a CRL -- try one of the ones on the page 
referenced above). This is a big product gap that needs to be filled, 
e.g., by recruiting some more NSS/PSM developers.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ram A M]

Great job Frank.

Frank Hecker wrote:

 Briefly, the motivations behind this proposal are as follows:

I like the foundation.


 Without further ado, here's the proposal:

 * Retain the current Firefox UI when SSL/TLS is not used:

- no padlock or other SSL/TLS-related indicator in status bar
- location bar background is white
- site domain name is *not* displayed in the status bar

Agree. To repeat a comment I made in another thread, I think the
default address bar should not list pre-protocol-specifier items
(username/password@) nor post host-name data (/foo/bar/some.jsp), an
option should be to change back to the currently popular model of
showing the full gory bits.


 * Retain the current normal case SSL/TLS Firefox UI:

- display locked padlock in status bar
- location bar background is yellow
- site domain name from certificate is displayed in status bar

Again I say show the certificate subjectDN (organization, country..)
and the basic domain name not the full address bar, these are valuable.
I like the dispaly of authenticated domain-names in the status bar (ie
if they come from a cert at the site).

For the rest of the UI variations I need to give it a lot more thought
than I have time for at the moment. Mock-ups would probably make a big
difference in conveying the ideas (I'm not asking for them, but I'm not
likely to make them either).


 Some follow-on comments:

 * The UI for SSL/TLS with low-assurance certs should be similar but
not
 identical to that for high-assurance certs.

I don't have a strong sense of what the right feedback mechanism should
be. But some things to consider feedback for, some of which you address
(and most not in the terms presented in the list):

=MoFo policy high assurance
=MoFo policy low assurance
=MoFo policy no assurance
=Unknown issuer
=Entity name authenticated
=Domain name authenticated
=Certificate is revoked (perhaps revoked should never be accepted
without going through a deep options menu)
=Certificate is expired (note that CAs may not offer revocation
checking for expired certificates, either by purning CRLs or by
refusing OCSP service)
=Certificate domain-name matches DNS domain-name
=Number of visits to site (the problem here is this wil sometimes
unduly scare the user - consider how many dns names WFB uses for their
service)


 * This proposal in a sense breaks existing sites using
low-assurance
 certs, since users of those sites will no longer see the padlock. To
 ease in the transition, it may be appropriate to put up a warning
dialog
 or informational message the very first time the browser encounters a

 low-assurance cert, so that the user will be informed about what is
 going on and will (we hope) be less confused when they see the
checkmark
 instead of the padlock.

I like this model many users are completly new users and giving them
these kinds of tidbits goes a long way to educating them - few will
read a dummy's guide. There should be at least such a pop-up for every
note-worthy new event (first high assurance, first low assurance, first
domainname mismatch, first unknown CA, first revoked, first expired,
change of CA for known site (possible DNS attack).


 * In the case of a self-signed cert or cert from an unknown CA,
Firefox
 should *not* offer users the opportunity to accept the certificate or

 the certificate's issuing CA as trusted, at least not from the
 immediately visible UI.

This seems a necessarily compromise to avoid the 'click through
everything' behavior the user seems to have today.


 * In the case of a cert from a known CA but with an non-matching
domain
 name, the warning dialog should be displayed at least once per
browser
 session, without the possibility of turning it off permanently for
that
 site. If an informational message is displayed in this case, then
 perhaps its dropdown menu can contain an option to not display the
 informational message in the future for not matching domain names
 (similar to the option for self-signed certs or unknown CAs); in this

 case the UI indicators would remain the same, except for an X mark
 replacing the exclamation mark in circle accompanying the original
 informational message.

This may be a bit complicated but I don't have a better suggestion off
hand.


 (I don't think it makes sense to not display a status bar indicator
at
 all after dismissing the information message, and to treat this case
the
 same as a non-SSL site. There really is something wrong with the site
--
 it's either misconfigured or is using a stolen key and cert -- and
the
 UI should reflect that.)

Agree.


