Re: ISSUE-127: Safe Form Bar: Separate MITM handling? [Techniques]

On 2007-10-11 20:35:34 -0000, Close, Tyler J. wrote:

> > I propose to replace the MITM handling [1] in the Safe Form 
> > Bar with a reference to [2]. Specific issues with the current 
> > text at [1]:
> > 
> > - It's inconsistent with MITM handling elsewhere in the spec, 
> > in particular [2].
> 
> The MITM detection in the editor bar is stronger than what can be
> specified elsewhere in the spec, since the editor bar can use its
> history database to detect a CA substitution attack. For example,
> if in the past a site has used ExampleCA, and is now using
> Example2CA, and the certificates don't meet any of the other
> match cases [1], the editor bar can say it's an MITM. Other parts
> of the spec can at best present a warning saying the cert is
> unrecognized, but may or may not be legitimate.

Assuming that Example2CA isn't trusted, both parts of the spec
should detect the attack, as both use historical knowledge.

Assuming Example2CA is trusted, I'd argue no attack should be
diagnosed.

Basically, it seems like both parts of the spec are fairly close on
this.  The main difference is that the safe form bar includes its
own set of certificate matching rules, for which Hal had already
identified some issues.

> > - The phrase that suggests sending a notification should be removed.

> Why shouldn't the user be given the option of reporting the attack?

> I think it's important to always give the user a path forward;
> otherwise, they'll find their own, with likely negative
> consequences. In this case, reporting the attack is the best
> available option. The user agent SHOULD point this out and not
> leave the user to guess at what to do next.

Mostly because the way forward here simply isn't.

As we discussed, WHOIS is *not* an enabler for a useful service for
this particular use case.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 11 October 2007 20:57:31 UTC
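The history-based check the two messages argue about (a host previously seen with ExampleCA now presenting a certificate from Example2CA) can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, the Safe Form Bar draft, or the W3C. The `Verdict` labels, the `HistoryDB`/`Cert` names, the "issuer or fingerprint unchanged" match rule, and the host and CA names are all this example's own assumptions.

```python
"""Constructed model of a per-host certificate history used to spot a CA
substitution. Assumption: a visit is only recorded after it was accepted,
so a rejected connection never pollutes the history."""

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"              # no history for this host yet
    MATCH = "match"                        # issuer or fingerprint unchanged
    CHANGED_TRUSTED = "changed_trusted"    # new issuer, but one the agent trusts
    MITM_SUSPECTED = "mitm_suspected"      # new issuer that is not trusted


@dataclass
class Cert:
    host: str
    issuer: str        # CA name, e.g. "ExampleCA" (constructed)
    fingerprint: str   # constructed hex string standing in for a cert digest


@dataclass
class HistoryDB:
    """Remembers the certificate seen on the last accepted visit per host."""
    trusted_cas: set
    seen: dict = field(default_factory=dict)

    def check(self, cert: Cert) -> Verdict:
        previous = self.seen.get(cert.host)
        if previous is None:
            return Verdict.FIRST_SEEN
        # Match cases (assumed): same issuer, or the very same certificate.
        if previous.issuer == cert.issuer or previous.fingerprint == cert.fingerprint:
            return Verdict.MATCH
        # Issuer changed and nothing matched: the trust store decides
        # between "unfamiliar but trusted CA" and "suspected interception".
        if cert.issuer in self.trusted_cas:
            return Verdict.CHANGED_TRUSTED
        return Verdict.MITM_SUSPECTED

    def record(self, cert: Cert) -> None:
        """Store the certificate only after the visit was accepted."""
        self.seen[cert.host] = cert


def run_scenario() -> list:
    """Replays the thread's example on constructed data and returns the
    verdict for each visit in order."""
    db = HistoryDB(trusted_cas={"ExampleCA"})
    visits = [
        Cert("forms.example", "ExampleCA", "aa11"),    # first visit
        Cert("forms.example", "ExampleCA", "aa11"),    # same cert again
        Cert("forms.example", "Example2CA", "bb22"),   # new, untrusted issuer
    ]
    verdicts = []
    for cert in visits:
        verdict = db.check(cert)
        verdicts.append(verdict)
        if verdict is not Verdict.MITM_SUSPECTED:
            db.record(cert)
    # Same Example2CA certificate once that CA is in the trust store:
    # history still shows a change, but the issuer is now trusted.
    db.trusted_cas.add("Example2CA")
    verdicts.append(db.check(visits[2]))
    return verdicts


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), start=1):
        print(f"visit {i}: {verdict.value}")
```

The third visit is the case both correspondents agree on: an untrusted, unfamiliar issuer for a known host is flagged from history alone. The fourth visit is the point of disagreement in the thread: the history still records a CA change, and whether a user agent treats `CHANGED_TRUSTED` as an attack or merely as an unrecognized certificate is exactly what the two messages differ on.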