Re: User effort

2005-06-20 Thread Ian G
On Sunday 19 June 2005 19:36, Heikki Toivonen wrote: Duane wrote: In the end they decided to try it and now they enter the website address of their bank each time (they don't use bookmarks or click on links in emails) to make sure they connect to the right site each time. So for them

Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Thread Ian G
On Sunday 19 June 2005 16:51, Amir Herzberg wrote: Hi, I noted that Citibank changed their login form at http://CitiBank.com. It now points you at the site: I followed the above to this: http://CitiBank.com/us/index.htm then clicked on * sign on to get to this: https://web.da-us.citibank.com/

Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Thread Ian G
On Sunday 19 June 2005 16:17, Ian G wrote: On Sunday 19 June 2005 16:51, Amir Herzberg wrote: Hi, I noted that Citibank changed their login form at http://CitiBank.com. It now points you at the site: I followed the above to this: http://CitiBank.com/us/index.htm then clicked on * sign

Re: User effort

2005-06-18 Thread Ian G
On Saturday 18 June 2005 22:22, Heikki Toivonen wrote: Ka-Ping Yee wrote: The important question is not whether there is effort involved but whether the amount of effort is reasonable and worth it. The thing is, even minimal effort when the perceived threat/payback is nil is too much. If

Re: Can'somebody tell me why SSL2 is still by default

2005-06-14 Thread Ian G
On this thread [EMAIL PROTECTED] said to me: One quick comment (I will likely respond in more detail later) - SSL V2 should now be off across our entire complex. If you know of any cases where we have specific servers that are still accepting V2 connections, please can you let me

Re: Is there a Mozilla security process?

2005-06-14 Thread Ian G
On Tuesday 14 June 2005 03:10, Tyler Close wrote: Hi Heikki, On 6/13/05, Heikki Toivonen [EMAIL PROTECTED] wrote: and are willing to pay for the chrome real estate it takes. I don't understand this complaint. The petname tool is *tiny*. It's just a text field. I've been thinking about

Re: Is there a Mozilla security process?

2005-06-09 Thread Ian G
On Wednesday 08 June 2005 23:22, Heikki Toivonen wrote: Ian G wrote: I've previously looked at the pages on /security/ for guidance and not found a way forward. I think we need more help from Mozilla in how to deal with this. This page speaks about the security bug group. Now in my

Re: Is there a Mozilla security process?

2005-06-09 Thread Ian G
On Thursday 09 June 2005 00:16, Gervase Markham wrote: Ian G wrote: OK, so I hope you don't mind but I have to suggest that this approach is a mistake, IMO. What is required here is experimentation. Move forward and if it fails then rip it out and say sorry. So what? It's hardly

Re: Is there a Mozilla security process?

2005-06-08 Thread Ian G
Hello David, On Wednesday 08 June 2005 14:44, L. David Baron wrote: On Wednesday 2005-06-08 14:30 +0100, Ian G wrote: So here's the question: Who's dealing with phishing in Mozilla? Discussion below, ending in the question. On Tuesday 07 June 2005 03:11, Tyler Close wrote: I've

Re: Is there a Mozilla security process?

2005-06-08 Thread Ian G
On Wednesday 08 June 2005 16:38, Mike Shaver wrote: Ian G wrote: Petname hasn't to my knowledge any testing done in a proper sense on naive users. Trustbar has, and it shares the same roots in security theory. The results were positive, although the tests were done in small numbers

Re: Is there a Mozilla security process?

2005-06-08 Thread Ian G
On Wednesday 08 June 2005 07:21, Heikki Toivonen wrote: http://petname.mozdev.org/ I briefly checked it out. It is certainly interesting. It looks like a variation of the theme where users and the browser share a common secret (in this case user written text, in some other proposal user

Re: Can'somebody tell me why SSL2 is still by default

2005-06-01 Thread Ian G
On Wednesday 01 June 2005 19:01, Gervase Markham wrote: Duane wrote: This is especially important for web related uses as you could also send the hostname you wanted to connect to before doing the handshaking, which means if a server has 50 certificates to choose from, and you send a