 * A high assurance certificate can be defined at a high level as a

 certificate issued only after some level of human review of the cert
 subscriber, whereas a low assurance certificate might be issued
 through an automated process,

I suggest the inclusion of technical robustness criteria as well.
Consider that regardless of the techniques use to vet an enrollment
every CA with 

Re: Strawman proposal for SSL UI changes

[Ram A M]

A quick point, the idea of including a statement of relying party
warranty has great potential. A cert extension in EE, chain, or root
certificates could include a numeric value. There is some work to be
done in terms of standardization (actually IIRC I saw a post indicating
this work is done, underway, or imminent). There are issues around
currency - it could be specified in Euros, US Dollars, Gold weight or
others, there are probably at least a few conventions that would
suffice (probably not a currency that is prone to heavy devaluation).

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[J. Wren Hunt]

-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
HJ wrote:
| 2) Some important sites are not using SSL for their login pages - Yahoo
|   apparently being one.
|
|
| I have a Yahoo e-mail account, and that uses SSL for logins.
| Are you talking about the free Yahoo webmail or paid Yahoo e-mail
accounts?
|
I recently had occasion to traipse through Yahoo!'s login process - it's
actually rather neat: if you choose the non-default Secure login then
you're connected via SSL as expected. If you take the default Standard
login route, it then checks to see if your browser supports Javascript
and has it enabled then it generates a password hash for login. If you
have Javascript disabled, etc., then it *falls back* to the Secure
login. Rather slick! I think their Standard login description is a bit
of a misnomer in this case.
- --
Cheers!
J. Wren Hunt
Cambridge, MA. USA
- 
In theory, there is no difference between theory and practice. But, in
practice, there is. - Jan L.A. van de Snepscheut
+--+
| v-card   http://wrenhunt.homelinux.org/data/wren.vcf |
| x.509http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer |
| OpenPGP  ADF5 1432 A59E 8F4D 4AE7  4DFE 03FA 91E1 4A24 D6F4  |
+--+
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1rc2 (Darwin)
iD8DBQFCODOAA/qR4Uok1vQRAwEIAJ0WoiaDwl40ByQhvhK49wuBLNfb5gCg3c3W
NcKXJO/IoRADrUCuakz0UO0=
=Yudv
-END PGP SIGNATURE-
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Peter Gutmann wrote:
Location bar is something more noticeable than yellow.  Have you ever looked
at the pastelly-white vs. pale-yellow location bar on a laptop LCD screen in
bright room light or outdoors?  The two are virtually indistinguishable.  I've
seen older laptops with either poor-to-begin-with or faded-over-time LCDs
where you can't actually tell the difference between the two colours.
This is a valid point. I guess alternatives would include a different 
color and/or some sort of patterned background to further increase the 
contrast.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

Frank Hecker wrote:
What's your and Dan's motivation for doing that? Because the domain name 
as displayed in the address bar may be misleading (e.g., by people doing 
tricks to spoof the name as displayed)?
There were several reasons behind the decision. There is discussion in 
https://bugzilla.mozilla.org/show_bug.cgi?id=262366 . Basically:

1) Most phishers are currently not using SSL, and people are left 
parsing complex URLs in the URL bar.

2) Some important sites are not using SSL for their login pages - Yahoo
  apparently being one.
2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
I'm still not really convinced it's a good idea, but the real reason I 
agreed to it, though, was that otherwise Dan was threatening to port his 
Firefox 1.0.1 patch which puts the URL in the _title_ bar on popups (as 
IE now does) over to the trunk. :-) And I figured that if we were 
determined to display the domain somewhere on insecure popups, at least 
we should:

- be consistent
- keep security UI to the status bar, without letting it creep
  everywhere
- avoid the problems IE has with their title bar implementation.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[HJ]

Gervase Markham wrote:
Frank Hecker wrote:
What's your and Dan's motivation for doing that? Because the domain 
name as displayed in the address bar may be misleading (e.g., by 
people doing tricks to spoof the name as displayed)?

There were several reasons behind the decision. There is discussion in 
https://bugzilla.mozilla.org/show_bug.cgi?id=262366 . Basically:

1) Most phishers are currently not using SSL, and people are left 
parsing complex URLs in the URL bar.

