
Re: ACTION-240 :TLS errors...

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Wed, 18 Jul 2007 09:48:11 -0400
Message-ID: <469E1A1B.7070403@cs.cmu.edu>
To: Serge Egelman <egelman@cs.cmu.edu>, Johnathan Nightingale <johnath@mozilla.com>, W3C WSC Public <public-wsc-wg@w3.org>

Well, you said that this "is the poster child for exploiting browser
state."  For it to be a serious threat that warrants consideration, you
must assume that most users read certificate data (regardless of whether
the browser is actually throwing a warning).  If we can assume that most
users do *not* read this information, then there's a plethora of much
easier/likelier attacks.

That is, it's a waste of time worrying about how a burglar might pick
your fancy new lock when you regularly leave all the windows open.

serge

Thomas Roessler wrote:
> On 2007-07-11 21:09:33 -0400, Serge Egelman wrote:
> 
>> Sure, that's a valid point.  However, your fatal error is
>> assuming that a user is going to read the details of the cert.
> 
> I didn't assume that.
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Wednesday, 18 July 2007 13:48:57 GMT