Re: Firefox users are worried about phishing: 60,000 downloads in hours

2005-05-28 Thread Ian G
On Saturday 28 May 2005 02:14, Tyler Close wrote: On 5/27/05, Ian G [EMAIL PROTECTED] wrote: And, both petname and trustbar were roundly rejected by the Mozilla security community. Strike two. My understanding was that no one on this list has the authority to introduce a new tool

Re: Firefox users are worried about phishing: 60,000 downloads in hours

2005-05-28 Thread Ian G
On Saturday 28 May 2005 11:46, Duane wrote: Ian G wrote: The free toolbar, released Tuesday, was downloaded more than 60,000 times within hours of its release, according to Netcraft Internet Services Developer Paul Mutton. Actually I meant to comment on this specifically before

Re: Firefox users are worried about phishing: 60,000 downloads in hours

2005-05-27 Thread Ian G
On Friday 27 May 2005 06:04, Nelson B wrote: Duane wrote: Ian G wrote: Firefox users snap up Netcraft's antiphishing toolbar Netcraft's toolbar blocks access to reported phishing sites I grabbed it, tried it and promptly uninstalled it based on how much information was leaking like

Re: One cannot rely on a revocation?

2005-05-26 Thread Ian G
Thanks to you all for taking the time for discussing this. Earlier, Nelson said: ... I imagine you see it as another for your growing list of potentially fatal PKI flaws. Yes, it is important to get the case down in writing, as future designers and architects need to learn the lessons of the

Firefox users are worried about phishing: 60,000 downloads in hours

2005-05-26 Thread Ian G
http://www.infoworld.com/article/05/05/26/HNfirefoxnetcraft_1.html Firefox users snap up Netcraft's antiphishing toolbar Netcraft's toolbar blocks access to reported phishing sites By Scarlet Pruitt, IDG News Service May 26, 2005 Users of the Firefox Web browser have been flocking to

Re: Firefox users are worried about phishing: 60,000 downloads in hours

2005-05-26 Thread Ian G
On Friday 27 May 2005 01:21, Duane wrote: Ian G wrote: Firefox users snap up Netcraft's antiphishing toolbar Netcraft's toolbar blocks access to reported phishing sites I grabbed it, tried it and promptly uninstalled it based on how much information was leaking like a submarine

Re: Improving Authentication on the Internet

2005-05-25 Thread Ian G
On Wednesday 25 May 2005 19:14, Anne Lynn Wheeler wrote: Nelson B [EMAIL PROTECTED] writes: Ah, I was wondering when paradoxes would enter this discussion. CA self revocation: Everything I say is a lie. I think not said Descartes, who promptly vanished. the original scenario was that

One cannot rely on a revocation?

2005-05-25 Thread Ian G
On Wednesday 25 May 2005 20:27, Julien Pierre wrote: By signing a CRL that does not include a particular cert's serial number, or by signing an OCSP response that says this cert's serial number is still valid, a CA makes the statement that the cert in question is not revoked. Surely not!

Re: Revoking the Root

2005-05-24 Thread Ian G
On Tuesday 24 May 2005 14:05, Jean-Marc Desperrier wrote: Julien Pierre wrote: I'm saying the standard defines no way to revoke a lost CA root, because it doesn't make sense. When a root is compromised, there is no PKI standard that can fix this. To be precise, the standard says that path

Revoking the Root

2005-05-21 Thread Ian G
On Saturday 21 May 2005 00:41, Julien Pierre wrote: Ian, Ian G wrote: But OCSP/CRL can not help in case of *root* cert compromise. There's nothing above it to sign the validity information. Can't it revoke itself? This is priceless and one for the books. This statement shows that you

Re: Revoking the Root

2005-05-21 Thread Ian G
On Saturday 21 May 2005 17:46, Ram A Moskovitz wrote: If a root key is compromised and a certificate status server responds as such the only way to undo the revocation is for the bad guy with the private-key to prevent access to the responder, or spin up a new one which answers differently

Re: Improving Authentication on the Internet

2005-05-20 Thread Ian G
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote: Gervase Markham wrote: Er, given that we have no OCSP and no-one's checking CRLs, I think losing a root cert which is embedded in 99% of browsers out there would be an _extremely_ big deal. But OCSP/CRL can not help in case of