2) Some important sites are not using SSL for their login pages - Yahoo
  apparently being one.
I have a Yahoo e-mail account, and that uses SSL for logins.
Are you talking about the free Yahoo webmail or paid Yahoo e-mail accounts?
2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
There is, or should be, (for now) that Mozilla Firefox icon (at least on 
Windows) at the upper left corner of the window (I don't have a clue 
what the official for it is).

I'm still not really convinced it's a good idea, but the real reason I 
agreed to it, though, was that otherwise Dan was threatening to port his 
Firefox 1.0.1 patch which puts the URL in the _title_ bar on popups (as 
IE now does) over to the trunk. :-) And I figured that if we were 
determined to display the domain somewhere on insecure popups, at least 
we should:

- be consistent
- keep security UI to the status bar, without letting it creep
  everywhere
- avoid the problems IE has with their title bar implementation.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Gervase Markham]

HJ wrote:
I have a Yahoo e-mail account, and that uses SSL for logins.
Are you talking about the free Yahoo webmail or paid Yahoo e-mail accounts?
This was Dan's example; and I think he meant the login page was 
unencrypted but submitted to an encrypted target. Amazon does this also, 
I've noticed.

2) We need a way to brand every browser window so that it can't be
   confused with an OS window. Just the status bar - a featureless grey
   blob - doesn't really do that. Having the domain makes it clear.
There is, or should be, (for now) that Mozilla Firefox icon (at least on 
Windows) at the upper left corner of the window (I don't have a clue 
what the official for it is).
Hmm, well, maybe. It's not really enough, though.
Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
Frank Hecker wrote:
snip
5. Discourage typical users from modifying the default list of 
trusted CAs and certificates, in particular by adding new site or CA 
certs as warning dialogs pop up.
I'm not sure I understand this sentence.
I meant the following: Right now when you connect to a site that 
presents a self-signed SSL cert, or an SSL cert issued by a CA not 
currently in the Firefox/NSS default list (or in the list, but with SSL 
trust bit set to no), the user is presented with a warning dialog 
that (among other things) offers them the option to trust the site 
cert and/or the CA cert on a permanent basis. This in turn causes at 
least some end users to modify the default cert list simply in order to 
get past the warning dialog and get on with viewing the page.

(The user could also cancel the connection or accept the cert only for 
the current session, of course, but I suspect a significant percentage 
of people actually accept the site or CA cert permanently.)

I believe that we should discourage such behavior, by removing the 
warning dialog entirely. Instead Firefox should simply display the web 
page in question without popping up a dialog, with some UI indicator to 
indicate that the page was not retrieved via a normal SSL connection. 
(For example, I suggested displaying a question mark instead of a 
padlock, and not changing the address bar background at all.) If the 
user then wants to actually trust the site or CA cert they could do so 
in some other way, e.g., through a menu item on an informational message 
dropdown, or through FF preferences, or whatever. But making such a 
decision would be optional, not forced through use of a modal dialog.

Note that this issue is entirely separate from the issue of using 
different UI for low asurance vs. high assurance certs, and IMO 
should be considered no matter what people decide om the latter issue.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Gervase Markham wrote:
Er... a slight snag here is that dveditz and I just agreed that we would 
start displaying domain names on non-secure sites.
What's your and Dan's motivation for doing that? Because the domain name 
as displayed in the address bar may be misleading (e.g., by people doing 
tricks to spoof the name as displayed)?

Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Ian G wrote:
Now for MAJOR point #2.  What is the definition of assurance ?
And what is meant by high assurance ?
I'll apologize in advance for not addressing all your points, both in 
this message and your others. I have a tight time window for doing this 
sort of thing, and I wanted to concentrate on a couple of key points below.

Frank Hecker wrote:
sbip
The reason for making the high/low distinction depending on the 
presence or absence of human review is that this is directly related 
to the cost (in time and/or money) of doing phishing attacks that 
direct people to SSL-protected sites.
snip
OK, this is getting closer to a rationale of economic
security.  For the phisher, there is only one question,
which is how much does it cost me and how much do I earn?
Agreed, which is why I think realistically any notion of assurance has 
to ultimately justify itself based on economic analysis. To expand on 
your comments on the threat du jour represented by phishing, pharming, 
etc., one presumed thing we want to prevent (as I noted) is phishers 
getting throwaway certs for throwaway domains, and thereby being able to 
more convincingly impersonate real ecommerce and financial sites.

