- From: Phillip Hallam-Baker <phill@hallambaker.com>
- Date: Mon, 17 Nov 2014 08:13:52 -0500
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Mon, Nov 17, 2014 at 7:56 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote: > -------- > In message <5469EE2F.2020108@zinks.de>, Roland Zink writes: > > Actually I think the most important part is this: > >>>> Encryption >>>> should be authenticated where possible, but even protocols providing >>>> confidentiality without authentication are useful in the face of >>>> pervasive surveillance as described in RFC 7258. > > Will browsers finally stop treating self-signed-certs as if they > were highly radioaktive ? The situation highlights many problems with the way people think about security. I have been arguing that browsers should simply accept self signed certs without comment (or a padlock icon) for years now. Its like the old AOL/2.0 version of S/MIME 'WARNING THIS EMAIL IS DIGITALLY SIGNED'. Security usability is a lot easier than people imagine, it mostly involves not doing things that are ridiculous. The security signal in TLS is there to tell the user that the connection is authenticated. If the connection is only weakly authenticated or not authenticated then there should be no signal unless there was some reason (e.g. pinning) to expect better authentication. Another area where people go wrong is making security by analogy arguments in place of a security analysis. The consequences of this can be seen on all those Web forms where someone has dumped a CAPTCHA onto the UI for no other reason than to make themselves look clever. Rather than arguing that 'X is as good as Y which gets the security signal', folk need to ask if Y should have got the security signal in the first place.
Received on Monday, 17 November 2014 13:14:23 UTC