Re: Invalid banking cert spokes only one user in 300

2005-05-18 Thread Ian G
On Wednesday 18 May 2005 07:24, Nelson B wrote: Ian G wrote: In practice, sites see HTTPS as a cost, and a barrier. It doesn't provide any protection that they *need* although this might be less true in the future and for big sites. So, you're saying they don't need encryption

Re: Invalid banking cert spokes only one user in 300

2005-05-18 Thread Ian G
List out your threats. Then validate them - measure them. Make sure they are actually present and causing damage before spending a dime on protecting against them. How about I do just that... This is just a couple of things from the past week or so... Report just out on sys admin

Re: Invalid banking cert spokes only one user in 300

2005-05-16 Thread Ian G
On Monday 16 May 2005 08:03, Michael Vincent van Rantwijk wrote: Duane wrote: http://computerworld.co.nz/news.nsf/UNID/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocumentpub=Computerworld Up to 300 BankDirect customers were presented with a security alert when they visited the bank's website

Re: Extensions as a security risk [Re: More Phishing scams, still no SSL being used...]

2005-05-15 Thread Ian G
On Sunday 15 May 2005 04:14, Anthony G. Atkielski wrote: Ian G writes: By way of comparison, in the same time frame, my company chose Java for desktop clients for security reasons, and even though our result is much more secure and robust, we can't get people to install Java without

Re: Extensions as a security risk [Re: More Phishing scams, still no SSL being used...]

2005-05-14 Thread Ian G
On Saturday 14 May 2005 13:03, Anthony G. Atkielski wrote: Jaqui Greenlees writes: any extension to a browser should by default be marked as insecure. or the developers of the browser could be held liable for damages for not marking it as such. ( flash included ) I agree. And they

Re: Extensions as a security risk [Re: More Phishing scams, still no SSL being used...]

2005-05-12 Thread Ian G
On Thursday 12 May 2005 05:17, Anthony G. Atkielski wrote: Jean-Marc Desperrier writes: Alternate solution : An established list of tier 1 essential extensions that you can trust fully for that level of attention. If they are essential, they should not be extensions. Perhaps routine

Re: Improving Authentication on the Internet

2005-05-12 Thread Ian G
On Thursday 12 May 2005 06:19, Duane wrote: Actually the funniest thing was said the other day, Mark Shuttleworth came out and said the root certificate for Thawte was kept in his underpants drawer for the first 2 years of operation. Needless to say the audience was in stitches over that one...

Re: Improving Authentication on the Internet

2005-05-12 Thread Ian G
On Thursday 12 May 2005 13:28, Duane wrote: Ian G wrote: The most important thing that the browser UI can do is to promote more SSL. If twice as many people use SSL but it has a slight vulnerability, that's much better than a perfect system that is only used by half as many. I agree

Re: Improving Authentication on the Internet

2005-05-11 Thread Ian G
On Tuesday 10 May 2005 18:09, Jean-Marc Desperrier wrote: Gervase Markham wrote: As an example (and I don't know of anyone who is actually suggesting this), what if we made all CAs who issued non-zero accountability certs post a $1,000,000 bond against losses from phishing attacks performed

Re: Improving Authentication on the Internet

2005-05-11 Thread Ian G
On Wednesday 11 May 2005 02:05, Ram A Moskovitz wrote: Gerv, are you or MF required to sign an NDA of any kind to attend? A good point! And one that shouldn't have needed to be asked, but given recent revelations about Mofo's private revenue arrangements (for good or for bad), I guess this is

Re: Certificate information in Firefox

2005-04-20 Thread Ian G
Frank Hecker wrote: Gervase Markham wrote: Have I missed something, or is the Security tab missing from the Page Info dialog in Firefox 1.0.x? Is there any way to see the contents of the cert securing the site you are on? I just tested this on Firefox 1.0.3 for both Windows XP and OS X against

Re: AOL uses anti-phishing blacklist from Cyota

2005-04-20 Thread Ian G
Frank Hecker wrote: I thought this was interesting: http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369 The basic summary: AOL will try to block AOL members' attempts to connect to phishing sites, using a blacklist of suspected phishing sites provided by Cyota

