- From: Timothy Hahn <hahnt@us.ibm.com>
- Date: Wed, 14 Mar 2007 10:01:23 -0400
- To: public-wsc-wg@w3.org
- Message-ID: <OF2CCC50D3.BAA289CA-ON8525729E.004A8041-8525729E.004D07E6@us.ibm.com>
Hi all,

Here's an interesting one I stumbled upon yesterday. I'm posting it here for folks to consider, comment, and possibly help us in building the various recommendations we're starting to build. I have tried to obfuscate the specific companies involved, but I suspect you may wind up seeing through it anyway.

I received a notice that the battery in my notebook computer may be recalled. It had a link in it for the company's support site. (The e-mail message came from IBM support - seemed to have all the right icons - looked like a Notes ID sent it, not an Internet mail address.)

At the company's support site, I was prompted for my battery serial number - I provided it since this isn't information that identifies me personally and I can understand needing this information to help me out - and then was told that yes, indeed, my battery was being recalled. To get the replacement, I was dropped into a page (SSL-protected) to enter my name/address info for shipping purposes.

Here's where it got interesting. On page load, Firefox popped up a message telling me it didn't like the company's server certificate!!! So I investigated. The indication was that the cert was signed by an unknown signer. So I looked at the signer information. It said "Verisign Class 3 ..." from "Verisign. Inc.". So I looked at my set of known CA signer certificates ... I have 3 (count 'em, 3) Verisign Class 3 CA signer certificates known to my Firefox install. So how could it be that I don't have the "right one"? (Actually, I know how it could be - Verisign created a new one, and I didn't know I was supposed to go out and get it ... or I have a Firefox install that hadn't had the right CA signer's update applied.) Everything looks right ... even to my eyes, which ought to know better ... what could possibly be the issue?

I went back to the site this morning to try and re-create it, but alas, it won't let me enter the same battery serial number twice, so I can't get to the page.

Bottom line - even after doing everything I thought I should do to check, I was still dumbfounded as to what the problem/issue was. And yes, sad as it sounds, I boldly accepted/closed the pop-up boxes and entered my address anyway. After all, I don't want my battery to melt my kitchen table, so I had to tell them my shipping address.

Was it a configuration issue or did I just get phished? ... and how would my mother know the difference if it was her trying to figure it out?

I'm looking forward to your comments on this. How would we tell end users, server site administrators, help desk personnel, and others how to address such a situation? Who could be considered to be "at fault" (if anyone)?

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565
tie-line: 8/687.1565
fax: 919.224.2530
Received on Wednesday, 14 March 2007 14:03:04 UTC
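The puzzle in the message above is that the signer's name matched roots already in the browser's trust store, yet the browser still reported an unknown signer. A worked example of why that happens, added here as editorial illustration and not part of Tim's message or of any W3C deliverable: chain building is not done by CA name but by key, so a root that carries the same subject name as a trusted one but a different key (the "Verisign created a new one" case Tim guesses at) cannot anchor the chain, and neither can a correct root if the server fails to send the intermediate that links to it (a common cause the message does not mention). All certificates below are generated in memory with the Go standard library; the host `support.example.com` and the CA names are hypothetical stand-ins, since the page deliberately does not identify the real site or CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host and CA names; the page does not identify the real ones.
const hostname = "support.example.com"

// issue generates a P-256 key and a certificate for tmpl signed by parent.
// When parent is nil the certificate is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example CA Inc."}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// scenario: an old root the browser knows, a newer root with the *same*
// subject name but a different key, and a server chain issued under the new one.
type scenario struct {
	oldRoot, newRoot, intermediate, leaf *x509.Certificate
}

func build() scenario {
	oldRoot, _ := issue(caTemplate("Example Class 3 Public Primary CA", 1), nil, nil)
	newRoot, newKey := issue(caTemplate("Example Class 3 Public Primary CA", 2), nil, nil)
	inter, interKey := issue(caTemplate("Example Class 3 Secure Server CA", 3), newRoot, newKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return scenario{oldRoot, newRoot, inter, leaf}
}

// verify does what the browser does: roots is the local trust store, sent is
// whatever extra certificates the server included in the TLS handshake.
func verify(leaf *x509.Certificate, roots, sent []*x509.Certificate) error {
	rootPool, sentPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range sent {
		sentPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: sentPool, DNSName: hostname})
	return err
}

// Three outcomes for the same server certificate.
func sameNameWrongRoot(s scenario) error { // trust store has only the old root of that name
	return verify(s.leaf, []*x509.Certificate{s.oldRoot}, []*x509.Certificate{s.intermediate})
}
func missingIntermediate(s scenario) error { // right root trusted, server omitted the intermediate
	return verify(s.leaf, []*x509.Certificate{s.newRoot}, nil)
}
func completeChain(s scenario) error { // right root trusted, full chain sent
	return verify(s.leaf, []*x509.Certificate{s.newRoot}, []*x509.Certificate{s.intermediate})
}

func main() {
	s := build()
	fmt.Println("old root of same name trusted:", sameNameWrongRoot(s))
	fmt.Println("new root trusted, intermediate omitted:", missingIntermediate(s))
	fmt.Println("new root trusted, full chain:", completeChain(s))
}
```

The first two calls fail with an unknown-authority error and only the third succeeds, which is the distinction a help desk would need to draw: the name shown in the certificate viewer tells the user which CA *claims* to have signed, while the verifier only accepts a chain whose signatures actually lead to a key in the trust store. From the user's seat the two failure cases are indistinguishable from a phishing site presenting a self-made "Verisign" certificate, which is exactly the problem Tim raises.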