I notice you didn't comment on the liability implications at the end of my reply ;-) I don't see a huge upside to breaking standards, I do see a huge potential downside. I would be willing to consider it if it helped in the common case - which I think it might for the example of https://example.comand https://www.example.com - i.e. maybe we special case www. But beyond that, I don't know if it's common enough to provide any real upside, and I am fairly certain that there's a huge risk in breaking a spec like SSL... -Ian On 10/12/07, Thomas Roessler <tlr@w3.org> wrote: > > On 2007-10-12 09:29:56 -0700, Ian Fette wrote: > > >> Of the number of sites that yield warnings for this (where the > >> certificate was granted for the domain, but the subdomain > >> doesn't match), how many are malicious? How many times is it > >> benign when this warning appears? > > > The point isn't how many of these such sites are currently > > malicious. > > Well, if you want to consider the habituation effect that occurs, a > warning that mostly cries wolf is significantly worse than one > that's mostly right. > > In particular, if a warning mostly occurs under legitimate > circumstances, the attack vector might not even be new. > > The question is really whether the survey that Johnathan was citing > (i.e., current warnings have an effect in something like 40% of all > cases) is right, or whether the assumption is right that the current > warnings are largely ignored. > > -- > Thomas Roessler, W3C <tlr@w3.org> >
Received on Friday, 12 October 2007 16:57:37 UTC