Re: Mark of the web considered harmful

2005-04-19 Thread Ian G
Nigel McFarlane wrote: Microsoft does not support the web. Microsoft knows all this and wants to sell products. The way to sell products to the web sector is to have an alternative that's better than the web. Relevant here, the mark of the web is just one way that Microsoft can clearly

Re: Low security SSL sites

2005-04-18 Thread Ian G
Jaqui Greenlees wrote: Peter Gutmann wrote: You can see where the magic-numbers problem has lead with the magic number 128. Provided that you mention this magic number somewhere in your marketing literature, your product will be regarded as secure no matter how bad it is in practice. ~snip~

Re: Low security SSL sites

2005-04-18 Thread Ian G
Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelin stars would be a perfect example. The users would see the Michelin man, and the

Re: Low security SSL sites

2005-04-18 Thread Ian G
Nelson B wrote: [here I have snipped an old message of mine that says that SSL2 servers are hindering the rollout of new optional TLS extensions. ] Ian, how is that stopping people from using encryption? Correct me if I am wrong, but it means that the virtual hosts capability in newer versions

Re: Low security SSL sites

2005-04-18 Thread Ian G
Ka-Ping Yee wrote: On Mon, 18 Apr 2005, Ian G wrote: Gervase Markham wrote: It's like Michelin stars. You probably have to cook better food these days to get 3 stars for your restaurant than you did in the 30s, but three stars still means the best available. Michelin stars would be a perfect

Re: Possible security policy for local disk access

2005-04-16 Thread Ian G
Nigel McFarlane wrote: [long post] Indeed. My sense of the problem is below. Please correct where I got it wrong. There are two worlds, the web and the disk. The assumption is that the web is untrusted and the disk is trusted **. Anything that is stored on the disk is thought to be secure,

Re: Problems with displaying Organisation field

2005-04-15 Thread Ian G
Gervase Markham wrote: Ian G wrote: That would be incomplete :) What you should say is that Gervase thinks GeoTrust certs are not suitable for commerce! If you want to be like that, then the correct text is: If you put your CC number into here and get ripped off, there's no possible way you

Re: Low security SSL sites

2005-04-15 Thread Ian G
Gervase Markham wrote: Ian G wrote: I'd say 40 bit is good enough for banking, and 128 bit is good enough for banks :-) As the TLS people have now added a 256 bit protocol suite, they no doubt think that only 256 should be used by banks... I think you may have missed my point, which

Re: Problems with displaying Organisation field

2005-04-15 Thread Ian G
Gervase Markham wrote: ...I'm saying that we need to assess certs according to how likely it is that we can trace the cert back to a real individual, not as to how the data required for such tracing was gathered. OK, the answer to that is reasonably likely if the person doesn't care, and

Re: Problems with displaying Organisation field

2005-04-15 Thread Ian G
Gervase Markham wrote: Ian G wrote: OK, I'll accept that. So your message for the good certs is what? If you put your CC number into here and get ripped off, it might be possible for you to find the guy who did it. Just about. As a consumer, I'd be happier with that than Hey, if you

Re: Problems with displaying Organisation field

2005-04-15 Thread Ian G
Gervase Markham wrote: Of course, we might be able to make it work by reducing the number of CAs to (say) 8... The market works all this out. There will be some settling. In each country there will be like 1-3 big national brands. Then there will be the globals, the Intels of certification,

Re: Low security SSL sites

2005-04-15 Thread Ian G
Nelson B wrote: Ian G wrote: (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping people elsewhere using crypto. What are you talking about? This one: Nelson B wrote: Julien Pierre wrote: There is a TLS extension called server name indication. It is currently not implemented by NSS

Re: Low security SSL sites

2005-04-14 Thread Ian G
Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent or something. Putting

Re: Low security SSL sites

2005-04-14 Thread Ian G
Duane wrote: Ian G wrote: Peng wrote: That may instead annoy them sufficiently that they switch back to IE, if they need to visit the site a lot. Personally, I didn't used to think to contact a website if there was a problem. I just ignored it or went to another website or spoofed my user agent