(Note that I don't certainly don't think this is the only possible 
anti-phishing defense, or even necessarily the best one, but it 
certainly seems to be what people are concerned about in the whole 
series of discussions we've been having re raising the bar relative to 
CAs. Hence my interest in putting out a strawman proposal on how to do 
this, to make the discussion less abstract and more concrete.)

Here's my attempt at a quick back of the envelope analysis of the 
economics of phishing as they relate to SSL certs (not a real analysis, 
but a mere sketch): How much do I earn could be quantified as expected 
revenue per day resulting from standing up a given phishing site at a 
given domain, times expected lifetime of that site at that domain (e.g., 
before the domain or server is taken down by others or blocked by 
phishing blacklists or whatever). (Expected revenue per day is 
dependent on other factors, such as the type of site being impersonated, 
number of phishing spam emails sent out, etc., but we'll leave all that 
aside for now.)

How much does it cost me could be quantified by some formula involving 
the direct monetary cost of the SSL cert, related monetary costs of 
applying for the cert (e.g., cost of obtaining fraudulent id documents), 
the time required to get the cert (which equates to potential revenue 
lost from that domain that could otherwise be earned in the meantime), 
the probability of the cert application being rejected (more lost time, 
assuming rejection is not instant), and the probability of the phishing 
fraud being traced back to the actual phisher (which combined with the 
probability of being caught by law enforcement and convicted of 
something, plus the expected fines and/or jail time, equates to loss of 
future gains from phishing, which can then be used to calculate a net 
present value figure to go into the overall cost estimate). There may be 
other elements I haven't thought of, but these will serve as examples.

Given such a calculation, we could (at least in theory) define a high 
assurance cert for our purposes as a cert whose cost to the phisher 
exceeds the expected revenue (i.e., fraudulent gain) for the domain 
with which the cert is associated. Whether we could make such a cost 
calculation in practice is of course uncertain, but I don't think it's 
totally out of the question given sufficient motivation to collect the 
data and do the calculations.

The other thing I'll note here is that under this approach CAs could 
have wildly different attributes but still have the same resulting 
expected costs from the phisher's point of view. For example, one CA 
might sell cheaper certs (or even provide free certs) than another CA, 
but might require a week to issue a cert where the more expensive certs 
might require only a day. Or, in your example of the automated but 
arguably high assurance CA using smart cards, etc., the short time 
required to get a cert might be balanced by an increased likelihood of 
fraudulent applicants being detected and an increased risk of 
significant consequences arising from violations of national id laws.

The problem then is for the defender to say how much is
this cert worth?  The relying party and the cert owner
both have the same question.  Now, the question is *not*
totally answered by how much does it cost?  As I described
above, the cost of production of the cert is only a very
weak indicator of how much it is worth.
If by cost of production you mean marginal cost to the CA of issuing 
the cert (including variable costs, e.g., labor, plus amortized fixed 
costs) and by how much is it worth you mean something like my cost to 
the phisher relative to expected revenue then I'm with you, dude :-)

The best way to answer this is to ask how much the 

Re: Strawman proposal for SSL UI changes

[Frank Hecker]

Frank Hecker wrote re insurance related to certs:
However I think in practice this approach might be problematic, for a 
variety of reasons. First, CAs have much fewer economic incentives to 
care about relying parties (who aren't actually their customers) than 
they do about subscribers (who are the ones paying them). Second, even 
assuming that the cost of getting sued by relying parties is such an 
economic incentive, it's quite possible that lawyers for CAs would be 
easily able to blunt the impact of such suits, e.g., by pointing to 
contributory negligence on the part of the relying party and/or escape 
hatches for the CA. (You didn't view the certificate details and look 
at the certificate policy governing the certificate? You didn't read 
the relying party agreement, particularly the limitation of liability 
section? And so on.)
One very quick comment: The point I was trying to make here is that I 
think it's unlikely that relying parties who got phished would actually 
be able to recover damages from CAs, which causes problems for a 
market-based approach involving insurance. Similar reasons to those 
holding back Bruce Schneier's idea of improving the security of software 
via holding software vendors liable (with insurers then prodding vendors 
to clean up their act) -- the s/w vendors today have little or no 
(legal) reason to care, and no one in a position to do so (e.g., 
government) is forcing them to care.

