
Re: ACTION-240 :TLS errors...

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 09 Jul 2007 13:33:36 -0400
Message-ID: <46927170.10102@cs.cmu.edu>
To: michael.mccormick@wellsfargo.com
CC: stephen.farrell@cs.tcd.ie, wdoyle@mitre.org, tlr@w3.org, public-wsc-wg@w3.org

How is the risk that much greater for a self-signed certificate than a 
standard CA-signed one?  Since a certificate can be purchased for $20, a 
self-signed cert is effectively as secure.  Now, what about expired 
certificates?  Can anyone really argue that an expired certificate is 
riskier than a self-signed one?  I would argue that most of the current 
SSL-related warning messages have little impact on the user's security. 
The only current browser error with regard to certificates that 
should actually be meaningful is if a certificate has been revoked.

Most of the current errors can be eliminated.  I think the only one that 
we need to consider for most users is revocation.


michael.mccormick@wellsfargo.com wrote:
> This is where the risk aspect becomes important.  A site with a SSC is
> fine for blogging but probably not for conducting financial
> transactions.  The user needs advice regarding the risk of a TLS error
> versus the risk of the transactions s/he plans to conduct on the site.
> Mike 
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
> Sent: Monday, July 09, 2007 11:58 AM
> To: McCormick, Mike
> Cc: wdoyle@mitre.org; tlr@w3.org; public-wsc-wg@w3.org
> Subject: Re: ACTION-240 :TLS errors...
> michael.mccormick@wellsfargo.com wrote:
>> Hi Bill,
>> 1. A current fundamental problem IMO is web agents display security 
>> errors without providing the user with any means to interpret them 
>> from a risk perspective.  Most users don't want to know technical 
>> details of a TLS error; they want to know what the risk implication 
>> is.  So I certainly hope it's within WSC scope to make a 
>> recommendation in this area.
>> 2. A self-signed cert that causes an error message by definition was 
>> not issued by a trusted authority.  Should users trust web sites to 
>> act on their own behalf as certificate authorities?  It's an 
>> interesting question.  One has to keep in mind that a malicious https 
>> web site is probably going to use a SSC.  Whereas the only reason a 
>> benign web site should use a SSC is economic; to avoid the cost of 
>> paying money to VeriSign et al.  Maybe the world needs a free but 
>> trustworthy CA, but that problem is outside WSC scope.  I think we can
>> say the presence of a SSC indicates somewhat higher risk than a TLS 
>> cert issued by a reputable trusted CA.
> While I sympathise, I'm not sure I agree.
> How many times are phishes directed to hacked servers? Surely many of
> those have good server certs?
> So, I don't agree that an SSC means "more risky" in general.
> However, for someone claiming to be a bank or commerce site then
> correct. For a "community" site, I don't think the SSC determines risk
> at all well.
> S.

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
Received on Monday, 9 July 2007 17:35:11 UTC
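The thread above argues about how a client should present three distinct certificate failures: an issuer the client does not trust (a self-signed certificate is the common case), a certificate outside its validity window, and a certificate the issuing CA has revoked. The following Go program, written for this archive page and not part of the original discussion or of any participant's code, shows that a client can mechanically tell these apart before any policy decision is made. It builds a throw-away CA, issues four certificates for a constructed host name (bank.example.test, not a real site), has the CA publish a signed CRL revoking one of them, and classifies each with Go's standard crypto/x509 verifier as the stand-in client. The revocation check uses a CRL rather than OCSP; that choice, the helper names, and all keys and names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Coarse results of a server-certificate check; a client warning would be built from one of these.
const OK, Untrusted, Expired, Revoked, Other = "ok", "untrusted-issuer", "expired", "revoked", "other-error"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a certificate for cn signed by parent, or self-signed when parent is nil (example helper).
func makeCert(cn string, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CRLSign is required to issue the CRL
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Classify does what a TLS client does: build a chain to a trusted root (this also checks the
// validity dates and the host name), then look the serial number up in the issuer's CRL.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var unknown, invalid = x509.UnknownAuthorityError{}, x509.CertificateInvalidError{}
	switch {
	case errors.As(err, &unknown):
		return Untrusted
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	case err != nil:
		return Other
	}
	for _, rc := range crl.RevokedCertificates { // chain is good; has the CA since withdrawn it?
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked
		}
	}
	return OK
}

// Demo builds a constructed CA, four leaves for one host and a signed CRL, and classifies each leaf.
func Demo() map[string]string {
	now := time.Now()
	host := "bank.example.test" // constructed host name, not a real site
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour) // a currently valid window
	ca, caKey := makeCert("Example Test CA", 1, nb, na, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := makeCert(host, 2, nb, na, false, ca, caKey)
	withdrawn, _ := makeCert(host, 3, nb, na, false, ca, caKey)
	stale, _ := makeCert(host, 4, now.Add(-48*time.Hour), now.Add(-time.Hour), false, ca, caKey)
	selfSigned, _ := makeCert(host, 5, nb, na, false, nil, nil)
	// The CA revokes serial 3 and signs a CRL; the client checks that signature before trusting the list.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: withdrawn.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(ca))
	return map[string]string{
		"ca-signed":   Classify(good, roots, crl, host, now),
		"revoked":     Classify(withdrawn, roots, crl, host, now),
		"expired":     Classify(stale, roots, crl, host, now),
		"self-signed": Classify(selfSigned, roots, crl, host, now),
	}
}
```

Demo() returns "ok" for the CA-issued certificate, "revoked" for the one on the CRL, "expired" for the stale one and "untrusted-issuer" for the self-signed one. Two points matter for the argument in the thread: the revoked certificate chains perfectly and is only caught because the client fetched and signature-checked the CA's CRL, which is the step a client that skips revocation checking never performs; and the verifier stops at the first failure, so a certificate that is both self-signed and expired reports only the date problem here, which is one reason a warning built from a single error code tells the user less than it seems to.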

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:17 UTC