Re: Problems with displaying Organisation field

2005-04-14 Thread Ian G
Gervase Markham wrote: [EMAIL PROTECTED] wrote: So we created a new type of automated certificate that focuses on proof of domain control in real time combined with real time email and telephone validation and sophisticated fraud-detection algorithms. I'd be interested in hearing more about the

Re: Problems with displaying Organisation field

2005-04-14 Thread Ian G
Gervase Markham wrote: Ian G wrote: Why are you requiring that of GeoTrust? What happens if they don't provide that service? Then the browser UI I write doesn't mark their certs as suitable for commerce :-) That would be incomplete :) What you should say is that Gervase thinks GeoTrust

Re: Two downbeat articles on browser security

2005-04-13 Thread Ian G
Jean-Marc Desperrier wrote: Ian G wrote: http://www.ebcvg.com/articles.php?id=673 Mozilla: The Honeymoon is over Well, this time it's the analysis by the expert who's selling antivirus/http filters. Unfortunately, many will fail to his incredibly specious assessments about the recent

Re: Low security SSL sites

2005-04-12 Thread Ian G
Duane wrote: Peter Gutmann wrote: You may as well name 'em since it's fairly well known, it's Verisign (yes, the Actually another one, so that makes 2 of them (at least)... Duane, Either you are working for some company and you have a conflict of interest that stops you doing security work. Or

Two downbeat articles on browser security

2005-04-12 Thread Ian G
http://www.techworld.com/security/news/index.cfm?NewsID=3468 SSL 'security' aiding online fraud http://www.ebcvg.com/articles.php?id=673 Mozilla: The Honeymoon is over -- News and views on what matters in finance+crypto: http://financialcryptography.com/

Re: Two downbeat articles on browser security

2005-04-12 Thread Ian G
Duane wrote: Ian G wrote: http://www.techworld.com/security/news/index.cfm?NewsID=3468 SSL 'security' aiding online fraud Considering the experts giving these claims are trying to sell more expensive certs, I'm going to take it with a grain of salt until more attacks hitting my inbox really do

Re: Problems with displaying Organisation field

2005-04-12 Thread Ian G
Ka-Ping Yee wrote: This is further evidence that we cannot rely on CAs to maintain clear uniqueness of certificates, and that we must enable users to establish trust relationships without having to depend on CAs. Certainly, relying on the CAs to maintain any uniqueness amongst the entire set is a

Re: Problems with displaying Organisation field

2005-04-12 Thread Ian G
Ian G wrote: I've just upgraded my Firefox to 1.0.2 and this time the FreeBSD version handles plugins, so I installed both of them. Unfortunately petname doesn't appear. OK, Ping just fixed me up there, it had to be dragged from the palette. Now it's sitting there and I have petnamed two of my

Re: Problems with displaying Organisation field

2005-04-12 Thread Ian G
Frank Hecker wrote: Gervase Markham wrote: ...and there's a white paper which goes into more depth. http://geotrust.com/resources/white_papers/pdfs/SSLVulnerabilityWPcds.pdf Hey Ian, they read your blog :-) See the footnote to page 11 (page 13 in the PDF). Indeed, I just got to that part

Re: Low security SSL sites

2005-04-05 Thread Ian G
Ram A M wrote: If one wanted to achieve a useful distinction, then I suggest warning when an SSL v2 protocol site is struck, as at least then a real issue is being addressed. I have SSL2 disabled and AFAIK it has not limited my access to sites in a long time. Perhaps it is time to retire SSL2 in

Re: Low security SSL sites

2005-04-04 Thread Ian G
Jean-Marc Desperrier wrote: I'm surprised nobody has said until now that there's already such a warning dialog for 40 bit crypto (at least in the suite, maybe FF removed it). I don't believe 512 RSA keys trigger it, though. 512 bit keys are a lot stronger than 40 bit, they are more like about

Re: Low security SSL sites

2005-04-04 Thread Ian G
Gervase Markham wrote: Ian G wrote: Why not just put the number of crypto bits on the status bar, next to the site name, CA name and padlock? I'm surprised at you, Ian. I would have thought the reason was obvious :-) It could be blindingly obvious to others ... but it's not to me! In Opera