Till later,
Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Duane]

Frank Hecker wrote:
* The only way to add new CAs or server certs or to change the default 
trust bits should be through the Firefox preferences UI or (perhaps) 
through a detailed certificate dialog reached by selecting an item from 
the dropdown menu associated with an informational message (if used). 
(This latter option would be similar to the Edit Popup Blocker Options 
menu item displayed for the blocked popups informational message.)
There was a bug on bugzilla for this and it has since been marked won't 
fix...

https://bugzilla.mozilla.org/show_bug.cgi?id=276827
You should also have a look at:
https://bugzilla.mozilla.org/show_bug.cgi?id=267515
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Jean-Marc Desperrier]

Frank Hecker wrote:
That pretty much completes my night-time excursion into the wonderful 
world of Firefox security UI discussions. Feel free to flame away.
A few days ago, I reached pretty similar ideas as a conclusion of the 
recent debatting, reinforced by remembering how valid the old SSL 
usability rant of Matthew Thomas was 
(http://mpt.phrasewise.com/2003/11/11), but had no time to describe it 
in a coherent and convincing way like you just did.

Just a few things :
- There's too many cases. Only experts are actually interested in why 
the site is not secure, just tell the general public that it's not, and 
you have to open the details windows to learn why.
So below I will discuss several ways of restricting the options to a 
minimum.

- I see two parts in this plan. One is introducting the 
high-assurance/low-assurance distinction, the older is removing all 
warning dialogs nobody reads least understand, and reflecting the 
insurance in the GUI.

There's quite a lot that can be debatted about the 
high-assurance/low-assurance distinction.
It might be good to implement first the second, and allow more time to 
think about what we want for the first.

- high-assurance is something new, I'd see a new icon.
I think the solution is an icon representing a vault, and not a lock for 
high-assurance. I think it's a symbol everyone understand the meaning 
of without explanation, and it means you don't need to tell some CA you 
removed them the 'lock' list, just that they don't meet the criterium 
for the new 'vault' list. We just need a good vault icon that doesn't 
look like something else for anybody.
That way, we can keep the  lock for the normal SSL case, and not change 
it's meaning with today.

- If we take apart the high-assurance/low-assurance distinction, I'd 
go even further than you.
I think the binary option is tempting.
It's secure, fully, or it's nothing, and the GUI doesn't show anything.

In any case, we need to limit the case as much as possible, so 
alternatively what I'd see is : nothing/a discreet check mark/lock.

The discreet check mark would be something usually people would not 
notice, it should fail look for the lock 
(http://www.gerv.net/security/stay-safe/), but it would keep people 
happy who would find it unfair that any error in the checking means 
there is nothing  in the GUI showing the communication is any different 
from ordinary http. Cliking the check mark would show the detail windows.

This said, I'd see a closed eye icon, rather than a check mark for this.
- About the non-matching cert name, many people misconfigure servers, 
it's not definitively showing an attack attempt. That's why, and also in 
order to limit the number of possible case, I'd just remove the warning 
(warning are bad, the blocked popups warning is less bad but is still 
bad), and display the normal GUI as if there's no encryption in that case.
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Re: Strawman proposal for SSL UI changes

[Ian G]

OK, sounds like fun :)  Following are some MINOR comments
that hopefully would improve the proposal ... I'll post
my two MAJOR comments under separate cover.
iang

Frank Hecker wrote:
Prompted by some comments by Gerv Markham, the following is an strawman 
proposal for changing the Firefox UI relating to web pages retrieved via 
SSL/TLS. It was created upon waking in the middle of the night, so 
please feel free to treat it with extreme skepticism :-)

(This is relevant to both n.p.m.security and n.p.m.crypto, so I'm 
cross-posting to both forums, but I'm setting followups to 
n.p.m.security to direct discussions to the wider audience associated 
with that forum.)

