Well, you said that this "is the poster child for exploiting browser state." For it to be a serious threat that warrants consideration, you must assume that most users read certificate data (regardless of whether the browser is actually throwing a warning). If we can assume that most users do *not* read this information, then there's a plethora of much easier/likelier attacks.

That is, it's a waste of time worrying about how a burglar might pick your fancy new lock when you regularly leave all the windows open.

serge

Thomas Roessler wrote:
> On 2007-07-11 21:09:33 -0400, Serge Egelman wrote:
>
>> Sure, that's a valid point. However, your fatal error is
>> assuming that a user is going to read the details of the cert.
>
> I didn't assume that.
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Wednesday, 18 July 2007 13:48:57 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:50 GMT