Re: Low security SSL sites

2005-04-04 Thread Ian G
Gervase Markham wrote: Ian G wrote: It could be blindingly obvious to others ... but it's not to me! Because 99.99% of users will have no idea what the numbers are, nor will they have any ability to make sensible decisions based on them. Well, they are generally in a much better position to make

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-29 Thread Ian G
Julien Pierre wrote: Hmm, ok, well I suppose that's true as an assumption, and looking at Account / Settings ... the cert that is now selected to sign for this email address is *not* for this email address. This may explain why it didn't in the end sign for this email ;-) File a bug on the UI -

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-29 Thread Ian G
Julien Pierre wrote: Thus, for individual users' self-signed certs to work, everybody would need to blindly trust everybody else's individual cert. I don't see how you expect that to actually be workable. I'd just consider it a step better than unprotected email. It's what you get for free,

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-26 Thread Ian G
J. Wren Hunt wrote: -BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Ian G wrote: | So now I have to figure out how to find a cert for | this email address. Now given that it took like | 10 minutes of clicking around by an expert in the | CA's business to do with the one cert I've got, I'm

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-26 Thread Ian G
J. Wren Hunt wrote: -BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Ian G wrote: | | Right, but considering that this is *email* | and CAs are simply some optional extra to do | with commercial users (and we saw what they | want) then when it comes to *email* there is | no need to bash anyone's

Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-25 Thread Ian G
Financial Cryptography Update: Digitally-Signed Mail in e-Commerce - FC05 survey March 25, 2005 http://www.financialcryptography.com/mt/archives/000414.html

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-25 Thread Ian G
J. Wren Hunt wrote: Ian G wrote: | |snip I recently installed a good cert into my Thunderbird and I | still cannot send out signed or encrypted email using S/MIME (I forget | why). | Are you being facetious here? Nope, I tried to get it going a couple of weeks ago, and the interface has too many

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-25 Thread Ian G
Hi Julien, Julien Pierre wrote: Ian, Ian G wrote: For encryption, just now I tried again, and I may have figured out the problem: it requires me to select a certificate, which wasn't obvious the first time I went through the various dialogues; it should just automatically select the one cert

Re: Thunderbird S/MIME guys - Digitally-Signed Mail in e-Commerce - FC05 survey

2005-03-25 Thread Ian G
Ian G wrote: Hmm, ok, well I suppose that's true as an assumption, and looking at Account / Settings ... the cert that is now selected to sign for this email address is *not* for this email address. This may explain why it didn't in the end sign for this email ;-) Well, I just tried it from

Re: Password field check characters?

2005-03-24 Thread Ian G
Gervase Markham wrote: Ian G wrote: Solving password loss is a big issue, support departments put this as one of their biggest problems. So addressing it at the browser is probably worthwhile. I'm not quite sure what you mean by solving password loss. Are you suggesting this feature will help

Re: about bug 286107 : Remember visited SSL details and warn when changes, like SSH

2005-03-21 Thread Ian G
Frank Hecker wrote: Ian G wrote: Nelson B wrote: Having bought his first cert from CA X, if he ever buys a cert from CA Y instead, all his users will be alarmed. This gives CA X opportunity to charge ever higher prices for cert renewals. In practice this would be the case, if the users decided

Re: Strawman proposal for SSL UI changes

2005-03-21 Thread Ian G
Gervase Markham wrote: Ram A M wrote: Showing the name of the company may. Showing firstbankofsomewhere.sometld is not as reliable as showing First Bank of Somewhere as the organization name. I note your example includes a geographical location; not many business names do. How many First Banks

[Fwd: Re: $90 for high assurance _versus_ $349 for low assurance]

2005-03-20 Thread Ian G
Original Message Subject: Re: $90 for high assurance _versus_ $349 for low assurance Date: 16 Mar 2005 23:17:59 - From: John Levine [EMAIL PROTECTED] Organization: I.E.C.C., Trumansburg NY USA To: cryptography@metzdowd.com CC: [EMAIL PROTECTED] John, thanks for this

Re: about bug 286107 : Remember visited SSL details and warn when changes, like SSH

2005-03-20 Thread Ian G
Nelson B wrote: Ram0502 wrote: Ian G wrote: This is something that Julien brought up and Amir addressed by setting the border at the CA. As the user identifies a particular CA as good, the security app module accepts any cert from that CA. Nice practical solution. Except that it creates