Briefly, the motivations behind this proposal are as follows:
1. Make the SSL/TLS UI as simple as possible, but not simpler.

I'm not as yet sure what you mean by the SSL/TLS UI ...
hopefully that will become clear.
(padlock?  edit/prefs/privacy?)
2. Acknowledge the typical user's expectation that the display of a 
padlock is something associated primarily with e-commerce or financial 
sites, and basically means it's safe for you to enter sensitive 
financial or other personal information on this page.

3. At the same time, allow for other legitimate uses of SSL/TLS beyond 
the traditional e-commerce/financial uses, and in particular promote 
wider use of SSL/TLS as a useful component of a comprehensive 
anti-phishing strategy.
OK.  (I've written on the goal of security elsewhere.)  It
would be desirable for Mozilla to adopt a goal of security.
At the moment, it is written about but not adopted.  If it
were adopted, we could then identify anti-phishing as a
clear and present danger to users and then pursue that
as a danger to be addressed.
Having a goal of security forces you to meet the goal.  This
helps because it separates out the distractions from the
important tasks.  In the above, promote wider use of SSL/TLS
is a distraction.  Only if it helps security should it be used,
as a tool.  Wider use might actually make things more insecure,
if employed like a hammer on all nails in sight.
Also (annoyingly) we need to differentiate between SSL, TLS,
HTTPS, S/MIME, certs, PKI... in any proposal.  I generally
use SSL to refer to the lot and TLS to refer to the raw
protocol, sans certs.  HTTPS as TLS+certs+browsing.
But others do not do that...

4. Eliminate or at least minimize SSL/TLS-related error messages and 
warning dialogs, particularly in cases where they are arguably not 
warranted based on the security risk relative to not using SSL/TLS at all.
OK.

5. Discourage typical users from modifying the default list of trusted 
CAs and certificates, in particular by adding new site or CA certs as 
warning dialogs pop up.

Discourage typical users ... Um.  That I'm unsure of.  The
user is king, or queen in cryptoterms.  It may be that the
browser cannot distinguish between user is told by boss
and user is told by phisher but that isn't really enough
to go on in.

Without further ado, here's the proposal:
* Retain the current Firefox UI when SSL/TLS is not used:

  - no padlock or other SSL/TLS-related indicator in status bar
  - location bar background is white
  - site domain name is *not* displayed in the status bar

This I agree with.  I note there is some preference to display
a site domain name even without SSL, as being this is where
you ended up.  If so, it should be a different colour or the
like.  But, I'd prefer it not to be there at all, for strategic
reasons.

* Retain the current normal case SSL/TLS Firefox UI:
  - display locked padlock in status bar
  - location bar background is yellow
  - site domain name from certificate is displayed in status bar
*but* reserve it for the cases where the site's certificate is a 
high-assurance certificate from a known CA. (Assume, at least for now, 
that we have a reasonable way to decide whether a given site certificate 
is high-assurance or low-assurance; see also below.)

OK.  Hopefully we also find out what assurance means :-)

We then add the following new SSL/TLS UI cases, for which we do *not* 
use the traditional padlock indicator in any form:

* SSL/TLS connection involving a low-assurance certificate from a 
known CA:

  - display check mark in status bar (instead of padlock)
  - location bar background may or may not be yellow (this is debatable)
  - site domain name from cert is displayed in the status bar

OK, so if we accept the assumptions (!) then I think you have
this about correct.  The status bar is (for me) Mozilla's
security display, so it should show the domain that the cert
says you got to.  This is valid regardless of the assurance
level, which displays something else.  The yellow location
bar is just another padlock for me, one that is easier to see.

* SSL/TLS connection involving a self-signed certificate or a 
certificate from an unknown CA:

  option 1:
  - display question mark in status bar (instead of padlock)
  - location bar background is white
  - site domain