- From: <michael.mccormick@wellsfargo.com>
- Date: Tue, 17 Apr 2007 09:37:40 -0500
- To: <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <8A794A6D6932D146B2949441ECFC9D6802B4D39E@msgswbmnmsp17.wellsfargo.com>
For everyone's benefit, FSTC browser enhancement MM15 says: "Display warning when a hostname is resolved via local HOST file instead of DNS."

This is a critical piece of information. Local host files have become a dangerous attack vector for criminals who don't want all the bother and risk of trying to poison public DNS servers.

I'll admit this is going to be a hard thing to explain to less technical users. A good tech writer could do better, but I would suggest something like:

"Your computer is using a non-standard method to determine the Internet address of web site www.example.com. This method uses the file c:\windows\system32\drivers\etc\hosts on your computer instead of the normal Domain Name Service (DNS) to look up the web server name. It is highly unusual to have a web server name in this file, and may indicate the presence of malicious software on your machine. However, if you or your administrator deliberately put this web server name in the file, then you can safely disregard this warning and proceed."

I guess this points to the need for a multimodal UI that presents different error messages & indicators to different users depending on their level of technical ability?

Mike

_____

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Monday, April 16, 2007 2:09 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: RE: Recommendations for "Lightening Discussions" at next week's meeting

Hi Mike,

On MM15 (sorry, I can't figure out how to copy text from the pdf) - what would a clear and actionable error about resolving a hostname via local host files instead of DNS look like? I personally would have no idea what to do in the face of such an error (so I would ignore it).
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

<michael.mccormick@wellsfargo.com>
Sent by: public-wsc-wg-request@w3.org
04/03/2007 07:41 PM
To <Mary_Ellen_Zurko@notesdev.ibm.com>
cc <Chuck@Interisle.net>, <dan.schutzer@fstc.org>, <public-wsc-wg@w3.org>
Subject RE: Recommendations for "Lightening Discussions" at next week's meeting

I've taken the liberty of attaching a 3rd document to Chuck Wade's useful list of FSTC Contributed Documents page at <http://www.w3.org/2006/WSC/wiki/DocsRepository/FSTC_Contributed_Documents> titled "FSTC BMA Browser Recommendations". I've also added it to the list of links on the Recommendations tracking page as you requested.

FSTC provided this document to W3C prior to launch of WSC (at the workshop in Queens) so there should be no problem sharing it again. It was created by Chuck Wade collecting input from members of the Better Mutual Authentication Working Group 2. Browser enhancements labeled MMx (e.g., "MM3") were provided by me in an earlier private communication.

Most of mine are recommendations to improve browser SSL/TLS and X.509 certificate handling. Some are probably out of scope for WSC but the document is organized to separate UI improvements from infrastructure & protocol proposals.

Mike M

_____

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Monday, April 02, 2007 10:40 AM
To: McCormick, Mike
Subject: RE: Recommendations for "Lightening Discussions" at next week's meeting

Please do share them. And please also point to them in the wiki where we are tracking recommendation proposals.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

<michael.mccormick@wellsfargo.com>
04/02/2007 10:31 AM
To <Mary_Ellen_Zurko@notesdev.ibm.com>, <pbaker@verisign.com>, <tyler.close@hp.com>, <Bob.Pinheiro@FSTC.org>
cc <public-wsc-wg@w3.org>
Subject RE: Recommendations for "Lightening Discussions" at next week's meeting

Hi MEZ,

Unfortunately the new weekly meeting time conflicts with a standing meeting related to my day job, which is why you haven't had the pleasure of my company lately.

As it happens I do have some specific suggestions for improving SSL/TLS cert handling in browsers, which I can share with the group via email.

Mike M.

_____

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Friday, March 30, 2007 1:42 PM
To: Hallam-Baker, Phillip; tyler.close@hp.com; McCormick, Mike; Bob.Pinheiro@FSTC.org
Cc: public-wsc-wg@w3.org
Subject: Recommendations for "Lightening Discussions" at next week's meeting

As we discussed, I'll pick 4 recommendations for 15 minute "Lightning Discussions" at our next meeting. Going top down in the recommendations section in:
http://www.w3.org/2006/WSC/wiki/RecommendationIndex

Phil, will you be making any recommendations related to EV handling?

Tyler, does PersonallyIdentifiableInformationEditorBar <http://www.w3.org/2006/WSC/wiki/PersonallyIdentifiableInformationEditorBar> supersede the PetName Tool demo/reference there? If so, you or I should pull that line.

Does anyone volunteer to look through ContextPresentation to see if there's anything there that should be turned into a recommendation topic?

Michael M, are there any recommendations you want to make around existing SSL and Certificate handling practices?

Bob, will you or someone else be leading the "lightning discussion" on Safe Browsing Mode?

Phil, will you be well enough by Wednesday to do a "lightning discussion" on Virtual Hosting and TLS?
Tyler, will you be available for a "Lightning discussion" on the PIIEB next Wednesday?

Are there any other items that should be listed there as ready for a "lightning discussion"?

Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
Received on Tuesday, 17 April 2007 14:41:26 UTC
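
Added illustration of the MM15 check discussed in this thread (not part of the original messages, and not FSTC's or any browser's code): a parser that reports whether a hostname would be answered from a hosts file rather than DNS. The function names and the sample file content are hypothetical and constructed for the example; the default path is the one quoted in the message.

```python
"""Report whether a hostname would be answered from a hosts file (MM15-style check)."""
import ipaddress

# Constructed sample hosts file; 203.0.113.0/24 is a documentation address range.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com   example.com  # constructed unexpected entry
not-an-ip       broken.example
0.0.0.0         ads.example.net
"""

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank, comment-only or nameless
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: skip the line
        # Names compare case-insensitively; a trailing root dot is not significant.
        yield line_no, addr, [n.lower().rstrip(".") for n in fields[1:]]

def hosts_override(hostname, text):
    """Return [(line_no, address)] for entries that name `hostname`."""
    wanted = hostname.lower().rstrip(".")
    return [(line_no, str(addr))
            for line_no, addr, names in parse_hosts(text)
            if wanted in names]

def warning_for(hostname, text,
                path="c:\\windows\\system32\\drivers\\etc\\hosts"):
    """Build a one-line warning, or None when the file does not name the host."""
    hits = hosts_override(hostname, text)
    if not hits:
        return None
    line_no, addr = hits[0]                     # report the first matching line
    return (f"{hostname} resolves to {addr} from {path} "
            f"(line {line_no}), not from DNS.")

if __name__ == "__main__":
    for name in ("www.example.com", "WWW.Example.COM.", "www.example.org"):
        print(name, "->", warning_for(name, SAMPLE_HOSTS))
```
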