Re: Strawman proposal for SSL UI changes

2005-03-18 Thread Ian G
Benjamin D. Smedberg wrote: Gervase Markham wrote: The chances of this sort of change to the address bar are near-zero. But have you seen the new domain indicator in Firefox 1.0 and above? What new domain indicator? In Firefox 1.0, when the SSL connection is established without any problems,

Re: [Bug 286107] Remember visited SSL details and warn when changes, like SSH

2005-03-17 Thread Ian G
Again, I think Nelson brings up points better off transferred to the wider forum rather than within the narrow context of the bug. [EMAIL PROTECTED] wrote: https://bugzilla.mozilla.org/show_bug.cgi?id=286107 --- Additional Comments From [EMAIL PROTECTED] 2005-03-16 13:33 PST --- Above, I

Re: Strawman proposal for SSL UI changes

2005-03-17 Thread Ian G
Gervase Markham wrote: On a related point, can we perhaps use this new high/low assurance bit in the cert store as something to hang cert revocation off? If you want to be in the high assurance store, you have to have a working OCSP server defined in your certs, or something like that? That

Goals, Worldviews, Policies

2005-03-16 Thread Ian G
Nelson just posted a bug comment, but I think the response and discussion of the points he raised are too broad for that bug, so I'll move them here, if nobody minds. I have two points to make here - the reality of the CA trust decision, and the goal. [EMAIL PROTECTED] wrote:

Re: about bug 286107 : Remember visited SSL details and warn when changes, like SSH

2005-03-16 Thread Ian G
Ram A M wrote: I think there is value in the concept but it has a major failing from a usability perspective that falls out of data center operational practices. How many webservers do you think a big bank has? Some folks use SSL accelerators in front of their web-server or app-server farm, some

Re: Some Non-Critical Secunia Advisories

2005-03-15 Thread Ian G
Nate wrote: ...and it occurs to me yet once again, that one big reason for the proliferation of spam, spyware, viruses and on and on ad nauseum is that the bad guys hardly ever suffer any punishment. It's like burglars being allowed to try as many doors as they want to. Yup. And, no matter how

Re: Padlocks as Evidence of Security?

2005-03-14 Thread Ian G
Gervase Markham wrote: Er... which paper? The link was at the bottom, here it is again: http://www.ischool.washington.edu/networksecurity/Articles/Web_Security.pdf And if still keen, read this one: http://www.ischool.washington.edu/networksecurity/Articles/Risks_Harms_Web.pdf Also, while we are on

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-13 Thread Ian G
assurance _versus_ $349 for low assurance Date: Sun, 13 Mar 2005 19:15:13 -0500 From: R.A. Hettinga [EMAIL PROTECTED] To: Ian G [EMAIL PROTECTED], cryptography@metzdowd.com CC: John Gilmore [EMAIL PROTECTED], mozilla-security@mozilla.org References: [EMAIL PROTECTED] [EMAIL PROTECTED] At 9:24 PM + 3

Re: certificate handling feature idea

2005-03-12 Thread Ian G
J. Greenlees wrote: why not add the ability to permanently reject a certificate? such as a cert from an advertising company? ( for some reason I get a cert error for a cert from www.ad-space.net ) Why would an advertising company use a cert? the cert itself is fine, the issuing authority is one

Re: Strawman proposal for SSL UI changes

2005-03-11 Thread Ian G
OK, sounds like fun :) Following are some MINOR comments that hopefully would improve the proposal ... I'll post my two MAJOR comments under separate cover. iang Frank Hecker wrote: Prompted by some comments by Gerv Markham, the following is an strawman proposal for changing the Firefox UI

Re: dodgy certs and big companies

2005-03-11 Thread Ian G
Duane wrote: Ian G wrote: Right, another obstacle. If all countries had hard ID like some of the Europeans had, *and* this was an international standard like the US wants with passports, then this might help. A lot of people in Australia and other countries never get passports... I've also

$90 for high assurance _versus_ $349 for low assurance

2005-03-11 Thread Ian G
In the below, John posted a handy dandy table of cert prices, and Nelson postulated that we need to separate high assurance from low assurance. Leaving aside the technical question of how the user gets to see that for now, note how godaddy charges $90 for their high assurance and Verisign charges

Re: possible general solution to homograph attacks

2005-03-10 Thread Ian G
Gervase Markham wrote: Michael Roitzsch wrote: If I understand things correctly, you want to have the browser maintain a sort of whitelist of domains the user trusts. Whenever the browser encounters a new SSL domain, the user is asked, if she wants to include it in the list of trusted domains.

