- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 6 Dec 2006 12:32:59 -0600
- To: "W3 Work Group" <public-wsc-wg@w3.org>
Amir Herzberg wrote: > I agree. But more: the reality is that most web pages are > not SSL/TLS protected. In such cases, the domain names > provides the only (very limited) mechanism of > identification. It is secure against weak attackers, not > against DNS controlling or MITM attackers, of course, and > only to the extent that users can validate the URL/domain. > So I agree it is very weak protection. Still, as long as > most sites are not using SSL, I find it very hard to give > up on this limited identification mechanism. So what are the risks? Since we agree that the current URL display for non-SSL sites is "very weak protection", really the only thing preventing attack is lack of interest from attackers. Removing the "very weak protection" is not going to increase the value of the 'protected' assets. I also argue that "very weak protection" is too high praise for the display of http:// URLs. I think the display actually works in the attacker's favor. Since the display is easily subverted by the DNS tricks of a rogue wireless access point, a user who is accustomed to relying on the URL display is easy prey. The truth is that when talking http: over a wireless network, you should assume you are talking to a stranger. If we ease the user into acting otherwise, we're helping the phisher. So, if the host web site doesn't think the served resources are worth protecting, we don't need to pretend to protect them. Further, such make believe can deceive the user and undermine our protection of more highly valued assets. Tyler
Received on Wednesday, 6 December 2006 18:33:12 UTC