- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Wed, 18 Jul 2007 09:48:11 -0400
- To: Serge Egelman <egelman@cs.cmu.edu>, Johnathan Nightingale <johnath@mozilla.com>, W3C WSC Public <public-wsc-wg@w3.org>

Well, you said that this "is the poster child for exploiting browser state." For it to be a serious threat that warrants consideration, you must assume that most users read certificate data (regardless of whether the browser is actually throwing a warning). If we can assume that most users do *not* read this information, then there's a plethora of much easier/likelier attacks. That is, it's a waste of time worrying about how a burglar might pick your fancy new lock when you regularly leave all the windows open.

serge

Thomas Roessler wrote:
> On 2007-07-11 21:09:33 -0400, Serge Egelman wrote:
>
>> Sure, that's a valid point. However, your fatal error is
>> assuming that a user is going to read the details of the cert.
>
> I didn't assume that.
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Wednesday, 18 July 2007 13:48:57 UTC