Re: Detecting CC numbers

2005-03-10 Thread Ian G
Gervase Markham wrote: Idea off the top of my head - please tell me why it won't work. Could we parse all form submissions over unencrypted channels and put up an alert (You _really_ don't want to do this!) if any of the fields was a sixteen-digit number which passed the credit-card-number

Re: Long Term IDN/punycode spoofing strategy concept

2005-03-05 Thread Ian G
Gervase Markham wrote: Ian G wrote: Yup. Go through their logs, pull out all the URLs that are cached there, and run them through the hash. Er... if the URLs are available in plain text in their logs (I presume you mean history), then there's no need for them to reverse the hash. They can

Re: Long Term IDN/punycode spoofing strategy concept

2005-03-03 Thread Ian G
Gervase Markham wrote: HJ wrote: You can hash a particular domain and say has the user visited https://www.foo.com?; (which is the question the browser needs to know to do the new site indicator). But you can't say give me a list of all the domains they visited. In a perfect world maybe, but

Re: Naming sites so the user can choose trust relationships

2005-03-02 Thread Ian G
Ka-Ping Yee wrote: How does a user know that Paypal GmbH or Paypal Ltd is not the same as Paypal, Inc, without being able to compare the two? Company names are not global. It depends on the CA's policies. It would be nice to have a trustworthy CA tell me that i'm dealing with the company

Re: Long Term IDN/punycode spoofing strategy concept

2005-02-28 Thread Ian G
HJ wrote: Nelson B wrote: HJ wrote: Having troubles reading the text, try this one: http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg First of all, i've just updated my screenshot:

Re: New EU requirement to display monetary limits for SSL pages

2005-02-28 Thread Ian G
Jean-Marc Desperrier wrote: Ian G wrote: [...] OK, that's good to know that there is no number involved. That just leaves us with determining what information *is* in this cert, and how it is that it needs to be presented to the user, and what the legal and contractual ramifications of all

Opera adds cert information on the chrome to battle spoofing

2005-02-26 Thread Ian G
Opera Battles Spoofing in Latest Beta Release February 25, 2005 By Matt Hicks Responding to the rise of a spoofing flaw in Web browsers, Opera Software ASA has released a second beta release of its next browser with extra security features. The newest Opera beta, made available on Friday,

Re: New EU requirement to display monetary limits for SSL pages

2005-02-25 Thread Ian G
Jean-Marc Desperrier wrote: Ian, I have not much time now, but the hungarian cert in question is *not* using the monetary limit extension, only the extension to say it is a qualified certificate, which consists just of an OID and is therefore easy to parse. OK, that's good to know that there

Re: New EU requirement to display monetary limits for SSL pages

2005-02-24 Thread Ian G
Gervase Markham wrote: Ian G wrote: What happens if IangInsidiousIssues sells certs with the crit in it saying $100,000 but inside the crit text, there is a caveat saying that the limit only applies if spent in my shop buying my goods? There's crit text too? It's not just a monetary value

Re: Encouraging encryption

2005-02-24 Thread Ian G
J. Greenlees wrote: 3. Consider these three cases: (a) Unencrypted connection. (b) SSL connection with a self-signed certificate. (c) SSL connection with a certificate signed by a known CA. Of these three options, (a) is the riskiest context in which to submit an HTML form; (b) and

Re: Domain spoofing (and a personal greeting)

2005-02-23 Thread Ian G
hi Ping, I have a different perspective on the Shmoo thing, below. Ka-Ping Yee wrote: When i asked what happened, i meant that i'd like to know the story of how IDN support got added to Firefox in the first place. (Sorry i wasn't so clear.) Were security folks aware that it was being added? Did
