Re: ACTION-272: self-signed certificates

We went over this.  The $20 GoDaddy example I cited before.  I 
registered a domain and purchased a certificate using PayPal, and it's 
all under Stephen's name.  Nothing is linked back to me, there is zero 
accountability (BTW: Johnathan said that he'd pull the root if this were 
the case, though I doubt that's happened).  If I were a phisher, and 
this scheme worked (let's pretend that users will notice, understand, 
and obey the SSC indicators---which we currently know to not be the 
case), I'd start dropping $20 for each site to get a real CA-signed 
certificate.

The current figures state that phishers make anywhere from $250-1000 per 
victim.  Dropping $20 really isn't a big deal.  Hell, dropping $500 on 
an EV cert may be worth it, if we can ever come up with useful 
indicators, but that's a different matter...

I really think that we should just classify non-EV and SSC certificates 
as the same thing: only useful for encryption.  We show an encryption 
indicator, which will only be noticed by the tech-savvy users anyway. 
And then we primarily focus on consistency.


serge

Thomas Roessler wrote:
> On 2007-07-30 18:17:10 -0400, Serge Egelman wrote:
> 
>> And again, how is the self-signed certificate any more
>> trustworthy than a low-assurance certificate?  It would seem that
>> the best solution should be to *only* keep track of consistency.
> 
> What's your definition of low-assurance?  "unknown CA"?
> 
> (In fact, you're probably right that the same unknown-CA cert seen
> over an extended amount of time should be seen as as good as a
> self-signed one, and be subject to the same kind of consistency
> tracking.)
> 
> Cheers,

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 30 July 2007 22:47:29 UTC
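The "consistency" tracking both messages refer to (remembering which certificate a host presented before and flagging a change, sometimes called key continuity or trust-on-first-use) can be sketched as a small store. This is added example code, not part of the mailing-list thread or of any browser; the trust-class labels, the 30-day "established" threshold, the verdict names and the certificate bytes are all this example's own constructed assumptions.

```python
"""Key-continuity tracking for certificates (added example, not from the thread).

A self-signed or unknown-CA certificate gives no identity assurance by itself.
What a client can still check is whether the same certificate keeps being
presented for a host over time, and warn when that changes.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict

# Assumed trust-class labels (this example's own names, not the working group's).
SELF_SIGNED = "self-signed"
UNKNOWN_CA = "unknown-CA"   # chains to a root the client does not recognise
KNOWN_CA = "known-CA"       # chains to a trusted root, non-EV
EV = "EV"

# Assumption: days of unchanged observations before a host's certificate
# counts as "established" by continuity alone.
ESTABLISHED_AFTER_DAYS = 30


@dataclass
class Record:
    fingerprint: str      # SHA-256 of the DER certificate
    trust_class: str
    first_seen: int       # simplified clock: day number
    last_seen: int
    observations: int = 1


@dataclass
class ContinuityStore:
    records: Dict[str, Record] = field(default_factory=dict)

    def observe(self, host: str, cert_der: bytes, trust_class: str, day: int) -> str:
        """Record a certificate seen for `host` on `day` and return a verdict:
        'new', 'consistent', 'established' or 'changed'."""
        fp = sha256(cert_der).hexdigest()
        rec = self.records.get(host)
        if rec is None:
            self.records[host] = Record(fp, trust_class, day, day)
            return "new"
        if rec.fingerprint != fp:
            # A different certificate for a host we already know is the one
            # signal continuity tracking can give. The old record is kept until
            # accept_change() is called after an explicit decision.
            return "changed"
        rec.last_seen = day
        rec.observations += 1
        if day - rec.first_seen >= ESTABLISHED_AFTER_DAYS:
            return "established"
        return "consistent"

    def accept_change(self, host: str, cert_der: bytes, trust_class: str, day: int) -> None:
        """Replace the stored certificate after an explicit decision; continuity restarts."""
        self.records[host] = Record(sha256(cert_der).hexdigest(), trust_class, day, day)


def indicator(trust_class: str, verdict: str) -> str:
    """UI indicator following Serge's proposal: non-EV and self-signed certificates
    are treated alike and earn only an 'encryption' indicator; EV earns 'identity';
    a changed certificate overrides both with a warning."""
    if verdict == "changed":
        return "warning"
    if trust_class == EV:
        return "identity"
    return "encryption"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"CONSTRUCTED-CERT-A"
CERT_B = b"CONSTRUCTED-CERT-B"


def demo():
    """Walk one host through first sight, steady use, and a certificate swap."""
    store = ContinuityStore()
    verdicts = [
        store.observe("shop.example", CERT_A, SELF_SIGNED, day=1),
        store.observe("shop.example", CERT_A, SELF_SIGNED, day=5),
        store.observe("shop.example", CERT_A, SELF_SIGNED, day=40),
        store.observe("shop.example", CERT_B, SELF_SIGNED, day=41),
    ]
    return verdicts, [indicator(SELF_SIGNED, v) for v in verdicts]


if __name__ == "__main__":
    print(demo())
```

The store deliberately refuses to overwrite a record on a mismatch: a cheaply bought CA-signed certificate and a self-signed one look the same to this check, and the only thing it can tell the user is that the certificate for a known host is not the one seen before.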