- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 14 Dec 2006 12:21:31 -0600
- To: "W3 Work Group" <public-wsc-wg@w3.org>
Hi Phillip,

Hallam-Baker, Phillip wrote:
> In particular the user should not be warned about
> administrative security defects. This might sound
> counterintuitive. What is the point of having security
> if the user is not told when it fails? But in the Web
> today the majority of Web sites have no security at
> all. Adding security measures should never reduce the
> quality of the user experience.
>
> Instead of warning the user that the site certificate
> is invalid the browser should display the site in the
> same manner as any other insecure page. That is the
> browser should not display the padlock icon.

I very much wish the above approach were technically feasible; unfortunately, there are some complications.

The problem is that the initial GET request potentially contains a lot of sensitive information that should not be revealed to the server if the server is an imposter. For example, consider the URL https://www.example.com/?jsessionid=ASDFASDFASDF, where there exists a www.example.com web site with a valid CA certified certificate. Consider the case where the user's browser connects to the Internet through a rogue wireless access point and so is directed to a spoof of the www.example.com web site which presents a self-signed certificate. If the browser proceeds with the GET request anyways, the spoof site will receive the user's URL encoded session id, as well as any cookies set up by the real www.example.com web site. At that point, the phishing attack has succeeded.

So unfortunately, I think the current browser behaviour of making an HTTPS web site with an invalid, or self-signed, certificate less usable than an HTTP web site is inescapable. It's terribly counter-intuitive and works against the deployment of SSL, but I don't see how to fix it without making protocol changes. The one saving grace is the advent of domain-validated certificates, which reduce the cost of deploying SSL.

Tyler
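The point in the message above, modelled as an added example (not code from the original thread or from any browser): a stand-in for the spoof site records what the client sends after a handshake it cannot validate. Under the "treat it like plain HTTP" policy the first GET, carrying the session id from the URL and the stored cookies, goes out anyway; under the "block" policy nothing is sent. The session id, cookie value and server class are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample values (not from the email): a URL carrying a session id
# and a cookie that the real www.example.com set in the browser earlier.
SENSITIVE_URL = "https://www.example.com/?jsessionid=ASDFASDFASDF"
COOKIE_JAR = {"www.example.com": {"auth": "secret-cookie-value"}}


@dataclass
class ImposterServer:
    """Stand-in for the spoof site behind the rogue access point. It presents
    a certificate the browser cannot validate and records every byte the
    client sends once the handshake is over."""
    cert_valid: bool = False
    received: list = field(default_factory=list)

    def send(self, data: bytes) -> None:
        self.received.append(data)


def build_initial_get(url: str, cookie_jar: dict) -> bytes:
    """The first HTTP request a browser sends on a fresh connection. The query
    string (session id) and the stored cookies are both part of it, so anything
    sent before the server's identity is checked goes to whoever answered."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [f"GET {path} HTTP/1.1", f"Host: {parts.hostname}"]
    cookies = cookie_jar.get(parts.hostname, {})
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def fetch(url: str, cookie_jar: dict, server: ImposterServer, policy: str) -> str:
    """Model of the browser's decision after the TLS handshake.
    policy 'degrade': hide the padlock and proceed as for plain HTTP (the
                      behaviour proposed in the quoted message).
    policy 'block':   refuse to send the request at all (current browsers)."""
    if not server.cert_valid:
        if policy == "block":
            return "blocked: certificate not valid for " + str(urlsplit(url).hostname)
        # 'degrade' falls through: no padlock shown, but the request still goes out
    server.send(build_initial_get(url, cookie_jar))
    return "sent"
```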
Received on Thursday, 14 December 2006 18:21:59 UTC