Re: Action Item 18 - understand/visualize the strength of SSL

On 20-Nov-06, at 7:53 PM, Doyle, Bill wrote:

> Action Item 18 - Formalize the need to be able to
> understand/visualize the "strength" of SSL protection in place
>
> The strength of SSL protection is based on a negotiated session
> between a server and a user's browser. The SSL protocol provides
> mechanisms for the server and browser to identify cipher suites
> that they have in common and negotiate mutually acceptable ciphers.
> Configuration settings may allow the use of different cipher suites
> that could impact the actual strength of SSL. Many browsers use
> an on/off presentation to display SSL, noting that SSL is either
> protecting the session or not. A binary representation of SSL
> (on/off) gives the user the impression that each site that uses SSL
> provides an equal level of protection.
>
> Browsers should make use of SSL session information and present  
> this information in a way that depicts the actual strength of the  
> SSL connection. Ways to define strength could include the use of  
> the latest cipher suites and longest keys allowed.

   I actually disagree with this and we would not consider  
implementing such a thing in Konqueror at this time.  I think the  
onus should be on the browser developer to remove the ciphers  
considered too weak for general purpose use, and I think that the  
browser is a general-purpose application.  I would prefer to  
recommend that the NSA write their own browser if they have issues  
with RC4-SHA1 or whatever is the standard of the week.  We, the  
browser developers, have had an ongoing effort to reduce the  
complexity of indicators and consolidate the decision making  
process.  We don't want users to have to judge if 75% security is  
good enough, or if they should go for 80% (whatever those mean  
anyway).  We need to have a set of criteria that enable us to make a  
boolean decision.

    Imagine this: a Mac OS system that asks you to tell it if you are  
happy with a "security level of 68.343% based on a set of 18  
criteria, click |> for more details".  And yet, they're selling more  
systems quarter-over-quarter than ever before.  I consider these  
details to be information overload, and I consider information  
overload to be counter-productive to improving security and the  
security decision-making process.  I am far more prepared to remove  
the weakest 30% of ciphers from my browser altogether.

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/

Received on Monday, 4 December 2006 18:20:41 UTC
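
The approach argued for in the reply above (drop weak suites from the client so the indicator can stay boolean), as an added example that is not part of the original message or of Konqueror's code. The cipher policy string, the weakness markers, the 128-bit floor and the server preference lists are assumptions made for illustration; `negotiate` is a simplified model of suite selection, not a real handshake.

```python
import ssl

# Assumed policy (not from the thread): OpenSSL cipher string that drops
# anonymous, NULL, export-grade, DES/3DES, RC4 and MD5-based suites.
POLICY = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"
WEAK_MARKERS = ("NULL", "EXP", "DES", "RC4", "MD5")  # assumed name markers
MIN_BITS = 128                                        # assumed strength floor


def hardened_client_context():
    """Client context whose enabled suites already exclude weak ones."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(POLICY)
    return ctx


def is_weak(name, bits):
    return bits < MIN_BITS or any(m in name for m in WEAK_MARKERS)


def offered(ctx):
    """Names of the suites enabled on this client context."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_offered(ctx):
    """Suites that slipped past the policy; expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if is_weak(c["name"], c["strength_bits"])]


def negotiate(client_offer, server_prefs):
    """Simplified selection: first server preference the client also offers."""
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    return None  # no common suite: the handshake fails


def lock_icon(client_offer, server_prefs):
    """Boolean indicator: secured with an acceptable suite, or not at all."""
    return negotiate(client_offer, server_prefs) is not None


if __name__ == "__main__":
    offer = offered(hardened_client_context())
    print("weak suites still enabled:", weak_offered(hardened_client_context()))
    # Constructed server preference lists (OpenSSL suite names).
    print("legacy-only server:", lock_icon(offer, ["RC4-SHA", "EXP-RC4-MD5"]))
    print("server with one modern suite:", lock_icon(offer, ["RC4-SHA", offer[0]]))
```

Because the weak suites are never enabled on the client, a server that supports only those suites produces a failed handshake instead of a lower-strength session, so the user never sees a graded strength display.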