W3C home > Mailing lists > Public > public-usable-authentication@w3.org > April 2007

Re: DNSSEC indicator

From: Mike Beltzner <beltzner@mozilla.com>
Date: Thu, 26 Apr 2007 12:46:41 +0000
Message-ID: <960861600-1177591672-cardhu_blackberry.rim.net-1567906371-@bwe005-cell00.bisx.prod.on.blackberry>
To: "Dan Schutzer" <dan.schutzer@fstc.org>, public-usable-authentication-request@w3.org, sthomas2@ups.com, public-usable-authentication@w3.org
How is safe-mode substantially different from the "security zone" model employed (and unused) in current browsers?

Do you think there are times when users don't want to be safe?


-----Original Message-----
From: "Dan Schutzer" <dan.schutzer@fstc.org>
Date: Thu, 26 Apr 2007 08:31:41 
Subject: RE: DNSSEC indicator

That is why I would combine these indicators with a Safe Web Browsing Mode
and not rely on users paying attention and understanding all the indicators
- just that when they want to be really safe, they are willing to exclude
all but a selected set of sites that they really care about security and
privacy with and which are compliant with the needed security safeguards

-----Original Message-----
From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of
Sent: Thursday, April 26, 2007 8:20 AM
To: public-usable-authentication@w3.org
Subject: RE: DNSSEC indicator

Dick is quite right. DNSSEC could indeed provide another tool in the
toolbox to make sure that the network is doing what the user really
wants. My issue, though, is elevating the DNSSEC status to a
human-visible indication. The more indicators that are displayed to a
user, the less likely the user is to pay attention to them. Research is
already showing that users are ignoring the indications that browsers
give them today. For that reason, browser designers need to be very
parsimonious in displaying security indications and focus on showing
information that is really important. Given the relative rarity of
attacks involving improper name resolutions, a DNSSEC indication would
not seem to have enough value to justify its use.


-----Original Message-----
From: Dick Hardt [mailto:dick@sxip.com] 
Sent: Thursday, 26 April 2007 8:10 AM
To: Thomas Stephen (SKD8YPG)
Cc: public-usable-authentication@w3.org
Subject: Re: DNSSEC indicator

There is unlikely to be a single silver bullet that solves *all* the  
issues. It is useful to know that the client really is connected to  
www.micros0ft.com if that is what the client wants to connect to.

DNSSEC is not going to solve social phishing attacks, but it does  
enable other technology such as CardSpace etc. to have increased  
certainty on what is going on.

-- Dick

Received on Thursday, 26 April 2007 12:48:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:16 UTC