
Re: [TLS] SSL/TLS and HTTPS in a Post-Prism Era

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 17 Oct 2013 00:02:41 +0200
To: Ralf Skyper Kaiser <skyper@thc.org>
Cc: www-archive@w3.org
Message-ID: <mc2u59pj1ck4p2qjrcd35a9aaotufnhubi@hive.bjoern.hoehrmann.de>
* Ralf Skyper Kaiser wrote:
>The summary also contains some (but not all) proposed security solutions
>and enhancements for the 'CA Trust Problem' and some general security
>enhancement for the deployment of SSL/TLS.
>
>Comments and feedback are welcome.
>
>https://thc.org/ssl

In section 5.7 I do not quite follow the scenario in which this happens,
"In all current web browser implementations a pop-up warns the user of
an unknown HTTPS connection attempt. A fingerprint is displayed to the
user and the user is encouraged to verify the fingerprint (by magical
means) before clicking 'continue'", and I do not recall seeing fingerprints
without clicking through dialogs on any certificate error in any
browser, and nowadays browsers do not offer detailed information about
certificates anymore (IE and Firefox display an error page from which
you cannot obtain certificate details, Opera 12.x does display a dialog
with details, but it's entirely unusable as it resets the dialog every
few seconds) ... anyway, the suggestion "The user should be asked to
insert the correct fingerprint" seems rather strange, given the remark
about the "magical means" beforehand. Having ordinary users enter some
kind of fingerprint anywhere seems to be a non-starter, in any case...

In section 6.1, BCPs are RFCs.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
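The message above objects to asking ordinary users to type a certificate fingerprint. The following added example (not part of this email thread or of the thc.org document) shows what such a check actually involves on the verifier's side: extracting the DER bytes from a PEM block, computing the SHA-256 fingerprint in the colon-separated form browsers display, canonicalizing whatever the user typed (separators, case, an optional "SHA256:" label), and comparing in constant time. The PEM body is constructed placeholder bytes, not a real X.509 certificate; a real PEM file decodes the same way. The function names are the example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the base64 body is NOT a real X.509 certificate, just
# 16 placeholder bytes (0x00..0x0F) so the example runs offline. A real PEM
# certificate decodes the same way: DER is the base64 body between the lines.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODw==
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form browsers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Canonicalize a human-typed fingerprint.

    Strips an optional 'SHA256:'/'SHA-256:' label, removes colons, dots,
    dashes and whitespace, uppercases, and rejects anything that is not
    exactly 64 hex digits (the length of a SHA-256 digest).
    """
    t = text.strip()
    upper = t.upper()
    if upper.startswith("SHA256:") or upper.startswith("SHA-256:"):
        t = t.split(":", 1)[1]
    hexdigits = re.sub(r"[\s:.\-]", "", t).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexdigits):
        raise ValueError("fingerprint must be 64 hex digits (SHA-256)")
    return hexdigits


def fingerprint_matches(der: bytes, user_entered: str) -> bool:
    """Constant-time comparison of the certificate's SHA-256 fingerprint
    against a user-supplied value; malformed input simply fails the check."""
    expected = hashlib.sha256(der).hexdigest().upper()
    try:
        supplied = normalize_fingerprint(user_entered)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    shown = fingerprint_sha256(der)
    print("fingerprint shown to user:", shown)
    # The same value typed in lowercase without separators still matches.
    print("typed lowercase, no colons:", fingerprint_matches(der, shown.replace(":", "").lower()))
    # One altered digit does not.
    print("typed with one wrong digit:", fingerprint_matches(der, "0" + shown[1:]))
```

Note that the comparison is deliberately tolerant of formatting but strict about content: a typo in a single hex digit, or a truncated value, fails, which is exactly the usability problem the message points out when the value has to come from a human rather than from a pinned configuration.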
Received on Wednesday, 16 October 2013 22:03:03 UTC
